Energy sector’s digital shift opens door to cyber threats
The transition to renewable energy and the increasing integration of IT and OT systems in the energy sector are creating new cyber security challenges
The energy sector is transitioning away from its traditional “defence in depth” approach to cyber security, where operational technology (OT) systems such as substation sensors were isolated from IT networks. This shift is driven by growing digitisation and reliance on distributed renewable sources.
Speaking to Computer Weekly in an interview, Phil Tonkin, field chief technology officer at Dragos, an industrial cyber security firm, noted that organisations with a strong history of resilience are facing increasing threats from various actors – state-sponsored, criminal and hacktivist. “They’re also seeing an erosion of that defence in depth driven by a necessary change in how we consume energy, where we get our energy from, and how it’s brought to the home,” he said.
While large-scale attacks on critical infrastructure are rare, requiring both capability and motivation, Tonkin warned that those factors may be converging. “We’re seeing this in the Ukraine conflict and globally, as actors develop those capabilities,” he said.
State-sponsored actors, in particular, are being detected deeper in the networks of critical infrastructure providers.
Tonkin cited Volt Typhoon, a Chinese state-sponsored cyber actor, as an example. “We’ve found them deep inside IT networks and on the edge of OT networks belonging to mid-sized US utilities, as well as in the Asia-Pacific region, including Guam. These groups target critical infrastructure supporting military operations,” he said, adding that such activity can spill over into the civilian realm as supporting infrastructure becomes a target.
The Australian Signals Directorate (ASD), in its latest annual report, noted a rise in malicious cyber activity against OT assets, driven by the integration of legacy systems with IT networks. The ASD responded to 128 cyber security incidents in critical infrastructure last financial year, and while not all involved state actors, it suspected some incidents went unreported.
Still, Tonkin stressed the need to manage the risks associated with high-impact, low-probability events in OT security. While traditional security measures have been largely successful, the landscape is changing. The rise of smaller power generation assets, such as rooftop solar installations, is creating a new challenge. Securing these numerous, dispersed assets, often using common technologies, is more complex than protecting a few large power stations.
Moreover, homeowners cannot be expected to provide the same level of cyber security for solar panels as large power generators do, said Tonkin. This is particularly concerning as Australia’s electricity demand is set to double in the next two decades, driven by artificial intelligence (AI), electrification of transport and increased domestic consumption. This growth will be met with more distributed generation from renewable sources and gas-fired power stations, creating a larger and more vulnerable digital and physical footprint.
While acknowledging the ASD’s recommendations, Dragos advocated for the Sans Institute’s five critical controls: incident response planning, defensible network architecture, continuous network monitoring, secure remote access and risk-based vulnerability management.
Tonkin stressed the importance of a robust incident response plan, given the difficulty of preventing all intrusions. He also noted the lack of visibility into energy asset operations and connectivity. This is a concern when dealing with state actors, who take a long-term perspective so they can take action when it suits them, or have a bargaining chip when they need one.
Risk-based approach
A risk-based approach to vulnerability management is crucial, prioritising real threats over hypothetical ones. Noting that traditional IT security methodologies are not scalable in OT environments, Tonkin said patching OT systems can introduce operational risks that outweigh the security benefits. Instead, he called for OT operators to focus on known adversary tactics and apply appropriate controls, rather than trying to patch every vulnerability.
“Prioritisation is absolutely key,” he said, using the analogy of 1980s video game cartridges – shipped with bugs that became permanent features – to illustrate the need for robust initial design in OT systems, where patching is difficult or impossible.
While AI offers opportunities for optimising energy infrastructure, it also presents risks. Tonkin called for the development of security tools and policies to mitigate risks, such as employees inadvertently exposing sensitive information through AI chatbots.
He acknowledged that connectivity is necessary to drive AI, and in most cases, will involve sending low-level operational data to the cloud. The data will come from vulnerable OT systems, exposing OT operators to more risk, which makes the development of secure data transfer mechanisms essential.
AI could also empower threat actors, though Tonkin noted that none currently tracked by Dragos are using it. He foresees its potential use in enhancing social engineering attacks and automating code deployment, but threat actors also understand the need to tread lightly over a very long period of time when they’re in an OT environment. Scaling their operations using AI would generate more noise, making detection more likely.
Ultimately, prioritisation based on threat intelligence (what exploits are being used by attackers) and risk (the consequences of a successful exploit) combined with Sans’ other critical controls should help the energy sector secure its systems against intruders, said Tonkin.
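The prioritisation described in the two passages above can be written down as a small triage procedure. The following is an added illustration, not code from Computer Weekly or Dragos: the vulnerability records, the 1-5 scales and the weights are constructed for the example, and the identifiers are placeholders rather than real CVEs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OtVuln:
    """Constructed record for one vulnerability on an OT asset (example data only)."""
    vuln_id: str              # placeholder identifier, not a real CVE
    asset: str
    exploited_in_wild: bool   # threat intelligence: is this exploit in use by attackers?
    consequence: int          # 1-5: impact on the physical process if exploited
    patch_risk: int           # 1-5: operational risk of patching (outage, vendor support)
    reachable: bool           # reachable from the IT network or via remote access?


def triage(v: OtVuln) -> tuple[int, str]:
    """Return (priority score, recommended action).

    The score weights consequence by whether the exploit is actually in use
    (threat intelligence).  The action then accounts for the operational risk
    of patching, so 'patch everything' is never the default in OT: a high-risk
    patch on a high-priority item is replaced by a compensating control."""
    score = v.consequence * (3 if v.exploited_in_wild else 1)
    if v.reachable:
        score += 2
    if not v.exploited_in_wild and v.consequence <= 2:
        action = "monitor; defer to next maintenance window"
    elif v.patch_risk >= 4:
        # Patching would jeopardise operations: segment, monitor, restrict access.
        action = "compensating control: segment/monitor, restrict remote access"
    elif v.patch_risk >= 2:
        action = "patch in next planned outage"
    else:
        action = "patch now"
    return score, action


def prioritise(vulns: list[OtVuln]) -> list[tuple[str, int, str]]:
    """Rank vulnerabilities by score, highest first, with the recommended action."""
    ranked = sorted(vulns, key=lambda v: triage(v)[0], reverse=True)
    return [(v.vuln_id, *triage(v)) for v in ranked]


# Constructed sample inventory for a small utility (illustrative values only).
SAMPLE = [
    OtVuln("VULN-A", "substation RTU", True, 5, 5, True),
    OtVuln("VULN-B", "historian server", True, 4, 1, True),
    OtVuln("VULN-C", "engineering workstation", False, 3, 2, True),
    OtVuln("VULN-D", "isolated PLC", False, 2, 5, False),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
```

Note that the top-ranked item does not get a patch at all: because patching it carries the highest operational risk, the procedure directs effort to the architecture, monitoring and remote-access controls from the same list of five.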