
Cybersecurity and Cyber Crime in the Energy and Utilities Industry

 

On the front lines of cyber security imperatives and OT/IT concerns are the world’s energy industry companies and utilities.  Energy-related companies and utilities in each sector – electricity, gas and oil, and water – face serious cyber challenges on a routine and persistent basis throughout production, transmission and distribution activities.  Because these communities and the infrastructure they represent are so vital to modern civilization, they are most often targets for bad actors, whether the bad actors are rogue nation-states, criminal groups or hacktivists.

Added to the attractiveness of these infrastructure industry segments for cybercriminals is the ever-growing attack surface that is the result of two things: the rapid deployment of field automation, and the extension of operational control systems to distribution beyond traditional “fences” using wireless communications methods that are less secure than wire-line approaches to data communications.  As the world modernizes and automates its infrastructure delivery methods, it does so while cyber security standards, checks and balances lag and while regulatory oversight sometimes languishes.

It seems the faster we move toward full-scale automation, the “behinder” we are with cyber-physical security implementations.  Cybercrime reporting is still in its infancy relative to the level of cybercrime events.  Cyber-criminal law needs to be strengthened and severe penalties enacted on a global basis so that strong deterrents will work effectively in the future.

The economic costs associated with cybercrime continue to increase dramatically with each passing year.  The IMF and the U.S. FBI have estimated that the 2022 impact of cybercrime around the world stood at an astounding 8.44 trillion USD.  As if that wasn’t bad enough, the outlook is for that amount to nearly triple by 2027, to 23.82 trillion USD.  The World Bank report for 2022 indicated a global GDP value of nearly 101 trillion US dollars.  The more than 8 trillion US dollars estimated to have been lost to cybercrime unfortunately has a dampening effect on global economic growth.  The losses of the world economy to cybercrime have the effect of lowering global GDP (1) value by several percent, according to Newton-Evans Research Company, which has been including cyber-security related questions in its industry surveys for nearly 30 years.  Newton-Evans has also served as a lead international survey partner for several CIGRE working groups for the past 15 years.  Figure 1 charts frequently used range estimates of dollar losses to cybercrime.

In 2018, the World Economic Forum’s (WEF)  Centre for Cybersecurity launched the Systems of Cyber Resilience: Electricity initiative. This groundbreaking effort helped bolster the cyber resilience of the global electricity infrastructure by bringing together leaders from over 60 businesses, governments, civil society, and academia. The objective was to develop a comprehensive cybersecurity vision to protect the power infrastructure.

During 2023, the WEF’s Centre for Cybersecurity and 11 founding members (2), composed of electrical equipment manufacturers, systems integrators, cybersecurity firms and utilities, launched a new iteration of the initiative known as Systems of Cyber Resilience: Electricity.  The objective of this new program is to establish “. . . an independent multi-stakeholder community that will continue to collaborate and take collective action.  The community will serve as a global exchange platform for cybersecurity leaders in the electric sector.”

The WEF initiative for the electricity sector has already resulted in the publication of three sector-relevant white papers.  These are:  Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards; Cyber Resilience in the Electricity Ecosystem: Playbook for Boards and Cybersecurity Officers; and Cyber Resilience in the Electricity Ecosystem: Securing the Value Chain.

One estimate prepared by Accenture forecast the combined foregone revenue losses shared among utilities and other energy companies over the five-year period 2019-2023 to be more than 400 million USD.

Now for the role of telecommunications in the mix.  The ITU (International Telecommunication Union) is the UN agency charged with responsibility to “…maintain and extend international cooperation among all the Member States of the Union for the improvement and rational use of telecommunications of all kinds.”  The ITU promotes the shared global use of the radio spectrum, facilitates international cooperation in assigning satellite orbits, assists in developing and coordinating worldwide technical standards, and works to improve telecommunication infrastructure in the developing world.

A fundamental role of ITU, based on the guidance of the World Summit on the Information Society (WSIS) and the ITU Plenipotentiary Conference, is to build confidence and security in the use of Information and Communication Technologies (ICTs).  Back in 2007, the ITU launched the Global Cybersecurity Agenda (GCA), as a framework for international cooperation in this area.

Private Sector Reporting on Cybercrime:

McAfee and the Center for Strategic and International Studies (CSIS) released a well-researched 2018 white paper entitled “Economic Impact of Cybercrime – No Slowing Down.” (3)  This 23-page report is full of still-pertinent information on the pervasive effects of cybercrime.

The report identified some of the hidden costs from the aftereffects of cybercrime including loss of intellectual property and confidential business information; online fraud and financial crimes, financial manipulation, opportunity costs, and reputational damage.

The report recommended uniform implementation of basic security measures, including regular updates and patches, and open security architectures; discussed the need for increased international law enforcement cooperation; and expressed the need to improve or replace existing processes such as the Mutual Legal Assistance Treaty, which allows one government to request the help of another in investigating cyber crime or obtaining evidence.

