On 23 December 2015, inside a Prykarpattyaoblenergo energy control centre in Ukraine, a world-first occurred.
A more-than-likely Russian malware attack gained access to the utilities’ network and manually switched off 30 substations, leaving 230,000 Ukrainians without power.
Power was restored relatively quickly – between one and six hours depending on the region.
But the incident left many to question the vulnerability of their own power grids.
In Australia, the growing complexity of monitoring systems and sensor technology, as well as the increasing uptake of renewable energy sources, is leaving our power supply exposed, according to experts.
Energy Industry Director at analyst firm Frost & Sullivan, Ivan Fernandez, said security is now a genuine concern for the energy sector.
“The cyber attack on the Ukraine power grid was a wake-up call not only for the industry but for us analysts,” said Fernandez during a panel discussion in Sydney. “It showed us the extent and scale of damage that’s possible with a well-planned cyber attack.”
“We did a global survey in 2017 across IT decision-makers in the energy and utilities space asking what were the key challenges and top-of-mind concerns.
“The number one challenge for them was not about aligning IT with the business or systems integration or compliance.
“It was simply security – their concerns were around espionage, cyber warfare and malware.”
A secure design
For co-founder and CTO of CQR Consulting, Phil Kernick, security is missing in the design of some of these systems.
“With a few notable exceptions, there are no standards that are deployed in the energy sector in a control environment,” he said.
“None. No governance, no policies, no procedures, no documentation – it’s just built the way it was built over the last 20 years by the people who built it.
“It’s the IT of the 1980s and 90s writ large in the energy sector today.”
As well as legacy systems, up-and-coming start-ups are also missing the mark when it comes to energy security, according to Energy Solutions Manager at Indra Australia, Giovanni Polizzi.
“A lot of start-ups, in Australia especially, are producing devices connected to energy resources which have absolutely not undergone any type of cyber security survey or testing,” he said.
“When we’re talking about the retail market, we have to go very low in price for the device we produce, otherwise people won’t buy it.
“And that basically means that companies buy electric boards from the Chinese market, which are normally open-design, so very easy to duplicate and no embedded security.”
This was a point echoed by Kernick, who called on the government to step in.
“Utility companies are profit driven and so why should they be expected to volunteer to spend more on IT security?” he said.
“There could be an argument that this is a situation where government needs to step in and wield a big regulatory stick.”
Complexity is killing us
While the Internet of Things can and will offer improvements to the way in which energy usage is monitored, there is an inherent security risk that comes with bringing more and more devices online.
“You have a growing number of devices across the utility infrastructure that have never before been connected to the internet,” said Polizzi. “This may create security issues as it opens new opportunities for cybercriminals to launch attacks.”
But the energy sector is not alone in this space, according to Kernick.
“The complexity is killing us everywhere, and it isn’t just this [energy]. I can’t think of one [industry] that’s solved it well.
“I can’t think of one industry that’s gone ‘we are leaders in this space, we take your security seriously’ and meant it.
“We still don’t have regulation that requires trusted computing in the computing modules of the cars of today – forget the cars of tomorrow.”
Could what happened in Ukraine happen in Australia?
But could a cyber attack cause a nationwide power outage here in Australia?
“We have the potential of a Ukraine type issue here,” said Kernick. “But I don’t see this as being a nation-state attacking us, although that’s entirely credible, it’s going to be fat fingers.”
“It’s going to be someone screws something up, someone messes the configuration up, someone connects this switch to that switch when they shouldn’t have.”