Building resilience to cyber attacks on energy supplies

Energy security expert at The NATO Energy Security Centre of Excellence, Tadas Jakštas, discusses the threat posed by cyber terrorists to the functioning of Europe’s electricity network.

Tadas Jakštas is an energy security expert and serves as an adviser on all aspects of regional energy resilience. His main expertise is on kinetic and non-kinetic threats to energy supplies, the protection of critical energy infrastructure, and resilience.

According to Jakštas, cyber threats and attacks to the world’s energy supply network are becoming more common, sophisticated and damaging. As a result, NATO needs to be prepared to defend its networks and operations against the growing sophistication of the cyber threats and attacks it faces.

He adds that the disruption of energy supply could affect the security of societies and, while these issues are primarily the responsibility of national governments, NATO continues to consult on energy security and further develop the organisation’s capacity to contribute to energy security, concentrating on areas where it can add value.

Referencing the successful attack on parts of Ukraine’s national electricity grid back in 2015, Jakštas highlights that cyber terrorists are developing their skills at a rate comparable to, or even superior to, the speed at which national governments are implementing their energy digitalisation policies.

The NATO representative confirms that, despite the efforts of the world’s best IT brains, it is only a matter of time before the cyber terrorists strike again. He says: “There is no such thing as 100 per cent prevention, where these matters are concerned. The best hope for society as a whole is that the likes of the European Union can mitigate risks in the most effective way possible.

“Achieving this will require a greater understanding of the cyber ecosystem: how it works and being able to measure the level of threat posed by the people, processes and products involved in data security.”

Jakštas describes the need for greater civil and military co-operation when it comes to keeping the cyber terrorists at bay, describing the shift from physical combat to a small group of highly trained IT experts hacking in to an enemy state’s energy networks.

Cyber terrorists, he says, come in different forms. They can be government sponsored or they can be freelance operators with monetary gain their only objective. Jakštas adds: “They can also be activists and extremists. Specific national states represent an advanced and persistent threat. Cyber activity represents a relative cheap and effective way of disrupting critical infrastructure in another country. It also provides the cover of easy deniability.”

The NATO official confirms that the cyber disruption created in Ukraine during 2015 and 2016 were ‘Sandworm’ attacks. This is a Russian-based threat thought to have been operating since 2009.

He adds: “We have also seen extensive ransomware attacks against Ukraine since 2017. Again, the groups responsible were, in all likelihood, linked to Sandworm.”

Jakštas notes that the Dragonfly 2.0 cyber campaign has targeted the power sector in a number of European countries and the United States of America. The beginnings of this threat can be traced back to 2017.

“Sandworm and Dragonfly are both likely to be controlled by state-sponsored actors,” he says. “The cyber threat against critical infrastructure not only affects the power sector but also other industries such as gas and oil providers, or water treatment. It is highly likely that cyber attacks of this nature will continue, especially ones that help advance the goal of undermining or probing Euro-Atlantic cohesion.”

According to Jakštas, cyber attacks against critical energy infrastructures can have cascading effects. This is because other critical infrastructures are heavily dependent on stable energy supplies.

“Resilient energy supplies are critical for the enablement of military reinforcements. Any disruption of communications impacts on the ability of any country to deploy or sustain its forces,” he adds.

Resilience

The NATO official discusses the principle of cyber resilience. This requires the identification of those assets which must be protected.

“There is also a requirement to understand the operational landscape and understand the cyber ecosystem,” he says. “But underpinning all of this is the necessity of having a grid network that is fully functional on a 24/7 basis. It is against this continuing backdrop that the growing threat of cyber-crime must be assessed. “

The cyber threat against critical infrastructure not only affects the power sector but also other sectors such as oil and gas providers or water treatment. It is highly likely that cyberattacks of this nature will continue – especially ones that help advance the goal of undermining or probing Euro-Atlantic cohesion.

Jakštas profiles the significance of NATO’s Energy Security Centre of Excellence (ENSEC COE). The organisation provides technical, scientific and academic subject matter expertise in the field of energy security that contributes to risk assessment analysis.

It also acts to identify future needs in NATO transformation activities while seeking to prevent or mitigate emerging military threats and challenges, which result from the global scarcity of energy resources.

“The energy security centre of excellence is helping to raise awareness of energy developments with security implications. It is also improving the energy efficiency of military forces.”

He confirms the new and emerging threat of cyber-attacks on the operational technology (OT) within industrial controls systems, specifically pointing out that the threat to the OT protection of key national resources, such as nuclear power plants, is significant.

Fundamental problems can arise in this context as an IT-based system is directly interfacing with physical processes. If these systems are in any way altered, the end result could be physical damage to the infrastructure targeted.

He says: “A nuclear power plant was recently forced into an emergency shutdown situation for 48 hours after a software update was installed on a single computer. This is an example of OT patching, which NATO now believes to be an unacceptable industrial risk.

“Proper international standards should be adopted for OT cyber security or critical infrastructure. Cyber security awareness must also be heightened through a combination of training education and exercise.

“Complete cyber defence will be an impossible goal to achieve. This is because cyber threats are constantly changing. Cyber resilience should rather focus on an ability to prepare for and adapt to ever changing conditions, while withstanding and recovering rapidly from disruptions.

“We must also develop the ability to restore regular delivery mechanisms after a cyber attack,” he concludes.