Not worried about hackers despite daily attacks

Consider the following:

Someone hacks into a network compan that provide electric power, shutting down their systems. This will knock out the electricity in the entire region supplied by the company, such as Lyse Elnett in Rogaland, Agder Energi Nett in the Agder counties, or Hafslund Nett, which supplies electricity to 1.5 million people in the Oslo area.

A simultaneous attack on several network companies could affect large parts of the country. Trains would stop, planes would not be able to land, there would be no electricity, the water supply would stop and the sewerage system would break down. Hospitals have emergency generators and would manage for a while, but after a while, this would be critical for life and health.

Add a cold winter, and it would not take much imagination to visualise the effects of such an attack.

A disaster movie

"This is the worst that could happen—a worst case scenario. The consequences for society would be huge", says Ruth Østgaard Skotnes.

She is a researcher at the International Research Institute of Stavanger (IRIS) and Centre for Risk Management and Societal Safety (SEROS) at the University of Stavanger. She has recently completed a PhD in safety and security management of electric power supply networks.

You may think that this sounds like a scene from an unrealistic disaster movie. “That's not the case", says Skotnes.

"We must prepare ourselves for the improbable, and the threat to Norwegian energy providers is very much a reality."

The risk is reported by the Norwegian National Security Authority (NSM), the Norwegian Police Security Service (PST), and the Norwegian Government's Cyber Security Strategy for Norway.

"There are strong indications that we now must expect sophisticated attacks, aimed at information and communication technology systems that operate industrial processes and critical infrastructure”, says Skotnes.

Vulnerable to attack

Over the past decades, modern ICT has been introduced in the operation of the various parts of the electric power supply.

Electric power plants now control and monitor production and distribution systems from a few control centers.

Process control systems have traditionally been closed systems, however increased connectivity via standard ICT technologies has made these formerly isolated ICT systems vulnerable to a set of threats and risks they have not been exposed to before.

Skotnes was surprised to discover that the network companies themselves perceived this risk as relatively low, despite the fact that many of the companies had experienced attempts to hack into their process control systems. Some even reported daily attacks from the outside.

"Many network companies put too much trust in their own systems, and take it for granted that attacks will not be successful. This is in strong contrast to what research and reports from the authorities tell us", says Skotnes.

Computer worm against a nuclear programme

Another reason may be that the network companies find it difficult to prepare for something that might happen, but hasn’t yet happened. Up until now, Norway has not experienced harmful cyber attacks on critical infrastructures. However, worldwide there have been several incidents of cyber attacks during the last few years.

The best known of these, Stuxnet, was discovered in 2010. This was the first known computer worm that could spy on and reprogramme industrial control systems. Among other things, Stuxnet was supposed to have been used against and damaged the Iranian nuclear programme.

The attacks on the twin towers in New York, the bombing of the Government Quarter in Oslo and the subsequent attack in Utøya on 22 July 2011 have taught us that the unthinkable can happen.

"We need to be better prepared for attacks against critical infrastructure", says Skotnes.

Management commitment

So, how can the network companies protect themselves against cyber attacks? System updates and antivirus software are important measures, but vigilant employees and management commitment are just as important, according to Skotnes. 

Last year, around 50 companies in the oil and energy sector were exposed to the biggest cyber attack in Norway’s history. In Statnett, the transmission system operator in Norway, the attempt was discovered by a vigilant employee, which meant that the company was able to prevent malicious software from being installed or run on computers within the company.

"My study showed a strong relationship between management commitment to ICT safety and security, and the implementation of awareness creation and training measures for ICT safety and security in the network companies. I was told that it was difficult to implement measures if the management was not committed to the issue", says Skotnes.

Involving the employees in the development of ICT safety and security measures can be a useful way to raise awareness in the network companies. This can make it easier for the employees to realize the benefits of these safety and security measures, and not consider practicality and efficiency as far more important for their work. 

Subculture

Her thesis shows that there exists at least two different subcultures in today's network companies, depending on whether the people operating the process control systems have an education in ICT or a background from the electricity industry. The latter group generally focus on keeping the systems running without interruption. Downtime is not acceptable, and the most important thing for this group is constant supply of electricity.

"Supply reliability is important, but this way of thinking has to change so that everyone understands how crucial ICT safety and security is", says Skotnes.

A critical point

Power production in Norway is more difficult to affect. Ruth Østgaard Skotnes chose to concentrate on power distribution because this is considered to be most critical for societal safety.

She collected data for her thesis through a survey questionnaire that she sent to all the 137 network companies operating in Norway in 2012. Skotnes also interviewed representatives from the contingency planning department in the Norwegian Water Resources and Energy Directorate (NVE) who are responsible for safety, security, contingency planning and supervision in the Norwegian electric power supply sector.

By 2019, smart meters (Advanced Metering Infrastructure) will be installed in all Norwegian households. Smart meters will provide increased capacity, reliability and efficiency of electric power supply, but will also increase the vulnerability to cyber attacks.

“Society’s vulnerability will increase because the number of possible entry points and paths for attacks are continually increasing. This is why we as a society need to take such threats seriously", says Skotnes.

-------------------------------------
Read the Norwegian version of this article at forskning.no

Scientific links

• Ruth Østgaard Skotnes: Challenges for safety and security management of network companies due to increased use of ICT in the electric power supply sector. Doctoral thesis, the Faculty of Social Science at the University of Stavanger, 2015.

External links

• Ruth Østgaard Skotnes's profile

Related content

Power companies unprepared for hacking attacks

Norwegian power distribution companies should carry out more regular contingency exercises to prepare themselves for hacking attacks. If they don't, they won't be equipped to identify and deal with crisis situations.

Swedish engineers launch hackable mini-drone

A trio of friends in Sweden has created a miniature helicopter kit with open source code. Users can hack into the drone's software and adapt it to their own needs.

Your household appliances can be hacked

The neighbour’s kid hacks your washing machine and terrorists switch off the power in your city. These are likely future scenarios with modern technology. But now a researcher has set out to combat this.