IN DEPTH: The green hacking threat

A collective of Eastern European hackers known as Dragonfly was last year found to have infiltrated the computer systems of hundreds of energy companies across the US and Western Europe.

They included renewables firms in a programme of espionage that “bears the hallmarks of state-sponsored operation”, according to digital security firm Symantec.

In May, the US Department of Homeland Security revealed that an “advanced hacking group” had compromised the control network of an unidentified public utility. A month later, the US traced dozens of hacking attempts on utilities and gas pipelines in 2012-13 to the Chinese army.

The US National Security Agency believes that electricity grids top the cyber target list for terrorists and rogue states.

Cyber attacks against vital energy infrastructure are growing, and growing ever more ingenious — increasing the risk that criminals or spies will one day be able to cause extensive grid shutdowns and blackouts.

“If you look at the information made available in the past year from the US Department of Homeland Security, you will see that the majority of cyber incidents occurred on energy infrastructure,” says Maurice Adriaensen, the head of DNV GL’s department of operational excellence.

“Cyber security is a subject that the US and Western Europe has got very interested in because the electrical infrastructure is so important and everything else depends on it,” David Walker, the chief executive of DNV GL-Energy, tells Recharge. “The fact that energy companies — be they oil and gas, power utilities or renewables firms — are not always the most popular appears to make them all a particular target for hackers.”

US utility bosses began meeting with senior Homeland Security officials last year, looking for ways to detect cyber attacks, block them and quickly restore power should an attack succeed. This February, President Barack Obama signed an executive order calling for an assessment of which parts of the American electricity grid are most at risk.

In Europe, countries have responded to the threat by establishing national cyber security centres to monitor their critical infrastructure.

But it is the power utilities that will have to foot the multi-billion-dollar bill for the enhanced security — at a time when they are already grappling with a host of grid challenges and, in many places, a fall in income due to the rise of distributed renewables.

“The amount of interconnected information and communications technology components being integrated into the grid is challenging [security] reliability,” says Adriaensen. “Therefore the amount of cyber vulnerabilities is also increasing.”

Renewables firms should not consider themselves immune from attacks. “The wind industry itself, and specific parts of it, are very much aware of the threats and the actual situation,” Adriaensen tells Recharge. “There have already been incidents, but there hasn’t been much said about it, probably because everybody would like to keep it low-profile.”

Symantec says that the Dragonfly collective have already attacked renewables companies via phishing emails and so-called “watering hole attacks”, where external websites likely to be visited by the intended target are infected with dangerous malware that will automatically download to their computers when they click on the site. As a result, hackers were able to compromise industrial control systems, while the malware was able to replicate itself and spread to other computers on the network.

And energy companies do not only have to worry about internet-facing systems — they also need to protect their internal networks. Power management systems, supervisory control and data acquisition (Scada) systems and smart grids — which enable real-time monitoring and control of production facilities and transmission networks — increasingly utilise the web (and standard internet protocols) to improve their connectivity and communication speed.

“Any attack on these systems has the potential to impact not only business operations, but also result in financial loss, affect thousands of customers, severely harm the company’s reputation and even put lives at risk,” says Sean Newman, security evangelist at Cisco unit Sourcefire, adding that security breaches of such systems are on the rise.

“I have had meetings with wind turbine manufacturers, and project developers/operators, and I had the impression they are less aware of these cyber threats than, for example, TSOs [transmission system operators],” says Adriaensen.

Around one third of the 61 power and utility companies recently surveyed by management consultants Ernst & Young said they were each spending more than $3m a year — at least $183m in total — on information security, including protection from cyber threats.

Market researchers at the International Data Corporation estimate that consulting and testing services associated with cyber security for European utilities will more than double by 2016, to be worth €412m ($564m) a year.

DNV GL is among those hoping to take a large slice of this pie.

Adriaensen, 35, who is in charge of DNV GL-Energy’s global intelligent network and communication team, runs a department providing global cyber security advisory and test services for infrastructure operators, owners and manufacturers. He can call on 90 experts in Europe, Asia and the US, and has commercial responsibility for a 60-strong European team, based in Arnhem, the Netherlands, where the company has a cyber security test laboratory so secure that Recharge was not even allowed to look inside.

Mitigating the risks first requires an organisation to identify what those risks are, explains Adriaensen, which is why his department has devised a “health test” for testing and validation of cyber security systems.

“So this is all about how you test the system, with reference to a list of standards about how you should behave,” says Adriaensen. “A second layer is based on common criteria methodology to assess the device.

“A third step is based on an assessment where we look at a database of known vulnerabilities. A group of professional ‘ethical hackers’ have been used to test systems. We don’t have these hackers on our payroll, but we use their knowledge and input, via the database.

“We are also working with the European Union Agency for Network and Information Security in helping to make proposals for the transition to one common EU standard for dealing with cyber security issues.”

Adriaensen acknowledges that there is no such thing as a 100% secure system and that, to some extent, the industry is always going to be one step behind increasingly sophisticated hackers.

“The hacking problem is definitely increasing, but today we are monitoring it much more closely.

“There is much more awareness than there was five years ago, and nowadays utilities register when they are under attack. It is a battle we can and must win.”

As Newman says: “It is now not a case of if you will be attacked, but when and how often.”