How to Bolster Power Plant Security in an Age of Cyberattacks

Heidi Vella

The recent Dragonfly 2.0 attacks served the power sector yet another warning: Cybersecurity is critical. Here's how to ensure your plant doesn't fall victim to cybercrime.

In the digital era, cybersecurity is as important as physical power plant security, possibly even more so.

The extent of the threat posed by cyberattacks was exposed by Symantec earlier in the year when it revealed that a group known as Dragonfly 2.0 had targeted dozens of energy companies in Europe and the US, according to Reuters. The hackers successfully obtained operational access, including control of interfaces.

The worrisome revelations followed repeated attacks on the Ukrainian grid in 2015 and 2016 that caused huge power outages in the country—the first known hacker-generated blackouts.

Furthermore, due to the way power plants are now operated, an incursion on a plant's digital network could also give intruders physical access.

To help protect your plant against cyberthreats, follow these four tips.

Identify Your Risk

Identifying and fixing the specific cybersecurity issues that expose your network to remote attacks can seem very difficult; in reality, cybersecurity is a perfectly manageable problem.

To maintain good power plant security, it is important for operators to first identify their risk by conducting cyber assessments to expose weak spots in the system.

For example, risk may lie in the legacy fleet and environment, because, while security is a design consideration in all new units, the brownfield environment is often left exposed.

Once you identify your company's risks, you can take steps to patch and secure the system.

Maintain Your Digital Operations

You already maintain the physical condition of your assets with regular assessments and inspections; you should take a similar approach to digital component maintenance.

For example, you should conduct penetration testing of the human machine interface (HMI), the system that personnel use to control all aspects of the plant, as HMIs represent particular risks for operators.

HMIs that have not been regularly patched and maintained may expose your operations to risk. In particular, it is important to know what software is running in your environment. For example, HMIs often run on Windows XP, which is no longer supported by Microsoft. If the system has not been regularly patched and maintained, this can create vulnerabilities. Cyberattacks that aim to introduce malware depend heavily on the environment having weak spots.

To shore up your network, experts at MIT suggest upgrading the system and patching it regularly. Furthermore, it can help to create a roadmap to tackle issues in order of their risk level.

This is an example of how an operator can take a very achievable step and have a very high impact on reducing their exposure to cyber-risk.
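As an added illustration (not code from the article or its sources), the sketch below builds such a roadmap from a software inventory, flagging unsupported operating systems and stale patch levels and ranking hosts by risk. The inventory rows, column names, and scoring weights are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory, not data from a real plant.
INVENTORY_CSV = """host,role,os,last_patched,reachable_from_it
hmi-01,HMI,Windows XP,2013-11-02,yes
hmi-02,HMI,Windows 10,2017-08-15,no
eng-ws-01,Engineering workstation,Windows 7,2016-01-20,yes
hist-01,Historian,Windows Server 2012 R2,2017-09-30,no
"""

# The article names Windows XP as unsupported; extend this set from your
# vendors' lifecycle notices.
UNSUPPORTED_OS = {"Windows XP"}

def assess(asset, today):
    """Score one inventory row. The weights are illustrative assumptions."""
    score, findings = 0, []
    if asset["os"] in UNSUPPORTED_OS:
        score += 5
        findings.append("OS no longer supported: upgrade")
    age_days = (today - date.fromisoformat(asset["last_patched"])).days
    if age_days > 365:
        score += 3
        findings.append(f"no patches for {age_days} days")
    if asset["role"] == "HMI":
        score += 2  # HMIs control the plant, so a weak one matters more
    if asset["reachable_from_it"] == "yes":
        score += 2
        findings.append("reachable from the IT network")
    return score, findings

def build_roadmap(csv_text, today):
    """Return (host, score, findings) tuples, highest risk first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    scored = [(row["host"], *assess(row, today)) for row in rows]
    return sorted(scored, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    # The assessment date is fixed so the output is reproducible.
    for host, score, findings in build_roadmap(INVENTORY_CSV, date(2017, 10, 1)):
        print(f"{score:>2}  {host:<10} {'; '.join(findings) or 'no findings'}")
```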

Train Staff to Be Vigilant

As Power Technology reports, to successfully infect targeted computers in Europe and the US, the Dragonfly group first launched an email spear-phishing campaign that selectively targeted executives and persons of interest with emails titled: "The account" or "Settlement of delivery problem." These emails "contained a malicious PDF attachment that, when opened, would infect the computer with the malware," says the report.

The hackers then executed a "watering hole" attack, placing malicious links on legitimate websites popular with energy sector workers. "Once clicked," Power Technology continues, "the links would divert the users to a seemingly legitimate, but in fact malicious, site and instigate a download of the malware to the machine."

The attack showed the weaknesses that exist within the power sector's IT infrastructure—that a simple email was enough to infect an entire system—but it also highlighted the need for adequate staff training and vigilance to identify malicious and bogus links and attachments.

Training personnel in cybersecurity best practices is often underemphasized in the power sector. However, simple awareness exercises, such as teaching staff to scrutinize emails, especially ones that request financial transactions or contain attachments from unknown senders, can significantly reduce risk. Plant managers should teach employees that, if an email looks suspicious or is asking about something they are not already privy to, following up with a quick phone call to validate the email request should be routine.
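The checks staff are asked to make can be written down precisely. The following added example (not part of the original article) applies them to constructed sample messages: an attachment from an unknown sender, a subject line matching the lures reported above, and a request for a financial transaction. The sender domains and payment wording are assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Subject lines the article reports from the Dragonfly campaign.
REPORTED_SUBJECTS = {"the account", "settlement of delivery problem"}
# Assumptions: replace with your own sender domains and wording.
KNOWN_SENDER_DOMAINS = {"plant.example", "supplier.example"}
PAYMENT_WORDS = ("wire transfer", "payment", "bank details")

def build(sender, subject, body, pdf_name=None):
    """Build a constructed sample message (not a real email)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "operator@plant.example"
    msg["Subject"] = subject
    msg.set_content(body)
    if pdf_name:
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename=pdf_name)
    return msg

def triage(msg):
    """Return the reasons a message should be verified before acting on it."""
    reasons = []
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    names = [part.get_filename() or "unnamed" for part in msg.iter_attachments()]
    if domain not in KNOWN_SENDER_DOMAINS and names:
        reasons.append("attachment from unknown sender: " + ", ".join(names))
    if msg["Subject"].strip().rstrip(".").lower() in REPORTED_SUBJECTS:
        reasons.append("subject matches a reported campaign lure")
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    if any(word in body for word in PAYMENT_WORDS):
        reasons.append("requests a financial transaction")
    return reasons

# Constructed samples covering a lure, a routine internal mail, and a payment request.
SAMPLES = [
    build("Accounts <billing@unknown.example>", "Settlement of delivery problem",
          "Please see the attached document.", "delivery.pdf"),
    build("shift.lead@plant.example", "Turbine inspection schedule",
          "Schedule attached.", "schedule.pdf"),
    build("cfo@unknown.example", "Urgent", "Please arrange a wire transfer today."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        flags = triage(sample)
        print(sample["Subject"], "->", flags or "no flags")
```

Any message that returns one or more reasons is a candidate for the follow-up phone call described above.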

Training exercises for power plant personnel could include sporadically sending out suspicious-looking, but ultimately harmless phishing emails to test employees' reactions. Those who get caught by the fake phishing email may benefit from additional cybersecurity training and workshops.

Shut Down Attacks

Operators may realize their systems have been breached in a number of ways, according to Computer Weekly, "from detecting unusual activity through proactive monitoring of critical systems or during audits, to outside notification from law enforcement and compromised data located in the wild."

If an operator finds that an HMI host has been breached with malware, it is important to have a backup and recovery process in place. This usually involves restoring the system from a known backup point, wiping out the host, and reimaging it.

For attack response, it can be useful to partner with a managed security adviser who can help identify the details of an attack, manage the response, conduct forensics, and provide an ongoing action plan to remediate the system. Plant managers may also need to notify relevant government officials, depending on the assets' location, as each region has its own standards and practices.

Lastly, it is crucial to know how to respond to the incident publicly. It's a best practice to have a communications plan in place prior to any attack, so there are few delays in responding publicly to the event.

Delays in informing the public or government officials can lead to widespread criticism and permanently damage a company's reputation.

Being quick to respond to a cybersecurity breach is important, especially if customers are directly affected. Plant managers should consider setting up an information hotline or website to keep customers informed in the event of a breach.

Awareness is growing in the power sector of the immense security risk posed by cybercriminals, especially after the remotely induced blackouts in Ukraine, which highlighted that critical infrastructure is an achievable target for hackers. As guardians of critical infrastructure, power plant operators and managers must take proactive steps to mitigate cyberthreats to preserve their company's operation and reputation. Fortunately, doing so is perfectly possible with a thorough and methodical approach.

