Protecting Power: Cyber Threats to Energy Infrastructure

By Milena Rodban

Key takeaways

  • The growing threat landscape for the energy sector: Increasing cyber threats from nation-states, organized crime, and extremist groups targeting its decentralized and digitally connected infrastructure, exacerbated by legacy systems and a cybersecurity talent shortage.

  • Energy is geopolitically vulnerable: Energy infrastructure is a prime target for adversarial nations seeking to disrupt critical services without direct conflict, as seen in the Russo-Ukrainian war and ongoing attacks on US energy systems.

  • Active risk management is essential: To counter evolving threats, the energy sector must shift from passive risk transfer to proactive risk mitigation, involving continuous investment in cybersecurity, regular updates to resilience plans, and integration of AI with a focus on securing new vulnerabilities.

Cybersecurity threats to physical infrastructure are evolving rapidly in a deteriorating global operating environment characterized by increasing nation-state conflicts, organized cybercrime, and extremist groups targeting critical infrastructure for asymmetric advantage. This is particularly true for the energy sector, a national critical function as designated by the Cybersecurity and Infrastructure Security Agency (CISA). As a result, an increasing number of regulations are being imposed to improve cybersecurity, given the high number of possible attack vectors and entities seeking to exploit them.

Several of the energy sector’s key characteristics make it particularly vulnerable to cyber attacks with physical consequences. Decentralized infrastructure, the use of digitally connected and remote industrial controls, the burden of legacy software and hardware, and a shortage of cybersecurity talent in the field complicate the challenge. For a sector already threatened by the destructive forces of climate change, extensive regulation, and the high costs of investment in the energy transition to renewables, the imperative to improve cybersecurity is yet another competing priority, and one that cannot be ignored.

Energy Sector as a Geopolitical Target

Energy infrastructure presents an alluring target to attackers who wish to degrade, disrupt, and destroy a variety of downstream capabilities across a range of other sectors, such as water treatment plants, medical facilities, financial institutions, and telecommunications. The US energy sector is therefore a key target of adversarial nations such as China, Russia, Iran, and North Korea, which seek to create a competitive advantage and weaken a country without crossing a red line - or at least while maintaining plausible deniability.

Cyber and physical attacks against power infrastructure and electrical substations in the United States and around the world are at multi-year highs, and attackers are honing their skills in conflicts abroad. Past incidents disabled remote control systems for wind farms, took down billing and payment portals, and interrupted meter access.

Targeting of energy infrastructure through kinetic and cyber attacks is a key feature of the Russo-Ukrainian war. In December 2015, a cyber attack attributed to Russian cyber actors disrupted energy grid operations, leaving more than 225,000 customers in the dark during the difficult winter months. Since the February 2022 invasion, energy facilities like the Zaporizhzhia Nuclear Power Plant continue to be attacked regularly, creating the potential for a far-reaching disaster. Energy infrastructure half a world away from the battlefield is continuously targeted, including in the US, as the war continues.

As global volatility surges, existing regional wars risk expanding, and the chances of possible new conflicts grow in places like Taiwan, the energy sector should expect increased attacks and plan accordingly.

There are several troubling trends in the way cyber attackers threaten infrastructure targets. Extremist groups, state-sponsored or state-directed advanced persistent threat (APT) actors, and others have attacked smaller city power grids, water treatment facilities, and medical institutions.

Attackers know that limited funding available to smaller entities often means lower levels of security and widespread use of outdated, unpatched software and unsecured devices, which are more easily penetrated. Poorly secured vendors and other third parties with high-level digital access - or physical presence - within energy infrastructure systems are also major vulnerabilities.

In addition to geopolitical drivers, a primary motivation is financial gain. Ransomware attacks that exploit known vulnerabilities are rising despite years of warnings to patch software and maintain secure backups. Those entities that fall victim to ransomware attacks are often double or triple extorted, meaning that even those who pay ransoms find their data is not unlocked upon payment or proprietary data is released publicly. In addition, denial of service attacks may leave systems inaccessible for long periods, something energy infrastructure operators can ill afford.

Part of the problem is that many organizations still do not prioritize their cyber supply chains. Securing the programs, networks, services, and systems that an organization relies on to operate is of the utmost priority in the current elevated-risk environment, and this is as critical against outside attackers as against insider threats. To aid in this work, the US and other governments are also working to implement standards such as software bills of materials, so that customers know what is in their software the same way they see the components in their hardware.

