Picture the scene. It’s the middle of winter in Ukraine with temperatures barely reaching above freezing and the power goes out. Not only does it go out but no one can tell you what is going on. That’s what happened to 230,000 people in December 2015 when a cyberattack took place on the Ukraine power grid. Hackers successfully compromised the systems of three energy distribution companies and switched off 30 substations. At the same time, they destroyed or disabled IT infrastructure components and files stored on servers. All while launching a denial-of-service attack on call centres to keep up-to-date information from consumers during the blackout.
This is not a movie plot. It was a reality. Hackers had carried out the first known successful cyberattack on a power grid. Rather than going just for the traditional information technology (IT) targets, hackers had been able to take over operational technology (OT).
“One of the most terrifying things about this hack was that it didn’t start on the day that the power went down,” says Laith Amin, Senior Vice President at Advisian Digital. “It started long before that in the form of spear-phishing emails that contained the BlackEnergy malware. You see, successful cyberattacks are the ones when you don’t know the hackers are there until it’s too late.”
Comforting stuff, especially since it’s not simply the cost of these cyberattacks that needs to be considered. The potential risk to human life with OT hacking is massive. Infrastructure, power plants, hospitals – all these rely on OT as well as IT.
Why the air gap is no longer a safe space
Traditionally, companies have focused on the ‘air gap’ when it comes to keeping their plant safe from a cyberattack. This air gap assumes that a company’s IT is in no way connected to its OT. But as technology becomes more sophisticated this is no longer the case, or even desirable. Laptops, iPads and mobile phones are now being utilized more than ever in plant environments, yet the focus often remains on the belief that the air gap will protect the plant. It won’t.
What’s more, continuing to maintain the air gap offers no value to customers. “Everything we know at Advisian Digital says that the real value comes from connecting your operating technology to your information technology,” says Amin. “Digital asset transformation itself means connecting your IT infrastructure to your plant OT. You can get a lot of value and productivity benefits by doing that, as you are able to control things like predictive maintenance, preventative maintenance, and condition monitoring remotely using your IT.”
In with the new but not out with the old
So where IT has firewalls, virus protections and regular patches made by Microsoft, Apple and other technology companies to help safeguard it, what’s in place for operational technology?
“In the US, there’s National Electrical Reliability (NERC), which has standards that guide asset owners on how they can reduce their vulnerability in terms of cybersecurity. There’s also the UL Standard for Software Cybersecurity for Network-Connectable Products (UL 2900), which was published in 2017 and created after evaluating the complexities and challenges associated with cyber risk,” explains Amin. “But that’s all very new.”