“Every breach occurs because somebody in that company did something they weren’t supposed to do or somebody in that company failed to do something they were supposed to do... Hackers do not cause breaches, people do.”
-Frank Abagnale, cybersecurity and fraud prevention expert and bestselling author of Catch Me If You Can
Australia’s utilities sector is facing cybersecurity risks that could result in widespread disruption across the nation’s energy and water market, according to experts.
Speaking at a recent roundtable discussion on cybersecurity in Australia’s utilities sector Fifth Quadrant attended in Sydney, experts warned that the increasingly complex and CX-focused utilities sector is becoming more vulnerable to potential hacks.
Smarter, more personalised and complex systems hold new vulnerabilities
Ivan Fernandez, industry director at Frost & Sullivan, said that there has been a recent surge in medium-sized projects in which commercial and industrial customers are seeing value in integrating and using renewables.
“Obviously they have been hit with more than doubling of wholesale electricity prices between 2015 and 2018, and they are now able to leverage more financing options in terms of getting renewables into their sites,” he said.
Fernandez said it is estimated that by 2027, 40% of customers will have on-site distributed energy resources, which will result in increased cybersecurity risks.
At the same time, Australia is currently mainstreaming smart meters, with around a quarter of the nation’s 13.1 million meters already smart and a recent regulation coming into effect stipulating that new or replacement meters must also be smart.
While smart meters and increased data and complexity provide a greater customer experience (CX) they also bring security dangers.
The combination of insecure Internet of Things (IoT) devices such as rooftop solar units and the growing complexity of a system of smart meters greatly increases the attack vectors available to cybercriminals.
Fernandez said the increasing complexity is also taking place in the vendor space as a growing number of startups emerge to tackle niche issues and specific pain points in the sector.
Meanwhile, customer expectations for personalised services has grown, leading to utilities providers seeking more data from their customers which in turn provides a more alluring target for hackers.
Urgent top down changes required
Phil Kernick, co-founder and CTO of CQR Consulting, said the matter is an extremely urgent one that will require a ‘top down’ approach in which regulators and company leaders address the growing problem.
A key issue is that traditionally the electricity sector is used to a much slower pace of technological advance than we are now accustomed to in the digital age. While you might have a new patch for your iPhone every three months or so, grid infrastructure is typically “set and forgotten” for a decade or more.
Kernick said the sector runs on 80s and 90s software and is being designed, operated and run by electrical engineers who have little or no understanding of IT or cybersecurity. And since utility companies – like any other – are profit driven, getting them to spend more on cybersecurity is challenging.
Potential dangers lurk
Kernick sees the major threat to Australia arising due to human error rather than a state-sponsored attack as was seen in the Ukraine in 2015, when Russian hackers shut down power to more than 200,000 customers.
Last year, Russian hackers repeated a similar feat, but this time focused their efforts on the US. During a briefing in July, Head of Homeland Security Jonathan Homer said Russian (hackers) targeted mostly the energy sector but also nuclear, aviation and critical manufacturing.
The Russians didn’t use some sophisticated or advanced method to get inside US utilities, instead relying on basic phishing attacks in which employees are tricked into entering passwords. Homer said the victims ranged from smaller companies with no major cybersecurity budget up to large corporations with more sophisticated protection. While the hackers chose not to shut down US power, there is evidence that they could have, but instead opted to perform reconnaissance.
Security company Zscaler’s Vice President Asia Pacific and Japan Scott Robertson said that utility companies do not have to triple their spending to improve their security.
“Tools already exist that allow preventative measures to be put in place quickly and effectively. It’s a matter of establishing where the threats exist and selecting the best tools for the job,” he said.
Fernandez said that Frost & Sullivan’s 2017 survey of the energy and utilities sector identified cybersecurity as the top challenge facing the sector and emphasised that failing to address the issue could have serious consequences for the nation.
Associate Professor at Monash University and Director Oceania Cyber Security Centre Carsten Rudolph said that identifying and establishing protective mechanisms to counter threats is where the focus should be, rather than only looking at high-profile cyberattacks.
As reported by ComputerWeekly, Monash and Indra are working on distributed security systems that use encryption as well as exploring how micro-grids can be developed and deployed.
Although Australia is presumably of much less interest to the Russians, all the round-table participants agreed that Australia’s utility sector must take action to mitigate against threats and ensure that vital infrastructure services are not disrupted.