
After computer networks, malware is now targeting power grids. This is a major threat requiring protection to avoid potential catastrophe.

The idea of malware mapping the internal IT network of a transformer station and then sabotaging it is not science fiction. Ukraine faced this scenario in December 2016 when the Pivnichna HV substation near the capital, Kiev, tripped, cutting power to part of the city for roughly an hour. Technicians restored supply by manually resetting the circuit breakers, which are normally operated through the control system. A year earlier, in December 2015, the malware known as BlackEnergy had been used against the SCADA (Supervisory Control and Data Acquisition) systems of Ukrainian distribution utilities, the systems that monitor and control a whole set of industrial equipment; the 2016 Kiev attack used a successor toolkit, later named Industroyer, written specifically to speak the control protocols used inside substations. How had the attackers managed to get into the system?

Previously, readings from a substation sensor travelled over copper cable to a telecommunication station, which forwarded them over the switched telephone network. Power systems have since moved to digital transmission over optical fibre in order to cut costs and improve efficiency. The fibre itself is not the weakness; the exposure comes from carrying control traffic over standard IP networks and equipment that is reachable, directly or through gateways, from ordinary corporate IT. The malware first exploits conventional IT vulnerabilities (in the 2015 Ukrainian case, spear-phishing e-mails carrying malicious Office macros) to gain a foothold in the business network, then pivots from there toward its real target: the automated power grid control system.

Blackout risk

The structure of the Ukrainian power grid is not necessarily identical with that used elsewhere. “In France, power grids are highly compartmentalised. For example, the power transmission system has its own optical fibre telecommunication system, which is not connected to the Internet,” says Valentin Bréhier, a systems engineer at SDEL Contrôle Commande, an OMEXOM network company.

The goal of the attacker is to take control of a large number of high-voltage transformer stations so as to split the grid into isolated “pockets” (the size of French departments or regions, for instance). “A region with high consumption and little generation capacity must be connected to a region that generates a large amount of electricity but consumes very little. If the attacker succeeds in separating them, one region will be over-producing and the power plant will be desynchronised, while the region that is over-consuming will cause the grid to collapse. If the attack trips the right circuit breakers, it can cause a blackout across an entire country,” says Valentin Bréhier.

Cyberweapons attack industrial facilities

To guard against such blackouts, he says, parts of the grid can be segmented onto private networks and “DMZs” (demilitarised zones) created between them. A service that cannot be completely isolated from the outside is then placed in the DMZ, a particularly well-protected area, rather than inside the control network itself, so that any outside connection terminates there instead of on the control system.

The maintenance challenge

But the real problem facing industrial networks is their low level of maintenance. Industrial protocols lag behind those of IT systems: authentication and encryption are weaker, and in older protocols simply absent, for reasons related to performance and the long service life of the equipment. “The big challenge facing industrial infrastructure is upgrading systems that were not designed to be upgraded. In industry, a system that has been validated and meets functional needs typically remains unchanged. But if it is connected to an Internet gateway, it is no longer protected,” says the SDEL Contrôle Commande systems engineer. To protect such a system, a security layer must be built around it: the legacy controller stays as it is, and the filtering, authentication and monitoring are done by the devices that surround it.
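As an added example (not code from the page, nor from SDEL Contrôle Commande or Omexom), the following Python sketch shows what such a security layer can look like for one legacy protocol, Modbus/TCP, which carries no authentication at all: a protocol-aware filter placed in front of the controller parses each request, checks the source address against the zone model described above (corporate IT, DMZ, control network) and only forwards the function codes that the policy allows for that zone. The zone addresses, the policy and the sample frames are constructed assumptions for illustration; the MBAP header layout and the function codes come from the public Modbus specification.

```python
"""Protocol-aware Modbus/TCP filter: the 'security layer around a legacy system'.

Added example, not code from the page or from any vendor named on it.
Assumptions (not from the page): the zone addresses, the policy table and the
sample frames below are constructed for illustration.
"""
import ipaddress
import struct

# Modbus public function codes (from the Modbus specification).
READ_FUNCS = {1, 2, 3, 4}            # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16, 23}     # write single coil/register, write multiple, read/write multiple

# Assumed zone model in the spirit of ISA/IEC 62443 zones and conduits.
ZONES = {
    "10.1.0.0/24": "corporate",      # office IT: must never talk to the PLC directly
    "10.2.0.0/24": "dmz",            # engineering jump host lives here
    "10.3.0.0/24": "control",        # SCADA master
}
# Assumed policy: control zone may only read, the DMZ engineering host may also write,
# corporate IT gets nothing. Any function code not listed is dropped.
POLICY = {
    "control": READ_FUNCS,
    "dmz": READ_FUNCS | WRITE_FUNCS,
    "corporate": set(),
}


def zone_of(ip: str) -> str:
    """Map a source address to its zone; anything outside the known ranges is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "unknown"


def parse_mbap(frame: bytes) -> tuple[int, int, int]:
    """Parse the 7-byte MBAP header plus function code.

    Returns (transaction_id, unit_id, function_code); raises ValueError if the
    frame is malformed, so that garbage is dropped rather than forwarded.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:                       # protocol identifier is always 0 for Modbus
        raise ValueError(f"not Modbus (protocol id {proto})")
    if length != len(frame) - 6:         # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, frame[7]


def filter_frame(src_ip: str, frame: bytes) -> tuple[str, str]:
    """Decide ('allow' | 'drop', reason) for one request from src_ip toward the PLC."""
    try:
        _, unit, fc = parse_mbap(frame)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    zone = zone_of(src_ip)
    if fc in POLICY.get(zone, set()):
        return "allow", f"{zone} host, function {fc}, unit {unit}"
    kind = "write" if fc in WRITE_FUNCS else "read" if fc in READ_FUNCS else "unknown"
    return "drop", f"{zone} host not permitted {kind} function {fc}"


def build_request(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP request frame (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def run_samples() -> list[tuple[str, str]]:
    """Constructed sample traffic: returns the filter decisions in order."""
    samples = [
        ("10.3.0.10", build_request(1, 1, 3, b"\x00\x00\x00\x0a")),          # SCADA reads 10 registers
        ("10.1.0.55", build_request(2, 1, 3, b"\x00\x00\x00\x0a")),          # office PC tries the same read
        ("10.2.0.5", build_request(3, 1, 5, b"\x00\x01\xff\x00")),           # engineering host sets a coil
        ("10.3.0.10", build_request(4, 1, 16, b"\x00\x00\x00\x01\x02\x00\x05")),  # SCADA tries a write
        ("10.2.0.5", b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),   # protocol id 1: not Modbus
    ]
    return [filter_frame(src, frame) for src, frame in samples]


if __name__ == "__main__":
    for decision, reason in run_samples():
        print(f"{decision:5s} {reason}")
```

In a real deployment the filter sits on the DMZ side of the conduit into the control zone, typically as a transparent proxy or an industrial firewall with deep packet inspection, and every drop is logged to the SOC; the point is that the PLC itself never needs to change.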

“France has always been circumspect when it comes to digitisation – which is fortunate, since we are therefore less exposed to risks. The segment between the secure and non-secure parts of the grid is private so the virus cannot use it to attack the remote control system, which has no connection gateway,” says Valentin Bréhier.

Cyber-attackers able to target a city or a country remotely tend to be State agencies, says the expert. ‘Zero day’ flaws – vulnerabilities that have not been published and for which no patch yet exists, and which can therefore be used to compromise any machine running the affected software – are traded on Darknet marketplaces. The Stuxnet worm, discovered in 2010 and widely attributed to state actors, is the first known cyberweapon built to damage an industrial facility: it exploited several Windows zero-days, was carried into the target network on removable media, and sabotaged the centrifuges at the Natanz uranium enrichment plant in the Islamic Republic of Iran by tampering with the programmable logic controllers that drove them.