In late 2018, Deloitte, the UK-headquartered global professional services firm, published a white paper entitled “Managing Cyber Risk in the Electric Power Sector.” (4)  The Deloitte report pertains to the global electric power community, though the chart referenced in the article was developed from available US information.  In the figure provided in the article, one can note the relative importance placed on various threat actors and their business and operational impact from key types of cybercrime activities.

While criminal gangs are most likely to cause financial loss and theft of customer data, rogue nation-states are more likely to focus their efforts on destruction of infrastructure as well as theft of customer data.

In late 2020, McKinsey & Company also wrote about the threat of cybercrime against the energy industry and provided approaches to addressing vulnerabilities peculiar to energy infrastructure.  In the McKinsey article, the authors defined four levels of security zones for a power-generation plant, and discussed how utilities can set up a best-practice approach to cyber security. (5)

In 2022, Accenture published a paper on cybersecurity for utilities. (6)  In the paper, the company’s authors reported having observed three characteristics that make utilities especially vulnerable to cyber threats.

  • Increased numbers of threats and actors targeting utilities: nation-state actors seeking to cause security and economic dislocation, cyber criminals who understand the economic value represented by this sector, and hacktivists out to publicly register their opposition to utilities’ projects or broad agendas.
  • The second vulnerability is utilities’ expansive and increasing attack surface, arising from their geographic and organizational complexity, including the decentralized nature of many organizations’ cybersecurity leadership.
  • The electric-power and gas sector’s unique interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation, including billing fraud with wireless “smart meters,” the commandeering of operational-technology (OT) systems to stop multiple wind turbines, and even physical destruction.

This year, the U.S. Securities and Exchange Commission has enacted Code of Federal Regulations (CFR)  Rule #17, which stipulates that publicly traded companies must report cyber security incidents and must provide some information about their cyber security methods and procedures.  The ruling is mandated to come into effect mid-year 2024.  This ruling will affect all investor-owned electric, gas and water utilities as well as other publicly traded energy industry companies. Here is a section of the ruling:

The Securities and Exchange Commission (“Commission”) is adopting new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are adopting amendments to require current disclosure about material cybersecurity incidents. We are also adopting rules requiring periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risk. (7)

In summary, there is no shortage of good information available on measures that, taken together, may enable utilities and the energy industry in general to form a more robust and increasingly resilient defense against pervasive cyber threats and cybercrime.  When I review where the industry stands today and compare it to the millennial year, however, what appears worrisome is a perception that we are not yet always including cybersecurity and cyber defense at the top of our concerns when initiating new and further-afield methods of grid and pipeline monitoring and control.  This gap can be significantly narrowed if we place cyber expertise, supply chain component knowledge and software bills of material on a strategic planning level within our utilities, other energy firms and commercial/industrial entities supporting the utility/other energy communities.  The SEC ruling will mean advances in cyber reporting, but similar reporting is not yet required of public utilities, cooperatives and privately-held energy companies.  Figure 2 gives a view of Newton-Evans’ perception of the growing gap between energy industry attack vectors and cyber defense capabilities.  With strong efforts from both the public and private sectors around the world, this gap can be narrowed significantly in the coming years.

On October 23, 2023, Interpol released information about the take-down of a notorious cyber-criminal gang – Ragnar Locker Ransomware group, headquartered in Western Europe.  This criminal organization had targeted critical infrastructure over the years.  A detailed write-up can be found here:  https://www.europol.europa.eu/media-press/newsroom/news/ragnar-locker-ransomware-gang-taken-down-international-police-swoop.  Hopefully this will be but one of many take-downs of cyber criminal organizations in the months and years ahead.

During 2024, be on the lookout for CIGRE WG D.54’s (Regulatory Approaches to Enhance EPUs Cybersecurity Frameworks) scheduled publication of a technical brochure that includes findings from surveys of electric power utility (EPU) officials involved with cybersecurity from nearly 40 countries and another survey of national regulators and their roles in ensuring cyber security within their country’s borders and sharing with the international community.  This CIGRE working group has had the benefit of cooperation from delegates and survey participants located in North and South America, Western, Central and Eastern Europe, Africa and Asia.

End-notes:

  1. According to the World Bank, the global GDP reached 100.56 trillion US dollars in 2022. See https://data.worldbank.org/indicator/NY.GDP.MKTP.CD
  2. The 11 founding members include Dragos, EDP, Enel, Hitachi Energy, Iberdrola, Naturgy, Ørsted, Schneider Electric, Siemens Energy, Southern Company and Vestas.
  3. See https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/economic-impact-cybercrime.pdf
  4. See https://www2.deloitte.com/content/dam/insights/us/articles/4921_Managing-cyber-risk-Electric-energy/DI_Managing-cyber-risk.pdf
  5. See https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/the-energy-sector-threat-how-to-address-cybersecurity-vulnerabilities
  6. See https://www.accenture.com/content/dam/accenture/final/a-com-migration/pdf/pdf-177/accenture-cybersecurtiy-for-connected-energy-ecosystems.pdf#zoom=40
  7. See https://www.sec.gov/files/rules/final/2023/33-11216.pdf