Lights can go out: Espionage & disruption in the energy sector (5/5)

Nowadays, many companies dealing with critical infrastructure are transforming their IT-infrastructures to take advantage of the benefits of digitalization and in particular trends such as connected OT, IoT (smart everything), and decentralization. The speed of this transformation will only increase in the coming years. Although digitalizing critical infrastructures arguably provides many benefits, such as increased efficiency and reduced costs, it also creates a much larger attack surface for disruptive cyberattacks. Downtime of such critical infrastructure is already increasing, having potentially disruptive consequences on a societal level. What if nobody could make financial transactions anymore because all the payment systems are down? Or what if communication networks were down and you cannot call any emergency services? Or the power supply is disrupted for a prolonged period of time? Not coincidentally, critical infrastructures sit on top when it comes to the (potential) impact of disruptive cyberattacks and are therefore high-profile targets for a multitude of threat actors. Whether it is a politically motivated nation-state actor that uses disruptive cyberattacks as a mode of deterrence or retaliation, or whether it is a financially motivated threat actor that wants to create extra incentives to make its target pay ransom.

The energy industry is an essential part of the critical infrastructure and will be the focus of this blogpost. What makes the energy sector particularly vulnerable to such disruptive attacks? What could be the consequences of a disruptive attack in the energy industry? What role do geopolitics play? We will discuss this in the remaining part of this blogpost.

A target for cyber-attacks

There are two factors that make the energy industry particularly vulnerable to disruption: the large supply chain and increased IT-OT integrations. Operations in the energy industry are increasingly integrated for efficiency purposes. The downside of this integration is that it also creates greater interdependencies, therewith increasing the attack surface of the industry. In other words, disruption in one part of the supply chain can case a ripple effect on other parts of the chain. In May 2021 for example, American pipeline operator Colonial Pipeline became victim of a ransomware-attack. As a result, Colonial Pipeline decided to fully shut down operations in order to contain the threat. Although operations resumed a couple of days later, there were already gasoline shortages, with many empty filling stations and impacted flight schedules at multiple airports. This example illustrates how disruption in one pipeline operator can lead to far-reaching physical consequences in other parts of the energy supply-chain.

The energy industry has not always been a prime target for cyberattacks. Originally, the industry consisted mostly out of mechanical or analogue equipment, segregated from networks and the internet. OT systems are notorious for running outdated legacy software. Today, however, such systems are increasingly integrated with internal networks and even directly with the internet for its ease to fulfill remote maintenance tasks. At this point, many energy companies have started to use Industrial Control Systems (ICS), which are more publicly available and less expensive than proprietary systems. Although this sounds like – and probably was – a logical choice for many companies, the fact that these ICS solutions are coupled with IT-networks, and therefore have much more public facing, have led to more malware being available to target precisely these ICS. Moreover, OT systems were never designed to be connected to the internet, resulting in a disregard for any cybersecurity features. Especially Supervisory Control And Data Acquisition systems (SCADA) are an interesting target for disruptive attacks. In the energy industry, SCADA systems are used in oil and gas pipelines, but also in the electrical grid for transmission and distribution. If one would get access to such systems, operations could be disturbed or shut down, preventing the production or distribution of energy resources.

Hence, the energy industry is vulnerable to disruption. By attacking ICS, the production and distribution of energy can be compromised. Together with strong interdependencies in the supply chain, attacks on the energy industry can have far-reaching and physical consequences, whether being gas shortages, irreversible damage to production systems or even complete electricity outages.

Now knowing that the energy industry is vulnerable to disruption, the question arises: what do threat actors seek to achieve by launching disruptive cyber-attacks? For financially motivated actors, the disruptive impact of a ransomware attack on the energy industry makes sure that their victims are under the highest amount of pressure to pay the imposed ransom. For nation-states, however, the motivation lies in the geopolitical impact disruption could have, as is discussed below.

Geopolitical impact of disruption

At the end of World War two, the world was shocked by a weapon that had no equal. The obliterating power released by nuclear fission, a new technology, changed how the world looked at warfare forever. Cyberspace has offered a new weapon that is at the other end of the spectrum as it is stealthy and sly of nature but could have devastating consequences when used correctly. Through the use of offensive cyber-tactics on critical infrastructure, nations can completely blind and disable their adversaries. In the event of an imminent invasion or just as a warning, the cyber-threat is ever so real. The industry where the impact of such an attack would have the most impact, is the energy industry, as it quite literally provides the fuel for all other industries.

Nation-states with malicious intent are seeking for ways to infiltrate the critical infrastructure of their adversaries, building up a powerful leverage position if they ever came to need it. There have been examples of nation-states already exploiting the leverage position they built. In 2015, Russian hackers killed the lights in parts of Ukraine, and in 2018 in India, Chinese hackers, allegedly attacked the power grid of Mumbai. The first operation can be seen as another move in the ongoing Russian-Ukrainian conflict, the latter as one in the Chinese-Indian border conflict. Arguably, the most notorious example of all has come from the West. In June 2010, a computer worm called Stuxnet spread itself through the computer systems of a uranium enrichment plant in Iran. The level of sophistication of the worm was – and might still be – unprecedented. Stuxnet made the plant’s centrifuges spin out of control, while the data the control systems communicated back to the stunned nuclear scientist didn’t show anything out of the ordinary. The inflicted damage meant a set-back of years for the Iranian nuclear program. The highly advanced cyber-attack was never officially claimed, but the greatest suspicion rests on the US and Israel. These are not only countries that are among the strongest opposers of Iranian nuclear weapons, but they are also the only ones capable – then and arguably now – of engineering such an advanced cyber-attacks¹.

