As a leading source of renewable energy across the world and a vital part of the nation’s critical infrastructure, the integrity and security of hydropower facilities are of paramount importance. Regrettably, however, the past year has seen a vast number of cyber attacks on critical national infrastructure (CNI) globally.
In February, hackers remotely accessed the Oldsmar water treatment system1 in Florida, temporarily changing the plant’s sodium hydroxide setting to a dangerous level. Meanwhile, Queensland’s largest regional water supplier, Sunwater, was targeted by criminals in a cyber security breach that went undetected for nine months. Each attack had a different motive and threat vector, which only emphasises why CNI organisations, such as water companies, need to be hypervigilant to a wide range of cyber threats.
Critical national infrastructure will always be a prime target for nation state cyber attacks: the economic importance and interconnectivity it encompasses ensures that any breach will cause maximum damage and disruption to daily life. However, preventing such crimes is almost impossible due to the arsenal of funds available to bad actors. To strengthen their cyber defences in an evolving threat landscape, the UK’s hydroelectricity installers must shift their focus from outright prevention to improving cyber posture and resilience.
Hydropower: a prime target
According to Bridewell Research 86% of CNI organisations have detected cyber attacks on their operational technology (OT) and industrial control systems (ICS) in the last 12 months, with the water and transport sectors experiencing the most successful attacks. In many cases, ageing infrastructure has magnified vulnerability to attack: over three quarters (79%) of organisations’ main OT systems are over five years old and a third over 10 years old.
At the same time, attack surfaces are increasingly vast with most organisations making OT systems accessible remotely and over the internet. Hydropower plants are particularly vulnerable to attack due to their reliance on supervisory control and data acquisition (SCADA) systems – an electromechanical system in which software can be used to control vast, physical objects. Traditionally organisations have managed SCADA systems on their own closed private networks, however, the recent move towards remote working has forced organisations to connect these systems with wider IT infrastructure and the internet. As a result, companies that fail to take proper security precautions when making such connections, or have weaker IT and OT segregation and no additional controls or visibility, unwittingly allow nefarious actors to cause large-scale outages or costly physical damage with just a few lines of code.
What are the risks?
In addition to the evolving risks posed by ageing and increasingly connected infrastructure, hydropower faces an array of complex cyber threats. Ransomware has evolved from being a malware issue to a highly sophisticated and profitable human endeavour, meaning organisations are now at risk from skilled operators with high levels of offensive security knowledge. Harnessing the power of automation and wormable ransomware, such as WannaCrypt and NotPetva, cyber criminals can gain access to an organisation, meticulously survey the environment, and then launch a large-scale attack on data and systems.
In 2019, Norsk Hydro ASA, a major aluminium and hydropower producer, was stricken by an extensive ransomware attack4 that forced its entire global network offline and inflicted tens of millions of pounds in damage. LockerGoga, the ransomware in question, had only been established two months before the attack, helping it to easily evade traditional security solutions and swiftly take hold. The increasing severity of recent intrusions – coupled with the criticality of water infrastructure – highlights the growing need for organisations to fully integrate cyber security into their risk assessment and mitigation programmes.
Beyond the threat of ransomware, companies face risks from vulnerabilities in the supply chain which could provide a foothold into hydropower infrastructure, allowing criminals to compromise large sections of an organisation. As they can only protect what is in their control, organisations are realising the need to review their own cyber posture and build cyber resilience.
Shifting from reactive to proactive
The security model in CNI usually leverages the Purdue model, which is more secure than most organisations, but is being eroded by remote working and IoT. This means that the cyber risk exposure and attack surface is particularly vulnerable to threat actors.
As cyber attacks grow in sophistication and severity, traditional preventative methods simply do not have the agility to effectively ward them off. Interconnectivity within hydropower is both an asset and a liability, making cyber attacks on organisations a case of when – not if.
