Energy companies and water utilities must treat cyber risks as permanent and persistent risks to their entire enterprise, and develop an organisation-wide cyber strategy to ensure effective risk management. Dr Christoph Frei, Secretary General of the World Energy Council, explains how the hydropower industry can combat rising cyber threats.
The energy world is undergoing a grand transition driven by a combination of factors including the fast-paced development of new technologies and an unstoppable digital revolution.
Cyber threats and the impact of digitalisation on the future of the energy system, are among top issues keeping energy leaders awake at night in Europe and North America.
Increasing interconnection and digitisation of the energy sector including smart grids, smart devices and the growing internet of things and its critical role in the functioning of a modern economy make the energy sector a highly attractive target for cyber-attacks aimed at disrupting operations. Although digitisation increases operational efficiency in the industry, growing interconnection also raises the complexity of cyber risk management.
According to our recent ‘Road to resilience: Managing cyber risks’ report, cyber risks present a unique concern in the energy sector because an attack on energy infrastructure has the potential to cross from the cyber realm to the physical world – a cyber-attack could cause, for instance, a massive operational failure of an energy asset. Large centralised infrastructures are especially at risk due to the potential ‘domino effect’ damage that an attack on a nuclear, coal, or oil plant could cause.
The energy sector is of particular concern where an attack on an operating system could cause infrastructure to shut down, triggering economic or financial disruptions or even loss of life and massive environmental damage. The potential for physical damage makes this industry a prime target for cybercriminals, state-sanctioned cyber-attacks, terrorists, hacktivists and others looking to make a statement.
For example, what would have happened if an attack on Saudi Aramco such as the one in 2012 with Shamoon virus would cause a fire or explosion affecting pipelines, refinery and/or storage facilities? What environmental damage would have arisen from such an attack and what potential knock-on effects would emerge if one of the world’s biggest oil producers were unable to provide a stable supply to the global economy?
Increase in threats
Transitioning to a new energy system will not come free of new or shifting risks. High uncertainty in the context of rapid change and technological and system innovation can deteriorate long-term investment planning certainty while delaying investments into critical infrastructure. Further, more digital entry points may well increase exposure to cyber risks. However, distribution of information and more local empowerment can also enable improved response and black-starting capability.
The findings of our World Energy Issues Monitor, which began tracking cyber risks in 2014, show that the focus on cyber threats by energy leaders varies around the globe, but the concern over cyber threats is among the top insomnia issues in Europe, East Asia and North America.
Incidents within the energy sector in 2015 saw a 20% increase compared to 2014. The energy sector accounted for 16% of the attacks, behind only critical manufacturing, at 33%.
Over 100 cities suffered from a blackout In Ukraine on 23 December 2015, as hackers breached the electricity grid’s cyber security defence system (SCADA) – supervisory control and data acquisition, a computer system for gathering and analysing real time data, used by energy and water and waste control industries. seven 110 kV and twenty-three 35 kV substations were disconnected, causing a three-hour outage for around 80,000 customers. This attack was the first publicly acknowledged cyber event impacting a country's power supply
By using destructive malware, computers and control systems were damaged, and it took some time to repair.
A multi-country study by Ponemon Institute LLC: ‘2015 Cost of Cyber Crime Study’, found that the average annualised cost of cybercrime in the financial services and utilities and energy sectors is substantially higher than the cybercrime costs of organisations in healthcare, automotive and agriculture, with the average cybercrime cost in the utilities and energy sector at US$12.8M. In response to the rising threat, the investments required to protect against cyber risks are also increasing for the industry.
In Europe alone, according to Bloomberg, consulting and testing services associated with cybersecurity at utilities are expected to be €412m (US$564m) a year by 2016.
Threat to utilities
In the realm of cyber security, the risks are different from what they were just a few years ago, with opportunities for malicious activity increasing at an unprecedented speed, fraud committed by misuse of data, any liability arising from data storage, and the availability, integrity and confidentiality of electronic information.
With the convergence of operational and information technologies, attacks are getting increasingly sophisticated. The security challenges of sub-systems, combined with an increasingly distributed and multi-functional environment, therefore only increases the energy system vulnerability and potential level of cyber threats to utilities.
In 2013 a hacker allegedly targeted a small dam in Rye Brook, New York, America. The infiltration of the Bowman Avenue Dam represents a frightening new frontier in cybercrime. We now live in a world where devastating attacks on our financial system, our infrastructure and our way of life can be launched from anywhere in the world, with a click of a mouse.
How can the dams and hydro industry protect itself?
The hydropower sector is set to double capacity to 2000GW capacity by 2050. It has enjoyed healthy growth in capacity worldwide over the last decade as stakeholders continue to value the potential of hydropower development to help meet growing energy demand. Hydropower’s stock is also set to rise thanks to the multiple roles of hydro projects
Hydropower is a mature technology that is reliable and well understood by planners. Its high efficiency levels of up to 95% can have a major impact on total generation, which in turn impacts the financial performance of a hydropower station. Therefore, there is a significant market for refurbishing existing plants and powering of previously unpowered dams, particularly in more mature markets such as the US and Western Europe, where greenfield development is uncommon.
Technological innovation over the past few years has focused on increasing the scale of turbines, improving their durability and flexibility, and reducing environmental impacts. Such advancements continue to increase generating capacity, and mitigate the impact of new and existing stations.
To perpetuate developments and innovation in the cyber security sector, vast public and private investments will be required. Technological and organisational advancements are needed to continuously improve efficiency of cyber security efforts, matching developments in complexity of cyber threats. Potential damage from cyber threats is boosted by both developments in malware and the increasing dependency of critical infrastructure upon ICT systems. Decisions on the level of cyber security investment should be therefore made in view of the potential costs of an attack.
The European Commission has pledged to invest EUR450M into a public-private partnership on cyber security that is expected to further trigger EUR1.8B of investment.
Therefore, as the global energy architecture evolves and expands to meet growing energy demands and the challenges of decarbonisation, the utilities industry and energy sector need to increase and embed cyber resilience into its energy assets.
Energy companies and water utilities, must treat cyber risks as permanent and persistent risks to their entire enterprise, and develop an organisation-wide cyber strategy to ensure effective risk management.
Working across sectors and collaborating with governmental and private sector institutions can help utility companies gain a better understanding of the nature of cyber risk impacts. International cooperation must be enhanced to strengthen the cyber security and resilience of energy systems. Disseminating information about incidents, sharing best practices and introducing international cyber security standards are key elements for addressing the challenge.
If the energy and utility industries implement risk protection and resilience measures, the financial and insurance communities will be able to provide coverage for damages at achievable prices.
Decentralisation and distribution are critical elements for future cyber security developments. There is debate in the expert community on whether Blockchain may hold the key to a decentralisation of command systems such as SCADA. Records can be kept on various computers and servers around the world, removing the central point of failure from the equation.
Technology vendors can also play a critical role in furthering, or hindering, the resilience of energy infrastructures within the water utilities industry. These firms must ensure that they deliver technologies that have security standards built into their products. Without doing so, ICS and SCADA controls can compound cyber risks, and increase the vulnerability of energy operations to attack
If hydro power is going to double its role in supplying electricity along with the energy transition, the sector has to avoid the digital traps of the 21st century and not only deliver the technical solutions but also lead the cultural change that it takes to do so.