Power networks have become increasingly plugged into the ever-spreading digital systems that are now crucial to most big businesses. Energy providers are no exception and the threat from cyber criminals is a growing one.
Secure systems to power the future of smart grids
A new threat to personal information is emerging from an unlikely source: the humble domestic light switch.
As the digital age continues to grow, hackers are finding new ways to secure sensitive information that could have serious repercussions. And that information can now be gathered through power networks.
The introduction of smart grids, or the digitalisation of electrical power grids, has created new vulnerabilities as homes and utilities are beginning to rely on network connectivity.
Fadi Aloul, a cyber security advisor and professor at the American University in Sharjah, says smart grids are the future and offer several advantages over current systems such as being able to monitor electricity usage remotely via an electronic device.
Have you ever been on your way to work and suddenly wondered: “Did I turn off the coffee pot?” With a smart power system a user can check what devices are switched on in their home via a mobile phone. A user can turn off the breaker that powers kitchen appliances with just a screen swipe while they are not actually at home.
The Dubai Electricity and Water Authority (Dewa) began a smart metering pilot project in 2005 that led to the utility upgrading its automation network including communications systems and remote operations. Dewa’s smart networks and metering project, estimated to cost Dh7 billion, will replace 250,000 meters spanning over residential, industrial and commercial properties.
While this technology will elevate services, Mr Aloul cautions that there was no such existence of a completely secure system. Just like a user being able to access and cut power remotely, so can criminals.
“With every new gadget, there comes a lot of risk and security issues, especially at the beginning,” he says. “Security could come last on priorities – that gives hackers the freedom to take advantage.”
Mr Aloul says criminals could monitor a consumer’s home network to access data. This could include electricity usage, which may indicate when a homeowner is out of town, giving useful information to a potential burglar. A more serious risk could be the compromising of sensitive information on a home computer. “Everything is physically accessible with a smart grid,” Mr Aloul says.
Home networks are especially vulnerable because the public is not well educated about the risks, he says. By contrast, companies such as utilities funnel money into making servers stronger. “The human security [aspect] is the weakest link in any organisation and that’s what most hackers are after.”
Mr Aloul says there are three main entry points, or gateways for cyber criminals, in smart grid networks. These include: home devices such as meters; utility companies; and the network in between such as transmission and distribution lines.
Utility and commercial operations have already seen attacks from large, organised hacker groups, which ultimately hurt companies and sometimes governments. In addition, Mr Aloul points out that cyber activists or even state-funded groups could target power operations that may even threaten national security by executing attacks to take out entire power grids.
The American technology firm, F5 Networks, says it is looking to focus more on power-sector security as more systems depend on these types of connections.
The senior systems engineering manager Gary Newe says security is a “hot” division for the company right now.
The information technology research firm Gartner expects the cyber security industry to grow 8.2 per cent this year to US$76.9 billion. And the increasing adoption of mobile, cloud, social and information that is often interconnected will drive new security measures through 2016.
“Once you start to look at user information and move it to real time metering, the possibilities of what that data could be used for are pretty much endless,” Mr Newe says.
He says with critical infrastructure such as power stations, sensitive information in the wrong hands can cause serious damage.
“If [companies] are connected to the internet or internal networks, hackers can find a way to exploit [operations],” says Mr Newe. “There is the potential for scary things to happen.”
He points to a recent attack by hackers on a German steel mill. The German federal office for Information Security (BSI) released its annual report in December that said hackers used emails to release malware, a software bug, that penetrated the mill’s automation system. The attack made parts of the plant fail, resulting in a potentially fatal furnace blast. The BSI said the infiltration caused “massive damage”, but did not specify how much the attack cost the company.
This particular crime used a method known as spear phishing; sending emails that target particular company individuals. These messages appear to come from an official source, such as the head of the company, and ask for login information including passwords.
Mr Newe says there has been a noticeable shift in the cyber criminals’ approach over the past 12 to 18 months. There has been a rise in “blended attacks” where a large attack is perpetrated to act as a diversion from a smaller, more targeted attack.
He also points to “denial of service” attacks, whereby a server is so overwhelmed with requests it goes offline. In addition is what is termed the domain name system reflection approach, where an attack is amplified by using a critical piece of internet infrastructure such as the network interface bandwidth, or data processing capacity.
This method can debilitate very large networks such as real-time trading platforms or financial institutions.
Mr Newe says F5 has seen cyber attacks rocket by 200 to 300 per cent in the past 12 months.
This has led to the European Union, among others, looking to aggressively address the issue before it is too late.
According to a July report by the Organisation for Security and Cooperation in Europe (OSCE), the EU allocated €3.5 million (Dh14.5m) to develop a decision support system (DSS) for power grid operators.
This computer system helps organisations to determine security responses based on various simulations.
The EU DSS will help grid operators mimic cyber invasions to analyse which areas could be brought down while also calculating the amount of time it would be likely to take to restore the compromised infrastructure.
The system will also assess the economic costs of an incident and provide recommendations on how to address weaknesses in Europe’s power supply. Although the system is still under construction, the potential financial losses as a result of electricity disruptions can be seen in examples such as Egypt’s chronic power shortages that reached heights last summer.
While Mr Newe says it is extremely difficult to assess how much cyber attacks are costing networks, large-scale power outages caused by other reasons can give an idea.
In September, the Suez Canal Authority was forced to declare a state of emergency as blackouts crippled vessel movement on the waterway that provides some $5bn in annual revenue. Ships were forced to remain stationary because communication networks, which depend on electricity, were unable to function. Disruptions to industries such as iron, steel and oil refineries and pumping stations cost the Egyptian government an estimated $140m in revenue.
Power grids are also susceptible to natural disasters. In the United States, Mississippi suffered a major blow to the its economy in 2005 when Hurricane Katrina destroyed the power supply for one of its main revenue earning industries, gaming.
Prior to the storm, casinos on the Mississippi Gulf Coast generated about $2.8bn in annual revenue and made up about $330m of state and local governments’ tax revenues, according to the American Gaming Association.
To get an idea of what the cost of a similar outage caused by online criminals might be, substitute “cyber attack” for Hurricane Katrina”.
Based on the revenue losses recorded for 2005, each day the casinos were unable to operate cost the industry some $7.6m, or $320,000 an hour. A power failure taking out the grid for three hours would result in a loss of almost $1m.
“Gaming, finance, power – hackers don’t discriminate. It’s across the board,” Mr Newe says.
But he is optimistic about the power sector doing everything it can to increase protection with the rise in the deployment of of smart grids because “they’re charged to protect consumer data”.
He adds that solutions usually only come after a situation has occurred. “We don’t know what the possibilities are and we don’t know the vulnerabilities,” Mr Newe says.
“It will take someone to identify the problem before we can combat it.”
Follow The National’s Business section on Twitter