Topic of the month September 2012

 

Danger from the internet: Cyber attacks on energy grids

Luckily so far no critical energy infrastructure installations like electricity supply, gas and oil networks, coal-fired and nuclear power stations or regenerative energy operations have been damaged by computer attacks. However, energy grid operators see the risk of digital attack as a growing problem. According to Klaus-Dieter Fritsche, State Secretary of the German Federal Ministry of the Interior, Internet crime has been rising for years now – and this is not just limited to the stealing of data. “Security agencies are seeing an increasing number of cyber-attacks aimed at espionage and sabotage with political and strategic motivations.”

There have in fact already been some sensational cases where industrial control systems were subject to targeted attack and sabotage with the help of computer viruses. Two years ago IT security experts were alarmed when the Stutnex worm infected Iranian nuclear installations despite the fact that these were subject to strict security and not connected to the Internet. Here the highly developed virus – thought to have been brought in on a USB stick – damaged the Siemens industrial control system responsible for monitoring and controlling technical processes.



(Photo: www.enviaM.de)

“Stuxnet revealed the security problems of industrial control systems,” explains Udo Helmbrecht, Managing Director of the European Network and Information Security Agency (ENISA). In a study the EU security agency showed that a great deal more needs to be done with industrial installations of all relevant interest groups. The Stuxnet attack – where the centrifuges of the uranium enrichment facility were taken out of action delaying the Iranian nuclear programme – impressively showed how damaging an attack of this kind can be. According to New York Times reporter David E. Sanger, the US government was behind the attack – and this could have heralded in a new kind of warfare.

In future, terrorists could also hit upon the idea of employing criminal hackers to attack neuralgic points in networks. Scientists commissioned by enemy nations could also develop viruses based on the now freely available Stuxnet code. Attacks previously carried out show the danger potential here. In the US last year arms manufacturer Lockheed Martin was the target of a cyber-attack, as were the International Monetary Fund and the US Senate. Even the website of the CIA, the USA’s secret service, is said to have crashed at the hands of the hacker group LulzSec.

Security has now become a real competitive advantage. To better protect themselves against Internet attack many companies are strengthening their firewalls and are investing in technology and their IT departments. For instance, after the Stuxnet attack on Siemens control electronics the Siemens Group announced it was doubling its security team. As electronic intelligence today controls all processes in energy grids, all levels are also potentially at risk, from the generators in power plants through to the transformers. Detailed specialist knowledge is therefore in particularly high demand – also due to the increased networking between technologies.



(Photo: www.enviaM.de)

Many companies are now taking on external IT consultants, for instance to give them a better understanding of the threat scenarios for their IT-controlled production and power distribution centres so as to be able to develop solutions. One of the suppliers of this kind of service is SySS GmbH that carries out penetration tests and demonstrates specific danger scenarios in a live hacker attack. “The key point here is not the use of technologies,” says Stefan Arbeiter at SySS. “Security technologies and methods for the building of safe networks have existed for years now but they curiously seem unable to prevent attacks.” All tools require the right staff as security products do not work autonomously and are not able to independently recognise and report threats.

NATO is trying to protect itself with a Cyber Security Centre in Tallinn in Estonia, the EU is coordinated via the ENISA and in Germany in 2009 the cabinet passed the National Strategy for Critical Infrastructure Protection (Nationale Strategie zum Schutz kritischer Infrastrukturen – KRITIS) which also explicitly mentions safeguarding household power supply. “The increasing use of modern techniques by (potential) terrorists in combination with social dependencies on reliable infrastructures makes on-going measures for the protection of critical infrastructures from terrorist attack necessary,” states the KRITIS strategy. However, what is also clear is that there cannot be a 100% protection of the infrastructures, neither by the state nor by the operators. “Our former concept of security must be transformed into a new “culture of risk”. What this ultimately means is that 100% protection against attack from the Internet can no longer exist.

To ensure as great as possible protection ENISA specifically demands increased cooperation, knowledge exchange and mutual understanding between all involved interest groups. It recommends forming national and pan-European strategies for the security of industrial control systems, compiling a handbook for proven security practices and introducing joint tests to gauge response capabilities in the event of computer emergencies.

A particular focus at ENISA is on smart power grids as these present electricity grids with new challenges in terms of information security. Since 2010 new buildings must feature smart power metres that can feed renewable energies into the supply grid in a decentralised manner. However, data security for these devices has become the target of criticism: some experts fear that smart metres are vulnerable and that hackers could use them to paralyse the entire power grid because these devices provide access to that grid. Although the data is encoded in a test US researchers were able to access the system in just two days. This meant they were in a position to unbalance generators, switch off power lines and create overloads – right through to bringing an entire network down.

Links and further information::

- KRITIS National Strategy for Critical Infrastructure Protection (German)
- ENISA Europe, Analysis of cyber security legislation (English)
- ENISA Europe, Cyber Incident Reporting in the EU (English)
- ENISA Europe On Stuxnet
- ENISA Europe On Smart Grids





Next month's topic:

Brazil's Economy – Hope for domestic demand

High expectations have been slowed down, but wire and pipe industry have considerable potential.