Energy Sector

Security challenges facing the energy sector

  • The backbone of Denmark – and the rest of Europe as well

  • The threat of cyber-crime against the Danish energy sector is very high

  • Many different types of criminal cyber-attacks threaten the energy sector

  • One size does not fit all – energy components have no time for standard security considerations

  • Potential repercussions are significant

  • The danger to society

 

 

The backbone of Denmark – and the rest of Europe as well

Without electricity, we cannot fill our cars with fuel, withdraw money, and use our credit cards or our mobile phones. The energy system is here to provide these basic services, and it is one of the most complex and largest infrastructures in Europe and is the backbone of its economy.

This energy infrastructure has been undergoing very rapid changes in recent years in order to increase the share of renewable energy sources such as wind and sun, which are by nature more distributed and variable. Managing the networks to ensure a permanent match between consumption and production requires a continuously increasing degree of digitalization. This increasing digitalization has made the energy system smarter and now enables consumers to benefit more from innovative energy services. However, with an increasingly digitized energy system, and more and more home appliances connected to the grid, cyber-security has become of paramount importance and concern for all, with an increasing number of incidents in recent times.

 

The threat of cyber-crime against the Danish energy sector is very high

The threat of cyber-crime against the Danish energy sector is very high. Cyber-crime aimed at disrupting IT networks and IT infrastructure could, at worst, threaten the energy supply.

Companies in the Danish energy sector have been exposed to Business Email Compromise scams (BEC), in which criminals have impersonated in-house executives to trick company employees into wiring funds to the criminals’ accounts. This was the case when, in May 2018, Energinet was targeted in an attempted BEC scam in connection with the appointment of a new CEO. Criminals impersonated the new CEO, but fortunately, vigilant Energinet employees and best practices foiled the attack.

Even though no IT systems were compromised during this attack, it still reflects the threat posed by fraudulent emails and misuse of company and personal information. Should cyber-criminals launch attacks via compromised company email accounts, it would make it all the more difficult for the company to detect the attack in time.

 

Many different types of criminal cyber-attacks threaten the energy sector

  • Ransomware attacks 

Like many other types of malware, ransomware is typically spread via phishing emails or infected websites visited by the victim. Ransomware attacks render the victim’s data or systems inaccessible, and a ransom is demanded in exchange for restoring access to the data. There are many different types of ransomware. Sophisticated ransomware attacks typically target administrative networks in specific private companies and public authorities.

  • Infection with other types of malware 

Cyber-criminals frequently distribute other types of malware that could be used to steal personal and financial information that is subsequently sold to third parties or exploited by the criminals. Cryptocurrency mining malware is a new type of malware that is used to tap into the computing power of victim devices to mine cryptocurrencies.

  • Targeted extortion 

A new trend has emerged among cyber-criminals that involve groups specializing in stealing sensitive company and client information for extortion purposes. Threats of launching DDoS attacks via the Internet are also used as a means of extortion. Cyber-criminals often demand very large sums of money from their victims.

  • Scams 

So-called Business Email Compromise scams (BEC) are aimed at tricking companies and organizations into wiring funds by sending fraudulent emails requesting wire transfers. Cyber-criminals impersonate an in-house executive (often the CEO); hence the often-used name CEO fraud.

 

One size does not fit all – energy components have no time for standard security considerations

In cybersecurity, one size does not fit all. What might work in the IT sector will not be necessarily adequate in the energy sector. For example, there are energy components such as circuit breakers that need to react so fast that they have no time for standard security considerations, like authenticating a command or encrypting a connection. This makes the new digitized energy grid vulnerable to attacks.

 

Potential repercussions are significant

While data breaches are prevalent, the subject of cyber-security in the energy sector should be of perhaps greater concern. Over the last couple of years, attacks on critical infrastructure have surged, and the potential repercussions are significant. A loss of data is concerning, but a loss of electricity and water is catastrophic to both business and society.

 

The danger to society

Power grids are fast becoming digital jungles. As with any other industry, new technology innovations – like IoT sensors, smart meters, and integrated cloud services – are being integrated with legacy hardware and software. Whilst this is enhancing efficiency and customer experience, cyber-criminals are increasingly targeting these innovations to undermine their benefits.

The utility industry and energy industry, in general, have a massive societal impact. And when impacts on service delivery are incurred, it can have a massive and immediate negative effect on the population of a region.

Sources:

European Commission  I  Centre for Cyber Security (Forsvarets Efterretningstjeneste)  I  Information Age