The government has already taken some important steps5 to improve the cyber resilience of the UK’s critical national infrastructure. Likewise, the EU’s directive on security of network and information systems (NIS Directive) is an encouraging legislative measure, albeit with minimal enforcement at present. However, to be truly effective, a step change in cyber strategy is required. Regulations will only ever go so far in tackling the issue, so organisations must now develop a holistic view of cyber security that ensures visibility into site level OT traffic and vulnerabilities, protection and understanding of cloud and SaaS assets, and comprehensive analysis of user and identity behaviour.
The role of managed detection and response
While full prevention of cyber attacks is not possible, hydropower installations can be designed to be more cyber resilient – to withstand, adapt to and bounce back from attacks while continuing their critical operations.
Attacks will continue to plague the sector and proper detection, response and remediation will be what makes the difference between those that make the news and those that don’t. As such, managed detection and response (MDR) is playing an increasingly vital role in mitigating cyber risk.
MDR is a 24-hour cyber security service that combines modern security technology with human analysis, artificial intelligence and automation to rapidly detect, analyse, investigate and actively respond to threats, rather than simply generating alerts. Importantly, an MDR solution also allows businesses to develop a reference security architecture that facilitates the safeguarding of on-premise and legacy systems, SaaS solutions and cloud-based infrastructure applications. It also helps security teams to protect against and respond effectively to emerging security and user identity threats while reducing the dwell time of any breaches.
For hydropower operators, MDR provides correlated visibility across OT and IT networks, effectively joining the dots and enabling security teams to focus on strategic priorities rather than chasing down the latest security vulnerabilities. It can be combined with ethical hacking techniques to simulate attacks and offer deep insights into the gaps in an organisation’s cyber security strategy. The collaborative process of identifying and closing the gaps – which is then validated through retesting – not only removes the risk but also educates teams on a range of cyber security best practice.
The best forms of MDR utilise Extended Detection and Response (XDR) technologies which allow detection and response across endpoint, network, web and email, cloud and – importantly – identity, alongside a service wrap that goes above and beyond the capabilities of the technology. This means all users, assets and data remain protected, regardless of where the attack comes from.
Becoming more cyber resilient
To truly build cyber resilience, basic cyber security hygiene practices, such as regular testing and patching of any systems connected to the internet and segmentation of networks, should be supplemented by proactive measures such as threat hunting and detection and response, to reduce the time from intrusion to discovery and limit damage from attackers. Regular red team assessments should also be used to identify and plan entry vectors into a cyber system, including physical security.
Ensuring that new technologies, such as the Internet of Things (IoT) and cloud, are fully covered and understood through measurable, punitive business directives, is essential in shoring up the cyber resilience of hydropower operations. Therefore, organisations that build and leverage cyber threat intelligence to inform prevention and detection capabilities will benefit from more focused security investments and resources – rather than scattergun attempts to stop everything.
Only by implementing a strong risk management procedure, broad-level monitoring and incident response, can organisations stay one step ahead of potential cyber threats and ensure all risks are dealt with and reflected upon in an efficient way, so that compliance, posture and infrastructure are not compromised.
Working with a trusted partner
With an average growth of 4% per year, hydropower has become a key source for electricity generation – globally supplying 71% of all renewable electricity. Any interruption to this critical service could cause damaging financial loss and serious disruption to our everyday lives.
However, to successfully drive cyber security improvements, organisations face the challenge of maintaining system uptime whilst undergoing operationally and technically complex upgrades. Many of the systems currently in use by renewables operators were built prioritising efficiency over security. It is advantageous therefore to engage a security architect early in a project lifecycle to ensure better interoperability and integration with the existing estate.
With the help of the right security partner – one that truly understands the OT and IT environment – organisations can overcome operational and technical complexities to transform cyber security while keeping critical services running. It will be those organisations that adopt a proactive approach to cyber security operations, by implementing a robust cyber security transformation process, underpinned by MDR, that will reap the benefits of a stronger, structured system for managing, isolating and reducing threats.
This article first appeared in International Water Power magazine.