“Although you cross the Atlantic for years and have ice reported and never see it, at other times it’s not reported and you do see it.” – Charles Lightoller, Titanic Second Officer (speaking at the public inquiry into the sinking)
In one of my recent lectures on “The cybersecurity dimension of critical energy infrastructure” I include a slide called: “Does industry understand how vulnerable their infrastructure is and how it can be targeted?” In my lecture I tell my audience that the answer is “no”. Yesterday I received another confirmation to support my evaluation. I attended a lecture at the Lithuanian Academy of Science given by a high official of our energy industry on the theme “Lietuvos energetikos politika ir ekonomika” (Lithuanian energy policy and economy) (1). It was an impressive lecture on the current status of our electricity, municipal co-generation (heating and electricity) and gas sectors. The strong points, weak points, and prospects for the future were described for each sector and exhibited on slides for the audience to follow along. What most attracted my attention was the 4th bullet list on “Grėsmes” (Threats) and the imperfect way they were being presented. Threats to these sectors for example were presented as delayed decision making based on poor cost-benefit analysis, poor regulation and possible corruption from activities of small interest groups, the negative affect on the gas market from decisions made by a major gas customer and over investment in infrastructure and uncompetitive methods of energy production. Later there was a list of priorities and one of them was listed as “Innovation and digitalization”.
Missing throughout the presentation on threats and priorities in the energy sector was any mention of problem with dealing with the new vulnerabilities introduced together with the innovation and digitalization of the control systems used in the energy sectors. In the Q & A after the presentation I asked why there was no mention of the threats coming from cyberspace. Was he aware that together with the benefits of innovation and digitalization new vulnerabilities came with them? They also have a dark side and the consequences need to be considered. As an example of the kind of threats being faced today in the industry I briefly recounted the cyber-attack that took place against the control systems of part of the Ukrainian power grid last December ( 2 ) . Cyber intruders succeeded in obtaining access to the operators’ control network and were able to open breakers at over 30 substations putting a ¼ of a million people in darkness just before Christmas. I asked, shouldn’t the technological threat and consequences also be added to his slides on threats? I gave another example of the Lloyds of London and Cambridge University study of the insurance implications of a cyber-attack on the U.S. Electric Grid (3). A successful cyber-attack that results in disconnecting 50 substations could lead up to 1 trillion dollars in damages? While I was asking these questions I could hear murmurings in the audience and a wry smile began to appear on the energy officials’ face. He replied that yes, his people were aware and were doing a great deal of work behind the scenes (which he chose not to describe in any more detail). These efforts are not publicized and it was not mentioned in the presentation because the main focus of the presentation was on the energy market.
After the conference closed I went up to the speaker and asked one more question. Had he heard of “Aurora”? Not the one about Google and China but about the experiment performed on a generator at Idaho National Labs (4). I also suggested he ask his specialists if they have heard of the Aurora Vulnerability. The inspiration for the malware used in the Lloyds-Cambridge study came in part from Aurora (5). I also suggested that to understand this vulnerability his specialists need to understand security as applied to not only IT but more importantly, industrial control systems. The reply was that he was sure that his people did understand. I was not convinced for I think it was pretty clear he had never heard about Aurora before. He also reinforced his position that his systems were safe as they were fully isolated and there was no cyber threat from the outside. I decided at this point to stop pressing him and left him with a thought that the idea that systems are not connected to the Internet is a myth. Operators have been surprised to find that a device was connected somewhere that should not have been. The systems are connected to other systems in a complex hard to comprehend web of connectivity.
I left the hall thinking that perhaps I should have just stayed silent. It is not an easy thing to stand up and draw attention to cyber issues in a crowded auditorium where technology is being discussed and security is left out. It is amazing how industry, in spite of the wake-up calls, seems to underestimate the possibility of a cyber incident or attack on their operations. Standing behind a wall of “we are doing something but we can’t tell you right now” or “our systems are isolated from the Internet” is not going to do much to develop an accurate understanding of the problem and finding an appropriate solution. Until the efforts are joined by others in the community of interest the aggressors will remain more organized and several steps ahead of those trying to defend critical systems – to the surprise of operators and their customers.