Attacks in cyberspace against entities in the energy and intensive-energy sectors can be very dangerous, because, after all, they can impact on critical infrastructure sites with vital significance to residents, economies, as well as entire countries and regions. The European Commission has long sought to establish a platform of agreement on this matter.
Most critical infrastructure sectors have been subjected, in recent years, to spectacular changes, primarily brought about by the application of information technology. The pace of change significantly complicates the analysed risk of potential threats. The ability to process and analyse information on the operation of systems and networks, changes the manner of their management and development. Changes in the energy sector, in which, additional technological factors appear, are especially dynamic. Renewable energy technology is expanding with the help of public policy support, which affects the expansion of distributed energy generation systems. New technologies and the mining extraction of fuels are changing the functioning of raw materials’ transportation. As a result, the energy supply chain is changing.
Pressure for change in the energy sector, is also exerted by political and market factors, as well as the regulations they bring about: for example, this includes the need to reduce carbon emissions, consumer protection, expanded competition and increases in the security of supplies from renewable sources, the introduction of solutions increasing the importance of security issues, cyber threats, and the protection of systems against natural disasters and extreme weather events.
The complex influence of these various factors, is also evident with the appearance of local policies on the procurement, use, saving and storage of energy at the level of agglomerations. Advanced concepts, in the planning of smart city development, signify an integration of the energy distribution systems, transport networks, signalisation, sensors, visual monitoring, water networks, sewage, broadband networks, service to residents and municipal management. It is presently rare in such ambitious smart city concepts, to discuss deeper issues of cyber security. Nevertheless, given such planned undertakings relating to infrastructure and information about cities, cyber security has a clearly horizontal nature, and must be taken into consideration, especially in the aspect of energy supplies.
The effectiveness of the production, transmission, and distribution of energy has increased with the use of IT technology, but new forms of cyber vulnerabilities are also appearing. Many of them have not been taken into consideration at the stage of investment planning, in the energy sector, or even at a general-systemic level. Electricity generation plants, mines, oil refineries, oil and gas pipelines, and chemical factories, are often highly complex, and consist of vast infrastructure network systems. Their operation is generally based on the ability to monitor and control numerous processes. The application of Industrial Control Systems (ICS), in particular, SCADA (Supervisory Control and Data Acquisition), that developed in recent decades, perfected remote steering and management of industrial processes. Initially, they were constructed as completely isolated systems, that were based on proprietary solutions of selected producers. Presently, there's a multitude of various classes and purposes, at thousands of existing installations of programmable logic controllers (PLC), driving valves, electromechanical switches, and sensors, that were constructed with very limited security, in terms of today's standards against external attack. Many of them use communication protocols that were developed 20-30 years ago. Their massive scale of replacement cannot take place from an economic, or even technical standpoint, thus, an improvement in security, if at all deemed necessary by an owner, takes place through various types of especially developed "patches”, whereas, even software updates usually seem to be a temporary solution. This usually entails high costs, thus, the drive to improve security, should appear in applicable law and technical requirements that countries impose, in connection with the need to protect critical infrastructure.
This is, nevertheless, a growing need which stems from fundamental knowledge on the subject of threats in cyberspace. The very rapid development of data processing systems in computers, as well as digital networking technology development, resulted in industrial installations beginning to adopt standard technologies, embedded systems’ platforms based on various off-the-shelf devices, routers, modems, and commercial software. There is also an unavoidable interconnection of ICS networks with corporate IT systems, and inter-networking with commercial networks and the Internet. Digital technology enablers have led to a reduction in the costs of investment, development, and maintenance. Digital transformation, in essence, means the introduction of new applications, mobility in monitoring and management, the implementation of advanced smart solutions, and integration with robotic systems.
Unfortunately, attacks on industrial systems from cyberspace, have become increasingly popular among hackers. Such incidents are seen as potentially very threatening, and at times, they are often identified, only after having taken place. In building a defence, consideration should be given to the growing professionalism of attackers, the formation of specialised groups, their ties with organised crime, and actions ordered by competitors, including foreign governments. Attacks on important critical infrastructure installations, may, at times, lead to the theft of sensitive information, and lengthy actions through stealth. This is even worse, when the purpose of an attack is to uncover the possibility of permanent damage, or destruction of an installation. This may be an element of dirty tricks by competitors in the race for markets, the desire to delay research-development, or, in the worst cases, support for military action.
The repertoire and manner of attacks in cyberspace are constantly changing, and even surprising experts. Attackers do not always resort to the increasingly inventive technical means. They use, for example, all elements of information war, such as hiding traces, drawing attention from the true target, and providing company security specialists with other harmful software.
Common defence is easier
Cyber defence, at the level of a specialised security department in a firm, is often difficult, especially, if this is not the company's basic business. A security department is rarely able to significantly influence a company's application and understanding of business needs. Company management boards are nominally responsible for security, but this is also not always followed by a constructive understanding of threats or, moreover, the desire to finance appropriate remedial measures.
Legal requirements are helpful, as they also allow for an exchange of experience and knowledge. For this reason, many countries have decided to impose special laws on the protection of critical infrastructure, or generally, with regard to cyber security. It is exceptionally vital, however, to take action at the EU level, primarily because problems of cyber security are strictly tied to the ability to create required standards. This is more effective when there is an economy of scale in each critical infrastructure sector. Cyber security has, therefore, become a key aspect of the Digital Single Market policy.
This was to be served by a Directive on critical infrastructure (2008/114/EC), but it mainly focuses on undertakings with a cross-border nature. More important is a draft NIS (Network Information Security) directive still under discussion at the European Parliament and Council. It is not problem-free, because market players in certain new Internet markets have still not matured and accepted the regulations, and, above all, do not wish to incur the costs of observing new obligations.
It is different in the energy sector, where understanding of the potential effects of cyberspace threats appears to be greater. Without delving into the detail of proposed solutions, it is most important to create sector mechanisms with a foreign exchange of information on threats and identified attacks, which facilitates joint action and standards to assess a risk, apart from CERT response teams. There can be everyday competition with regard to services and raw materials, but the countering of threats is in the common interest. Agreements are already being made at the level of the ENISA (European Union Agency for Network and Information Security) forum.
It is time to be fully aware that the problem of threats from cyber space will certainly not disappear. They will intensify, and require our attention. It is, therefore, worth jointly pondering on how to manage this issue.
Piotr Rutkowski, Counsellor, Technology Adviser, Wardyński & Partners, CEEP member