In previous articles I've looked at the inherent vulnerability key parts of our infrastructure suffer from as they become more connected. Whether it's the satellite networks that power so many services or our utility networks, the connected nature of modern industrial infrastructure poses clear security risks.
Research from Georgia Institute of Technology highlights how IoT botnets can be used to cripple energy networks by causing a surge in energy usage. The idea is that the various connected devices in our homes, such as smart thermostats or air conditioners, could be hacked into and used to manipulate demand on the electricity grid at any particular times.
The researchers used publicly available data from the energy markets in California and New York to allow them to see fluctuations in both the real-time market and the day-ahead market, both of which are used by traders to forecast for errors and other unpredictable events. They used this data to calculate how hackers could use an IoT-based botnet to alter energy pricing, with various scenarios modelled so that they could manipulate the market without triggering any red flags and alerting officials to their presence.
Attacks for hire
Botnets are a familiar part of the cybercriminals arsenal, and are commonly available for hire on criminal forums. The kind of high-wattage devices spoken about in the paper are nowhere near as easy to amass, however, and are therefore nowhere near as readily available to criminals. They are an increasingly common threat, however, with the Federal Energy Regulatory Commission identifying 16 possible cases of market manipulation in 2018.
The Georgia researchers suggest that even minor demand fluctuations could have a significant, and profitable, impact upon pricing. They believe that delivering such a fluctuation could be achieved with a botnet containing as few as 50,000 infected devices.
This compares with more traditional botnets that often run into the millions.
What’s more, the subtle nature of the changes imposed upon devices is likely to render it undetectable by end users, especially if the attacks are performed when they are likely to be asleep or at work.
For instance, according to their calculations, the researchers believe a profitable attack could result in a spike in consumer energy usage of no more than 7%, which is likely a small enough shift to pass undetected. If such an attack were performed every day for up to 100 days per year, however, it could yield a bounty of up to $24 million per year.
Investment is growing, but infrastructure is still vulnerable
Suffice to say, these calculations assume that a single attacker is hitting the grid at any one time, as multiple attacks simultaneously would be far easier to spot, and the likely returns would diminish with each simultaneous attacker. It’s a nice example of the increasingly novel ways in which the energy sector has to remain vigilant to cyber attack, and underlines why a recent report from Accenture on digital trends in the energy sector saw cybersecurity placed as the main focus for industry professionals.
The report revealed that 61% of energy executives are investing in cybersecurity, which is roughly five times the number that said the same in the corresponding report back in 2017.
It underlines the greater investment across the sector in cyber resilience. It’s a level of investment that has left the sector quietly confident that they can fend off most of what cybercriminals can throw at them, but the fact that just one in three energy firms plan to increase their cybersecurity spending in the next three to five years suggests an industry that might be resting on its laurels.
This is risky, as data from McKinsey found that 60% of key infrastructure companies had experienced a breach of their industrial control or supervisory control and data-acquisition systems in 2018. This follows high profile attacks on Eastern European power-distribution grids in 2015 that cut power to around 230,000 people, with hacking groups such as Dragonfly developing destructive expertise in this field.
The difficulty of protecting this vital infrastructure is compounded by the expansive geographical footprint networks deploy. This is especially so with attacks using botnets where security vulnerabilities are the preserve of a vast network of third party developers.
While the Accenture data does suggest the industry is appreciating the importance of bolstering cyber defences and moving on from the physical defences that have been the sector's bread and butter for a generation. It's vital that these efforts aren't allowed to stagnate, however, as the range of possible attacks does not stop growing. The sector also suffers from the skills shortage that is common across the economy, but with energy often unable to provide either the salary or the glamour of other sectors, attracting the talent required to keep infrastructure safe remains an ongoing concern.
Regulatory oversight will drive transformation
Digital transformation is underway across the energy sector, and it has to be hoped that the initial focus on cybersecurity ensures that security is built into these efforts from the get go. Given the strategic importance, however, it's quite probable that governments and regulators will force the hands of energy providers, with the North American Electric Reliability Corporation (NERC) already empowered by federal law to police the Critical Infrastructure Protection (CIP) standards.
NERC have already issued millions of dollars in fines for non-adherence, and similar regulations exist in the UK and EU.
The Federal government has also issued a request to the industry for insight into how the sector is protecting itself from foreign attack, after Russia and China were both identified as possible adversaries.
“A successful attack on the [Bulk Power System] would present significant risks to the U.S. economy and public health and safety and would render the U.S. less capable of acting in defense of itself and its allies,” the request says.
The need to secure infrastructure from threat is evident, and while the industry does appear to be taking steps to protect themselves, it remains to be seen whether those steps are sufficient to retain their independence or whether the state steps in to force cyber regulations upon them.