Cyber Attacks: A New Threat to the Energy Industry Edito Energie
The Network and Information Security (NIS) Directive was adopted on July 6th, 2016 by the European Parliament, three years after the initial proposal by the European Commission. It paves the way for a much-needed common cyber security strategy within the EU. This Edito explains why the energy industry is particularly vulnerable to cyber attacks, and what tools this new directive provides to protect European critical infrastructures.
In about two decades, the energy industry has been deeply transformed by the digital revolution, which has penetrated not only companies’ commercial, administrative and financial branches, but also their industrial systems. From the optimization of electric grids to the precision of oil drilling, information and communication technologies (ICT) are now essential to every stage of energy production, transport and distribution. Data mining and analysis are increasingly considered the energy sector’s new “black gold”, and they generate new activities such as the Predix platform, designed by General Electric to help energy companies (among others) collect and analyze industrial data.
This silent revolution offers countless economic opportunities and paves the way for better resource distribution and use. But it also puts physical energy infrastructures at risk.
An Expanding Threat
On 23 December 2015 in Ukraine, a cyber-attack on several regional grid operators deprived more than 200 000 people of electricity for a few hours, and forced operators to intervene physically at the substations to restore power. Since substations could no longer be remotely controlled, on-site interventions had to be maintained for several weeks after the event in order to ensure electricity delivery. The use of common hacking methods such as phishing, combined with very precise knowledge of the Industrial Control Systems (ICS) used for electricity distribution, allowed attackers to remotely activate breakers in about 30 electric substations and cut off the power.
This was the first time a cyber-attack targeting the grid had physical consequences. Few attacks are likely to have such implications. All experts agree that the level of preparation and coordination, the degree of knowledge of the targeted ICS and the probable financial means invested in this operation are not within the reach of just any criminal group or State. Moreover, a field study conducted by several US federal agencies found that the Ukrainian operators’ ICS were particularly well protected.
Ukrainian authorities were quick to point at Russia after the event, and even though very few elements support the conclusion that Moscow was involved in the attack, this event might well have a geopolitical background. The only other known cyber-attack with serious consequences for an energy infrastructure is the Stuxnet worm, discovered in 2010 and designed to slow the progress of the Iranian nuclear program. A thousand uranium enrichment centrifuges were damaged by this malware, which went unnoticed for more than a year. Here again, strategic interests and the presumed support of two nation-states (the USA and Israel) make this attack remarkable.
Energy companies are increasingly targeted by this kind of threat, and the structure of their activity makes them particularly vulnerable, for several reasons...