The current geopolitical context is a stark reminder that securing energy infrastructure control systems has become a strategic issue. Two principles should guide a robust cybersecurity strategy: “Zero Trust” and “Defense in Depth”.
Last spring, the world of cybersecurity was shaken by a series of announcements. On April 17, the US government, through the Cybersecurity and Infrastructure Security Agency (CISA), invited all operators of critical infrastructure to immediately reinforce security on their ICS / SCADA (Industrial Control Systems / Supervisory Control And Data Acquisition) devices and networks, following a malware attack targeting industrial systems.
A few days earlier, the Ukrainian authorities had announced that they had thwarted a major attack on their country’s power supply network. From the outset, Ukraine suspected Russian military involvement. “All energy suppliers […] should take note of this attack and ask themselves whether hackers could target infrastructure in the United States or other countries”, said Andrii Bezverkhyi, CEO and founder of the specialist threat detection firm SOC Prime.
“To secure energy infrastructure, each customer’s architecture and model has to be adapted”
Aside from the war in Ukraine, notes Naiara Pabo Busto, International Business Development Manager at Axians, the VINCI Energies ICT brand, “It is important to emphasise that Ukraine and the United States are not the only countries on the list of targets, which also includes current and potential NATO members, and other countries that support that organisation internationally”.
Energy on the front line
She adds that “Energy infrastructure is increasingly being targeted”, and concludes that “Energy security is therefore compromised, as well as supply continuity and other associated risk factors”. This growing threat highlights how energy infrastructure security is a key issue, whatever the country.
Energy transmission and distribution networks use OT (Operational Technology) and critical communications (SCADA, remote protection) to manage the hardware and software that control industrial equipment.
“Grid digitalization offers unprecedented business and operational benefits, such as grid automation and the integration of new value-added applications for Utilities. IEC 61850* offers interoperability and major benefits, along with digitalization. Nonetheless, digitalization and standardization adoption also increase the ways in which the systems can be attacked, because their devices, equipment, software and processes are all connected to the network. They are therefore more vulnerable to cyber attacks”, explains Naiara Pabo Busto.
To secure energy infrastructure, in addition to its basic resilience, a detailed understanding of the various processes, assets and communications in play, from generation to metering, is necessary.
“To secure energy infrastructure, you must adapt to each customer’s strategy, architecture and different network environments”, says Naiara Pabo Busto, who recommends using a step-by-step methodology compliant with current standards like IEC 62443** and cybersecurity frameworks such as the ones from the American National Institute of Standards and Technology (NIST).
According to the Axians expert, “The first step is to audit the entire energy infrastructure environment to gain full visibility of the network. This is a major challenge, because typically there are numerous obsolete devices installed in substations, and there is no way to beef up security on these (with encryption, authentication, etc.)”.
Two strategic pillars
“A Zero Trust approach implies that only known and legitimate computing, IoT and OT devices, and their communications, are explicitly authorised”, explains Naiara Pabo Busto. “Defense in Depth is a concept that originated from the army. It was successfully transposed to cybersecurity, where numerous protective layers and mechanisms are provided to secure data, assets and critical communications. Defense in Depth offers mechanisms for redundancy and resilience in order to counteract a wide range of cyber attacks”.
For Laurent Chilaud, Development & Engineering Manager at SDEL Contrôle Commande (VINCI Energies – OMEXOM), “This in-depth protection, designed to integrate successive layers to make access more complex for potential attacks, may use a multitude of solutions: firewalls, IDS/IPS (Intrusion Detection/Protection Sensors), Role-based Access Control, VLAN, encryption”. However, the expert cautions that “A preliminary cost/risk analysis is essential, in order to adapt the protection system with maximum effectiveness”.
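The two pillars above are easier to picture as a concrete policy. The following is an added illustration, not code from the article or from Axians or OMEXOM: it takes the kind of asset inventory the audit step produces, applies a Zero Trust allowlist (only explicitly listed device roles and services are permitted, everything else is denied), and then stacks a further Defense in Depth layer on top, a segmentation rule that shields legacy substation devices which cannot run authentication or encryption themselves. The device addresses, roles, networks and flow records are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str       # source IP address
    dst: str       # destination IP address
    service: str   # "<protocol>/<port>", e.g. "mms/102" for IEC 61850 MMS

# Constructed asset inventory, the output of the audit step. "legacy" marks a
# device that cannot be hardened itself (no authentication, no encryption),
# so it has to be protected by the network layers around it.
INVENTORY = {
    "10.10.1.10": {"role": "ied_protection", "legacy": True},
    "10.10.1.11": {"role": "ied_protection", "legacy": False},
    "10.10.2.5":  {"role": "scada_server",   "legacy": False},
    "10.10.9.99": {"role": "engineering_ws", "legacy": False},
}

# Zero Trust allowlist: (source role, destination role, service).
# Anything not in this set is denied by default.
ALLOWED_FLOWS = {
    ("scada_server",   "ied_protection", "mms/102"),
    ("ied_protection", "scada_server",   "mms/102"),
    ("engineering_ws", "ied_protection", "mms/102"),
}

# Hypothetical OT core segments (substation and control-centre VLANs).
OT_CORE_NETS = [ip_network("10.10.1.0/24"), ip_network("10.10.2.0/24")]

def layer_inventory(flow: Flow) -> Optional[str]:
    """Layer 1: both endpoints must be known, audited devices."""
    if flow.src not in INVENTORY:
        return "unknown source device"
    if flow.dst not in INVENTORY:
        return "unknown destination device"
    return None

def layer_allowlist(flow: Flow) -> Optional[str]:
    """Layer 2: the role-to-role service must be explicitly allowlisted.
    Relies on layer 1 having confirmed both endpoints are in the inventory."""
    key = (INVENTORY[flow.src]["role"], INVENTORY[flow.dst]["role"], flow.service)
    if key not in ALLOWED_FLOWS:
        return f"flow not allowlisted: {key}"
    return None

def layer_legacy_segmentation(flow: Flow) -> Optional[str]:
    """Layer 3: a legacy device that cannot authenticate its peers may only be
    reached from the OT core segments, even if the flow is allowlisted."""
    if INVENTORY[flow.dst]["legacy"]:
        src_ip = ip_address(flow.src)
        if not any(src_ip in net for net in OT_CORE_NETS):
            return "legacy device reachable only from OT core segments"
    return None

# Defense in Depth: every layer must pass; the first failure denies the flow.
LAYERS = [layer_inventory, layer_allowlist, layer_legacy_segmentation]

def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow record."""
    for layer in LAYERS:
        reason = layer(flow)
        if reason is not None:
            return ("deny", f"{layer.__name__}: {reason}")
    return ("allow", "passed all layers")

def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate a batch of observed flows, e.g. exported from a network sensor."""
    return [(f, *evaluate(f)) for f in flows]

# Constructed flow records standing in for what a passive OT sensor would report.
SAMPLE_FLOWS = [
    Flow("10.10.2.5",    "10.10.1.11", "mms/102"),  # SCADA polling a modern IED
    Flow("10.10.2.5",    "10.10.1.10", "mms/102"),  # SCADA polling the legacy IED
    Flow("10.10.9.99",   "10.10.1.10", "mms/102"),  # engineering WS reaching legacy IED
    Flow("192.168.50.7", "10.10.1.11", "mms/102"),  # device absent from the audit
    Flow("10.10.2.5",    "10.10.1.11", "http/80"),  # service never allowlisted
]

if __name__ == "__main__":
    for flow, decision, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src:>13} -> {flow.dst:<11} {flow.service:<8} {decision:<5} {reason}")
```

The ordering of the layers matters: the inventory check answers the visibility question raised in the audit step (an endpoint nobody knows about is denied before any policy is consulted), the allowlist is the Zero Trust decision proper, and the segmentation rule is the compensating control for equipment that cannot be upgraded. In practice each layer would map to a different enforcement point (asset inventory, firewall or IDS policy, VLAN design), which is exactly what makes the arrangement defense in depth rather than a single gate.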
* International standard defining communication protocols for intelligent electronic devices at electrical substations.
** Set of standard recommendations for cybersecurity in industrial facilities.