Picture the scene – it’s the middle of winter in Ukraine with temperatures barely reaching above freezing and the power goes out. Not only does it go out but no one can tell you what is going on.
That’s what happened to 230,000 people in December 2015 when a cyberattack took place on the Ukraine power grid. Hackers successfully compromised the systems of three energy distribution companies and switched off 30 substations.
At the same time, they destroyed or disabled IT infrastructure components and files stored on servers. All while launching a denial-of-service attack on call centres to keep up-to-date information from consumers during the blackout.
This is not a movie plot. It was a reality. Hackers had carried out the first known successful cyberattack on a power grid. Rather than going just for the tradition information technology targets, hackers had been able to take over operational technology (OT).
“One of the most terrifying things about this hack was that it didn’t start on the day that the power went down,” says Laith Amin, senior vice-president at Advisian Digital, part of WorleyParsons Group.
“It started long before that in the form of spear-phishing emails that contained the BlackEnergy malware. You see, successful cyberattacks are the ones when you don’t know the hackers are there until it’s too late.”
Alarming stuff, especially since it’s not simply the cost of these cyberattacks that need to be considered: the potential risk to human life with OT hacking is massive. Infrastructure, power plants, hospitals – all these rely on OT as well as IT.
Unsafe “Ëœair gap’
Traditionally, companies have focused on the “Ëœair gap’ when it comes to keeping their plant safe from a cyberattack. This air gap assumes that a company’s IT is in no way connected to its OT. But as technology becomes more sophisticated this is no longer the case, or even desirable. Laptops, iPads and mobile phones are now being utilized more than ever in plant environments but often with the focus still being on the fact that the air gap will protect. It won’t.
What’s more, continuing to maintain the air gap offers no value to customers. “Everything we know at Advisian Digital says that the real value comes from connecting your operating technology to your information technology,” says Amin. “Digital asset transformation itself means connecting your IT infrastructure to your plant OT. You can get a lot of value and productivity benefits by doing that, as you are able to control things like predictive maintenance, preventative maintenance, and condition monitoring remotely using your IT.”
So where IT has firewalls, virus protections and regular patches made by Microsoft, Apple and other technology companies to help safeguard it, what’s in place for operational technology?
“In the US, there’s National Electrical Reliability (NERC), which has standards that guide asset owners on how they can reduce their vulnerability in terms of cybersecurity. There’s also the UL Standard for Software Cybersecurity for Network-Connectable Products (UL 2900), which was published in 2017 and created after evaluating the complexities and challenges associated with cyber risk,” explains Amin. “But that’s all very new.”
However, while technology vendors may now be releasing OT equipment that does keep plants secure, this doesn’t remove the question of existing OT and whether it’s protected. “Buying the latest secure technology for one aspect of your plant is pointless if you’ve still got aging technology elsewhere. Or your operators don’t understand the importance of software updates, closed ports and other risks. Outdated equipment, either through lack of updates or age is a weak spot that hackers will find,” Amin points out.
“When you apply it to everyday life it makes perfect sense,” explains Amin. “You might have heard of the Black Hat hack of the 2014 Jeep Cherokee where – in a controlled demonstration to expose the weakness – hackers took control of a car from a remote location? They could change everything from the radio music to the effectiveness of the accelerator and blasting the car with air conditioning. Hackers had discovered that a vulnerability in the car’s built-in Wi-Fi service enabled anyone who knew the IP address of the car to access the car’s functionality.”
Amin pauses to let the reality of this news sink in before continuing. “Even more interestingly, while Fiat Chrysler issued a patch, owners had to go into the dealership to have their cars updated by engineers or update it via a USB themselves. Once again placing the responsibility on the least informed party and leaving potentially thousands of cars exposed to hackers.”
Changing cybersecurity culture
It’s a cultural change, too. The operator’s workforce has got to be behind the changes. Employees have got to play their part in updating the software, be aware of the risks of creating vulnerabilities, and looking for anomalies in the system.
Again, it helps to translate this into everyday scenarios, explains Amin. “You update your phone software. You know you should have complicated passwords that you don’t share. You have firewalls. You don’t open attachments from people you don’t know. And one step further than that. If someone was peering through your neighbour’s window, you’d probably investigate, or if someone was opening a car with a crowbar, it might get your attention. If something looks odd in your data, it probably needs checking out.”
“It’s about getting your workforce to apply that level of thinking to their office technology, and hammering home the message both within WorleyParsons and to our customers that cybersecurity is everybody’s problem and that anyone can become an expert in safeguarding their company’s assets,” he adds.
Amin breaks down his advice into three easy steps for operators to understand. The first is making them aware that there is an international cybersecurity standard to be able to test and verify conformity to that standard for all your control systems. “If it doesn’t meet the standard, you don’t install it,” says Amin bluntly. “Or that’s your weak point for the hackers.”
The second? “Don’t assume a successful attack is when you’re going to know about it, when your plants been shut down, or something’s been tripped. That’s not a successful attack, that’s a failed attack. A successful attack means they’re in your plant environment now and they’ve got control but you don’t know it yet. The only way to detect this is to monitor everything. Look for little changes, anything unusual and collect the data for analysis so you can detect any anomalies early on.”
And finally? “Make sure every single piece of equipment you have is 100 per cent covered and kept that way. Build into your business culture the importance of updates, of not leaving vulnerable ports open, of the fact that there is no longer an air gap between IT and OT. Use the UL2900 as a design standard for security and act to maintain conformity permanently during the operating phase of your asset.
It sounds so simple, but Amin estimates that only 1 per cent of the industry has secured its OT in part because a lot of this technology is still very new – the standard itself only came out last year.