Modern society is almost completely dependent on the security of information and cyber infrastructure in all spheres of human life. The ability to use information and cyber technologies, as well as information and communication networks, to achieve one's goals is available not only to state bodies but also to criminal and terrorist organizations. In this regard, ensuring the cyber and information security of critical state infrastructure has become an essential condition for maintaining the state's defense capacity, in particular in the context of the war with Russia.
PIMEE, within the ELECTRON Project, conducts the primary state examination of the integrated information security system in automated systems at critical infrastructure facilities, assesses information security in automated systems, and checks the effectiveness and support of complexes and systems for protecting information from unauthorized access at energy facilities. The cybersecurity and sustainability of energy sector facilities characterize the degree to which energy complexes fulfill their functions in society and the state in normal, critical and emergency circumstances [1]. Enterprises and institutions of the energy sector play a key role in the development of the state [2]. Industry remains the main consumer of electricity, although its share of the world’s total electricity consumption is declining. In industry, electricity is used to drive various mechanisms and technological processes. Today, the power drive’s electrification ratio in industry is 80%. Energy sector facilities are strategically important and must operate continuously and provide quality services.
As shown by the analysis performed during the first stage of work under the ELECTRON Project, the main cyber-attacks differ in their consequences and methods of impact. Attacks on utilities in 2015 were not entirely self-organized. In 2016, the malware, which by then provided for self-organization of actions during attacks and operation, became more efficient. In addition, after conducting a study, ESET specialists stated that CrashOverride is capable of physically destroying power systems. CrashOverride [3] software is able to send commands to the power grid to turn the power on or off. According to the ESET specialists, CrashOverride can use a known vulnerability in Siemens equipment, in particular the Siprotec digital relay. Such relays are installed to protect and control distribution and transmission networks. A specialist from the American cybersecurity company SANS Institute has found that the disconnection of a digital relay can lead to the network’s thermal overload. Thus, CrashOverride can enable a planned attack on several critical parts of the energy complex. In this case, a nationwide power outage can occur as the load moves from one region to another.
In December 2015, an advanced persistent threat (APT) was detected in the automated power grid control system. The internal networks of the Ukrainian energy company Prykarpattyaoblenergo PJSC were attacked [4]. Because of this cyber-attack, a significant part of the region and the regional center remained without power for several hours. 30 substations were shut down. About 230,000 people remained without power supply for one to six hours. BlackEnergy malware was used during the attack. The BlackEnergy group attacked the Ukrainian power grid using the BlackEnergy and KillDisk malware families. This was the last known use of the BlackEnergy malware in the real world. After the attack, it turned out that the BlackEnergy group consists of at least two subgroups: TeleBots and GreyEnergy.
In particular, in December 2016, the GreyEnergy team developed a worm similar to NotPetya, and later an even more advanced version of this malware was used by the TeleBots group during the attack in June 2017. GreyEnergy has broader goals than the TeleBots group. GreyEnergy is primarily interested in industrial networks of various entities responsible for critical infrastructure, and, unlike TeleBots, the GreyEnergy group is not limited to Ukraine [5].
Based on the foregoing, it is obvious that one of the primary problems of ensuring the cybersecurity of critical energy facilities and energy systems in general is the development of new methods and tools, together with the development of probable cyber-attack scenarios. This includes determining the order of threat analysis and risk assessment, including the criticality of information technology for the target functions of the energy sector and the cost of protecting resources and IT systems. It also includes determining the testing procedure and the composition of tests to identify the weaknesses (vulnerabilities) of the analyzed systems, up to the organization of artificial cyber-attacks to determine the reliability of existing protection systems and identify their weaknesses; the composition of recommended measures to improve the reliability of the systems; a list of possible cyber-attacks and the actions necessary to repel them; and the regulations for measures to eliminate the consequences of cyber intrusions. On Digital Security in Ukraine, the aim is to increase the security of current applications, services and infrastructures by integrating state-of-the-art security solutions or processes, supporting the creation of lead markets and market incentives in Europe, and following an end-user-driven approach that includes, for instance, law enforcement agencies, first responders, operators of critical infrastructures, ICT service providers, ICT manufacturers, market operators and citizens. Participation in the ELECTRON Project makes it possible to implement next-generation power systems capable of resisting cyberattacks and increasing data confidentiality through four main initiatives: risk assessment and evaluation, detection and prevention of anomalies, mitigation of failures and acceleration of systems recovery, and elimination of internal threats through staff training and certification.
The ELECTRON Project is being developed for exactly this purpose: to cyber-fortify the European EPES infrastructure by enabling and coordinating advanced, adaptive, and cooperative detection of large-scale cyber-human security and privacy incidents and attacks.
References:
[1] The concept of development of the sector of security and defense of Ukraine, put into effect by the Decree of the President of Ukraine dated March 14, 2016 No. 92/2016.
[2] Cybersecurity Strategy of Ukraine, approved by Decree of the President of Ukraine dated March 15, 2016 No. 96 (Officer Vision of Ukraine, 2016), Ed. 23.
[3] Middleton, A History of Cyber Security Attacks.
[4] Bruce Middleton, A History of Cyber Security Attacks: 1980 to Present (New York: Auerbach Publications, 2017).
[5] “GreyEnergy: A Successor to BlackEnergy,” White Paper (GreyEnergy, October 2018). Available at: www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf