Cyber Security and Critical Energy Infrastructure

https://doi.org/10.1016/j.tej.2014.01.011Get rights and content

Both the number and security implications of sophisticated cyber attacks on companies providing critical energy infrastructures are increasing. As power networks and, to a certain extent, oil and gas infrastructure both upstream and downstream, are becoming increasingly integrated with information communication technology systems, they are growing more susceptible to cyber attacks.

Introduction

Critical energy infrastructure (CEI) is a prime target for attacks of all sorts. In January 2013, a terrorist group attacked a gas plant in Amenas, Algeria, which led to a subsequent hostage crisis and became one of the worst terrorist attacks on oil and gas installations (Reuters, 2013). But CEI is not only vulnerable to terrorist attacks, as state attacks such as extensive energy “denial” operations during the Iran-Iraq war (Hiro, 1991) as well as the 1999 Kosovo campaign (Walker, 1999) demonstrate. While the energy industry is experienced in dealing with physical attacks such as armed assaults, explosives, and biochemical agents (MacKinnon et al., 2013), cyber attacks on CEI present a new security threat for which the industry has little expertise or experience. Nevertheless, recent reports show that attacks are increasingly focused on companies providing CEI, including electric power grids, gas lines, and water systems (Umbach, 2013).

Society's growing dependence on ICT infrastructure and systems has given birth to a new class of cyber-physical threats that may facilitate physical attacks with a cyber-attack, so-called “cyber-enabled physical attacks” on critical infrastructure. While the means/actions of such attacks are virtual, the impact can be physical. Previously, this threat profile would have been physical-physical, with a physical intrusion (action) resulting in a physical impact. It is this shift in the threat profile that is troubling to the industry, particularly because physical threats can often be observed and mitigated more easily than cyber threats. Attacks may consist of disabling monitoring and security equipment or causing physical damage directly (MacKinnon et al., 2013). Prominent recent attacks include the Shamoon cyber-attack in 2012 on Aramco, the Saudi Arabian Oil Company, which, even though it did not cause operational disruptions, does represent a qualitative change in the nature of attacks with the potential for causing great physical disruptions to vital energy supply chains (Clayton and Segal, 2013, Bronk and Tikk-Ringas, 2013).

As a result, a number of initiatives have been launched and policies put in place to strengthen resilience to cyber attacks, whether terrorist or state-sponsored. Examples include the European Union's Policy on Critical Information Infrastructure Protection (CIIP), adopted in 2009, which focuses on the protection of Europe from cyber disruptions by enhancing security and resilience. Among its achievements is the establishment of the European Public-Private Partnership for Resilience (EC, 2013). Another example is the United States’ Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) in 2012 (U.S. DOE, 2013a). Much of the existing literature and news reports have focused on the following aspects of cyber security: privacy (Kritzinger and von Solms, 2010, Shakarian et al., 2013), state-affiliated cyber-espionage (Power and Dario, 2007, Barnes, 2013), or private sector competitiveness (Choo, 2011, Everett, 2009, The Economist, 2013, Jones, 2008). Still, much has equally been written about cyber attacks on cyber-physical infrastructures, e.g. Clayton and Segal (2013), Umbach (2013), or Khurana et al. (2010). This essay presents a brief overview of the threat cyber attacks pose to critical energy infrastructure in both the power sector and the oil and gas sectors.

While the means/actions of cyber attacks are virtual, the impact can be physical.

Section snippets

A New Cyber Threat

“Cyber attacks and other IT security issues have become a top industry concern for the first time in the history of Ernst & Young's recurring survey of energy executives, ranking No. 9 on the list of most important industry concerns of 2013.” These threats, as well as their perpetrators, are growing more sophisticated, and will likely continue to do so in the future, which will make them only more difficult to detect and defend against (Clayton and Segal, 2013). Much of the literature and

Recent History

Cyber-enabled physical attacks can take many forms; attack methods include “vandalism, spreading propaganda, gathering classified data, using distributed denial-of-service attacks to shut down systems, destroying equipment, attacking critical infrastructure, and planting malicious software” (MacKinnon et al., 2013). The method of attacking critical infrastructure by planting malicious software, known as malware, has repeatedly demonstrated the vulnerabilities of energy systems. The earliest

The Nature of the Threat

Power networks are arguably among the most critical of all critical infrastructure (van der Vleuten and Lagendijk, 2010). Whenever physical critical infrastructure of the electric power grid is compromised, grid reliability is as well. Grid disruption could lead to widespread system failures and sweeping blackouts, which carry social and economic consequences. In the United States, hurricanes Sandy in 2012 and Katrina in 2005 are examples of the overwhelming chaos and confusion, as well as the

Making It ‘Smarter’ Makes It More Vulnerable

As energy services are critical to the daily functioning of industrialized economies, the cyber threat posed to critical energy infrastructure is increasingly considered as a central concern. This is especially the case as ICT has become an integral part of the modern power system, enabling the assemblage of network information and the automated issuing of control actions in (near) real-time to maintain grid stability by balancing demand and generation (Pearson, 2011, Wang and Lu, 2013). The

A Diverse Landscape

How cyber threats are handled across the energy sector is very much dependent upon the business activity of the energy company. Cyber security efforts at a sector-wide level vary widely between electricity and oil and gas, with electricity ostensibly favoring a regulatory approach not dissimilar from other efforts to mitigate reliability issues under the NERC umbrella. An oil and gas exploration and production firm may have operations around the globe, including in dangerous environments. They

The U.S. Experience

Cataloging and then adopting best practices (recognizing that we are in the early stages of this field) in policy, controls, and process could help critical infrastructure industries strengthen resilience.1 In the United States, Congress has undertaken discussion regarding cyber security legislation for several years, but has not passed significant legislation in this area. In early 2013 President