These are only two examples of the use of cyber-disruption as an expansion of countries’ arsenals in modern warfare. Over the past years, concern over the state of defense of Western critical infrastructure, such as the energy industry, has grown. International relations between the world’s superpowers are tensing up and it is not unlikely that China, Russia and the US will flex their offensive cyber muscles. A contemporary conflict this trend is more than apparent in, can be found in Taiwan, which sovereignty is contested by its big brother, China. The small Eastern Island is already enduring a dazzling 20 to 40 million cyberattacks per month. These attacks mostly originate from mainland China and go way beyond just interfering with Taiwanese military activities – China is aiming to undermine their entire society².

"The operation of our government highly relies on the internet. Our critical infrastructure, such as gas, water and electricity are highly digitized, so we can easily fall victim if our network security is not robust enough."

Chien Hung-wei, head of Taiwan's Department of Cyber Security²

As explained earlier in this series of blogs, using APTs is increasingly popular among nation-states due to their easy scalability and low risk of attribution. What the Taiwanese, Indian and Ukrainian examples are clearly telling, is that cyberattacks are used as a method of pressure. Pressure to submit your adversaries to your will. It may also have become a tool of deterrence (arguably, see below), propaganda, and a weapon of warfare.

Cyber-attacks as means of deterrence

As briefly mentioned above, deterrence is a topic of discussion in the cyber-security community. With state-sponsored cyber-attacks daily occurring in high numbers, it is a relevant discussion, especially for those occupying themselves with critical infrastructure, such as all organization in the energy industry. The focus of the debate within the cyber(-scientific) community is on whether offensive cyber-capabilities can be and are regarded as means of deterrence. The deterrence theory became well known during the Cold War and describes how one party can convince another party to not take action by using threats or using relatively small amounts of force. A commonly known example of this is nuclear deterrence; it is highly unlikely for nation A to attack nation B if the latter has nukes that could inflict harm of an unimaginable magnitude on nation A. In other words, deterrence was mainly what kept the Cold War cold. Having the cyber-capabilities to paralyze an adversary’s energy infrastructure could deter the adversary from attacking. A successful cyber-attack on, for example, the power grid could have a massive impact. Does knowing that your target has the capabilities to launch such a devastating attack deter you from attacking? Can we state that deterrence is possible in the cyber-domain? Can nations or maybe even organizations refrain adversaries from conducting cyber-attacks directed at them?

“Thus far, the chief purpose of our military establishment has been to win wars. From now

on its chief purpose must be to avert them.”

Bernard Brodie, military strategist, illustrating the deterrence effect, 1946³.

Over the past years, many scholars from all over the world have been pondering these questions. As far as conclusions can be drawn on this subject in development, the answer for most scholars is: yes, but to a limited extent. The threat of retaliation is an important part of deterrence, but attribution of a cyber-attack is extremely hard, especially when it’s conducted by sophisticated nation-state actors. Adding to that, there is a great variety of actors in cyber-space, ranging from criminals to intelligence agencies, which means there are many motivations for cyber-attacks, making attribution even harder. Also, the red line, that is often more clear in other domains of warfare (sea, land, air, space), has not been drawn yet. Other scholars additionally argument that nation-states should regard cyber-space as one of the domains of deterrence, as in itself it’s just not enough⁴.

So, concluding on deterrence, current belief is that deterring adversaries from attacking you through cyber-space is very hard and only possible to a certain extent. Scholars are suggesting to provide another framework for cyber-space than deterrence, but on what this framework should look like there’s no consensus yet. Perhaps luring conflicts, such as Ukraine-Russia or China-Taiwan/India/US will show if cyber-deterrence is possible. As a consequence, it is most likely that the number of cyber-attacks and its use as an effective means for supply-chain disruption is likely here to stay.

Conclusion

In summary, the energy industry, as part of critical infrastructure, is extremely vulnerable to disruptive cyber-attacks. From the way the IT and OT systems are being set up to IT-networks and (indirectly) to the internet, to the major implications of disruption in this sector, the energy industry has a target painted on its back, due to its attractiveness to cause supply chain havoc. Financially motivated actors are drawn to the sector due to the frightening impact their ransomware attacks could have, while nation-states seek to find points of leverage to disable their adversary’s capabilities, or even deter them from engaging in conflict at all.

This blog on disruption concludes the Hunt & Hackett series on the cyber-threats occurring in the energy industry, globally and in the Netherlands. The current trends and challenges for the industry have been analyzed and compared to the strategic interests of the most aggressive nations in the cyber-space of the energy industry, as data by Hunt & Hackett had indicated. These adversarial nations, being China, Russia, Iran and North Korea, are driven by a variety of motives but are united in the fact that their cyber-aggression has only just begun. Organizations active in the energy industry should remain vigilant and anticipate incoming cyber-attacks.

Sources

1. https://spectrum.ieee.org/the-real-story-of-stuxnet
2. https://edition.cnn.com/2021/07/23/tech/taiwan-china-cybersecurity-intl-hnk/index.html
3. https://www.airuniversity.af.edu/Portals/10/ASPJ/journals/Volume-35_Issue-1/C-Ross.pdf
4. https://www.cfr.org/blog/cyber-deterrence-dead-long-live-cyber-deterrence