As cyber defenses improve, attackers are constantly innovating. Disclosed cybersecurity incidents should not distract from a more troubling trend: those looking to target energy infrastructure for competitive advantage are playing a long game, penetrating systems but refraining from active attacks in order to hide their intrusions. Many attackers with motivations other than a quick ransom payout lurk in systems, sometimes for years, biding their time until the most advantageous moment to cause the most chaos.

Countering this tactic requires constant active monitoring and scanning of systems, which itself requires constant active prioritization and investment. Yet, despite its criticality, the energy sector still lags behind finance and other sectors in attracting and retaining cybersecurity talent.

Data Collateralization

Securing proprietary data is critical and costly as regulators, investors, and banks increasingly scrutinize cybersecurity as a condition of financing. Given the rise of data collateralization, it is also crucial for every organization’s future. Companies are increasingly finding they can use the valuable, long-term data they hold as collateral to secure loans and other financing to make major investments and innovate. But to be valuable, the data must be well secured; often, it is not.

Increasingly, companies whose proprietary data is compromised find themselves spending over a month to recover from major cyber incidents, creating massive internal disruptions, causing delayed invoicing and payments, running up exorbitant remediation costs, and affecting their ability to secure future funding.

The Delta-Montrose Electric Association (DMEA) cyber attack in November 2022 is a cautionary tale. It brought down 90 percent of the Colorado electric cooperative’s internal controls, disrupted operations for over a month, and targeted 25 years of historical data. The cascading incident, which started in the corporate network and spread to internal controls, payment systems, and customer account access, is a scenario all energy infrastructure operators should be prepared for and actively working to prevent. Maintaining secure, restorable data backups should be a top priority for all.

Artificial Intelligence

The increasing ubiquity of artificial intelligence will also cause disruption as the energy sector pilots the usage of AI capabilities to predict demand, shift resources, and better analyze the data from the many sensors embedded in energy infrastructure.

The integration of AI capabilities risks opening new attack vectors. It is vital to understand what vulnerabilities an organization might be introducing into its systems and to have a plan to secure them - before deployment. Cyber attackers will also use AI for their own ends, increasing the size, scope, and speed of their penetrations and exploits.

From Passive Risk Transfer to Active Risk Mitigation

While reliance on risk transfer mechanisms like insurance was adequate in the past, the deeply complex interconnectedness of cyber and physical infrastructure requires active risk management and mitigation. Too often, cybersecurity is still seen as a cost center instead of a critical function to be actively prioritized beyond separate IT and physical security silos. Too many organizations remain passive.

To meet the challenge of growing cyber threats against the energy sector, boards and leadership must be proactive. They should drive investments in personnel, systems, and processes and prioritize actively preparing for a range of possible future scenarios. For example, attackers are likely to exploit the chaotic period following a major natural disaster, any period of political significance, such as US elections, and moments of reorganization, such as mergers and acquisitions.

Vendors and third-party software providers must be assessed to understand their level of cybersecurity and ability to remediate incidents quickly. Business continuity and resilience plans should be regularly updated to account for a range of possible cyberattack scenarios. The plans should be practiced via tabletop exercises to ensure that any gaps are identified and addressed and that personnel are familiar with them. Operators of energy infrastructure must be well-versed in both the details of their own infrastructure supply chains and the evolving space of government regulations, including new cyber incident reporting requirements. They must also know who to call in the event of an incident to ensure it is properly reported and remediated.

As the responsibility for cybersecurity increasingly lies within the fiduciary duties of company leadership and board members, opening them to personal liability and lawsuits if they fail to secure their organizations adequately, proper preparation is especially critical. Is your company or organization prepared? Could you handle a ransomware attack or a prolonged denial of service attack? Do you have visibility into your cyber supply chain? How secure is it? How will integrating AI change your organization’s risk profile? The time to answer these questions is now for a more secure tomorrow. 

Milena Rodban is a Washington, DC-based consultant and interactive exercise designer specializing in the geopolitics of cybersecurity. She designs and facilitates tabletops and interactive simulations for companies and organizations exploring the consequences of anticipated geopolitical events in order to improve executive decision-making and strategic planning, as well as test, improve, and practice business continuity and resilience plans.

Milena was previously a Senior Advisor to the Director of the National Risk Management Center (NRMC) at the Cybersecurity and Infrastructure Security Agency (CISA).