Conclusion

The threat on critical energy infrastructures from cyber attacks is significant and growing as energy system operations become more electronically interconnected. Despite the threat, it appears that the cyber-security risk is still more commonly associated with issues such as theft of confidential personal, commercial, or national intelligence, than with cyber-enabled physical attacks on critical infrastructure. Nevertheless, the threat to economies is real, and system failures could lead to

Ijeoma Onyeji is a research analyst at New Energy Insights (NEI). She has previously worked in various fields of sustainable energy, including smart electricity systems, renewable energy, and energy poverty and access. Ms. Onyeji has consulted for a number of organizations, including the International Atomic Energy Agency (IAEA), the United Nations Industrial Development Organisation (UNIDO), and the European Commission's Institute for Energy and Transport (IET). She holds a Master's in

References (44)

  • I.L.G. Pearson

    Smart Grid cyber security for Europe

    Energy Policy

    (2011)
  • W. Wang et al.

    Cyber security in the Smart Grid: survey and challenges

    Computer Networks

    (2013)
  • J.E. Barnes

    U.S. Says China's Government, Military Used Cyberespionage

    Wall Street Journal

    (2013)
  • J.W. Bialek

    Recent Blackouts in US and Continental Europe: Is Liberalisation to Blame?

    (2004)
  • C. Bronk et al.

    Cybersecurity Issues and Policy Options for the U.S. Energy Industry

    (2012)
  • C. Bronk et al.

    The Cyber Attack on Saudi Aramco

    Survival: Global Politics and Strategy

    (2013)
  • K.-K.R. Choo

    The cyber threat landscape: challenges and future research directions

    Computers & Security

    (2011)
  • B. Clayton et al.

    Addressing cyber threats to oil and gas suppliers

    Energy Brief

    (June 2013)
  • DHS

    Critical Infrastructure

    (2013)
  • DHS, n.d. US Department of Homeland Security. Safeguarding and Security Cyberspace....
  • EC

    Digital Agenda for Europe

    (2013)
  • EIA

    Annual Energy Outlook 2012

    (2012)
  • EU

    Critical infrastructure protection

    (2010)
  • C. Everett

    The lucrative world of cyber-espionage

    Computer Fraud & Security

    (2009)
  • Farivar, C.

    Stuxnet admission likely to have foreign policy consequences

    Arstechnica

    (2012, June)
  • FIRST

    First – Improving Security Together

    (2013)
  • K. Geers

    The challenge of cyber attack deterrence

    Computer Law & Security Review

    (2010)
  • D. Hiro

    The Longest War: The Iran-Iraq Conflict

    (1991)
  • IBM

    Best practices for cyber security in the electric power sector

    (2012)
  • A. Jones

    Industrial espionage in a hi-tech world

    Computer Fraud & Security

    (2008)
  • H. Khurana et al.

    Smart-Grid Security Issues

    IEEE Computer and Reliability Societies

    (2010)
  • R. King

    Virus Aimed at Iran Infected Chevron Network

    Wall Street Journal

    (2012)
  • Cited by (62)

    • Cybersecurity and resilience in the swiss electricity sector: Status and policy options

      2022, Utilities Policy
      Citation Excerpt :

      For example, past attacks have been directed at utilities, electricity network associations, and even national network infrastructures (IEA, 2021a). The increasingly interconnected nature of electricity infrastructures, through increased adoption of distributed energy resources (DER) (Heymann et al., 2020), is likely to increase the risk surface potential penetrators can attack (Onyeji et al., 2014). This risk surface expands even more with sector coupling, which is on top of the European political agenda (European Commission, 2020a).

    • A socio-technical lens on security in sustainability transitions: Future expectations for positive and negative security

      2022, Futures
      Citation Excerpt :

      “[C]onflict will increasingly be organised around networks and nodes of information transfer”, including attacks on both civilian and military networked computer systems such as smart grids (Peoples & Vaughan-Williams, 2014, p. 187). As the energy transition is associated with growing reliance on ICT and digital devices as part of smart grids, the threat of cyber-attacks on critical energy infrastructures is growing; electricity distribution is particularly vulnerable to such attacks (Onyeji et al., 2014). More distributed and decentralised technologies increase the “surface area” exposed to attacks (Cornell, 2019).

    View all citing articles on Scopus

    Ijeoma Onyeji is a research analyst at New Energy Insights (NEI). She has previously worked in various fields of sustainable energy, including smart electricity systems, renewable energy, and energy poverty and access. Ms. Onyeji has consulted for a number of organizations, including the International Atomic Energy Agency (IAEA), the United Nations Industrial Development Organisation (UNIDO), and the European Commission's Institute for Energy and Transport (IET). She holds a Master's in Economics and Econometrics.

    Morgan Bazilian is currently the Deputy Director of the Joint Institute for Strategic Energy Analysis (JISEA). He is also a member of the World Economic Forum's Global Advisory Council on Energy, and is Adjunct Professor at Columbia University. Dr. Bazilian has over two decades of experience in the energy sector and is regarded as a leading expert in international policy. Previously, Dr. Bazilian worked in the United Nations on energy access issues, prior to which he was the European Union's lead negotiator on low-carbon technology at the international UNFCCC climate negotiations.

    Chris Bronk, Ph.D., is a fellow at the Baker Institute for Public Policy at Rice University. He also holds appointments at Rice's School of Engineering and the University of Toronto. Previously, he was a Foreign Service Officer.

    The authors offer thanks to Austin Montgomery (Software Engineering Institute at Carnegie Mellon University) for his valuable input on earlier versions of this article.

    View full text