The economic value represented by the energy industry makes utilities an attractive target for cybercriminals. An expansive attack surface, coupled with strong interdependencies between physical and digital infrastructure, makes utilities an interesting case study for cybersecurity implementation.
Jerry Onesti and Jochen Toesmann from EON highlight the impact of cyberthreats across the value chain of utilities and share their insights on how to protect assets associated with cyber-sophisticated industries such as energy.
Yeah. Hi, I'm Johan. I'm also working at Eon. I'm at Eon Cyber Resilience and Cyber Range. So I've been working with Eon for about four years now. And yeah, previously I worked at TUR as a security auditor and security consultant. Today we will talk about securing the energy sector.
So what's our agenda? Yeah, we will talk about the challenges for the energy sector. Basically we will tell you what a DSO is, for those who don't know yet. We will talk about a generic SCADA architecture, so basically the system that we use to control our grid, and we will take a closer look at OT attack vectors and how to mitigate those attack vectors. So, just to give you a brief overview, who is Eon? Well, we have 51 million customers all over Europe. We have 72,000 colleagues, and we are spread all over Europe, so you can see that on the map on the right-hand side. And yeah, our Internet of Energy transition has about half a million assets, so quite a lot of stuff to take care of. And yeah, the energy network has almost 1.6 million kilometers of length. Just to give you an impression, it's twice the distance to the moon and back. So some grid to take care of. Yeah, and our business basically is fast growing, as energy solutions and e-mobility is, yeah, a changing business and very important currently.
So what are the cybersecurity challenges? Previously we wanted to produce energy as cheaply as possible, and now we want to do the same thing, but it should be with renewable and sustainable energy. We had production in central places like nuclear and coal plants. Now it's very distributed, with both wind and solar power plants. The SCADA systems used to be offline and completely isolated, but now they are interconnected with the renewable energy sources and are controlled remotely. As renewable energy production is quite unpredictable, we need reliable and precise weather data. And the smart meters are installed so we have the possibility to have several readings per day or even live readings. And the focus used to be on operational security, and many assets and protocols used don't have any cybersecurity by design.
So now we will take a closer look. What is the DSO? Well, basically DSO stands for distribution system operator, and those are the guys who basically run our energy grid, our network. And the tasks and duties are to run our distribution grid in a reliable, so safe and secure, way, to deliver energy to our households basically. Therefore we have to monitor the grid status, so if the voltage is going down, or the frequency, if something has to be changed. We have to do maintenance and repair of equipment in our systems, and we have to activate and control grid reserves basically. So with regard to renewable energy, this has to be done more often than it used to be 10 years back, for example. We have to be compliant with the requirements of our TSOs. TSOs are the guys who are running the very high voltage network. And yeah, if you're located in Germany for example, you are obligated by law to implement and to run a certified ISMS based on ISO 27001. So how does a SCADA architecture look, and what components do you usually see in a SCADA architecture? For those who don't see OT components every day, we have just a generic SCADA architecture overview for you.
Yes. So as Johan mentioned, this is a very generic SCADA architecture. At the very bottom are the production and control processes, and that is where the PLCs and RTUs are located, and those are like the connection to the physical world. And above that is the supervision and monitoring, and this is where the operators work. And we have the operational management, and we have some supporting systems, such as power outage notifications that can be published on the website. So the PLC here on the left, it's an interface to the physical world, and it gets inputs from sensors et cetera, and based on the programming it will do defined tasks. A great example where we can see a PLC is the dishwasher we have at home: it makes sure the door is closed, the water fills to the right level, et cetera. And there are also safety features built in, such as if you open the door it turns off. And on the right we have an RTU here; it monitors digital and analog parameters as well, and it's an extension to the SCADA server, and the SCADA server can send control commands back to it, for example to change the state of a protection relay.
And the SCADA server, it is the brain, and it's where all the inputs from the various PLCs and RTUs are collected. And it can be located in a substation or in a centralized control center. And the HMI, it's the graphical interface, and it's where the operator works and oversees the process and can see the data in a visualized form. Alarms are also presented there, and they can also issue control commands from there to change the state of a relay. And in the bottom right is an example of how it can look.
Yeah, so back to the generic architecture. There are different other components, like you see supporting applications right over here, like a ticketing system, a billing system, or, as already mentioned, an information system about power outages, for example. We also have the engineering station, which is the workplace from where the PLCs and the RTUs are usually programmed. And we have some sort of archive which is called the Historian, which logs all values from the SCADA server, well, in a time series database. So what else do we see? Yeah, we have the enterprise LAN and the internet DMZ. So in the enterprise LAN you find everything you know from your usual IT infrastructure; it's just the office IT basically. And you have, of course, an internet DMZ which contains a web server and a mail server, so you have systems that face the internet. And yeah, the other thing is we have remote access.
So usually you have remote access, like you're working from home and you have access to your enterprise LAN. But in this case it's also possible that, for example, external suppliers or internal suppliers might have access to assets that are located in your substation, like an RTU, as already mentioned before. So in this case, he has to travel through the enterprise LAN, and he goes through the operational DMZ, and usually there's some sort of jump server, for example, so you can connect to the RTU. And this is located in a substation, and we have thousands of substations in Germany.
Consequences of malware designed for SCADA systems: loss of control... wait, sorry. Malware designed for SCADA systems is not as common as other malware is, and your average attacker cannot do this with ease, as you need a lot of resources and access to equipment that you can't buy off the shelf when you develop the malware. And so these attacks are often associated with a nation state, and they have a budget and resources others don't, and sometimes the protectors work closely with them. So loss of control is a denial of service where packets are flooded and you cannot control or monitor your processes, or the loss of data integrity, where you can manipulate the devices by spoofing data. You can send fake data that everything is normal to the SCADA server; at the same time you send data to the PLC, which might stop working. And loss of data availability, for example ransomware is deployed and everything goes down, or faulty configurations are sent to the PLCs or RTUs.
Yeah, so now we'll take a closer look at possible OT attack vectors. Well, there are five different kinds. So maybe you'd like
to start. So, the IT connection: in the case of the Colonial Pipeline incident in May of last year, their IT network was a victim of ransomware, and as a precaution they turned off the whole pipeline, their OT network, and disconnected it. And during their recovery, which lasted for about six days, the availability of gas was limited, with about 12,000 gas stations affected and a lot of public panic.
Yeah, so regarding the supply chain, there was for example an attack on the KA-SAT network. So in February 2022 an attacker activated a faulty update, and yeah, resulting in a loss of network connectivity. So all systems were disconnected, and this also affected roughly 5,000 wind turbines, and he made it by exploiting a misconfiguration in a VPN device. So basically, yeah, that's just a supply chain attack which affected a lot of wind turbines in Germany and all over Europe.
And there is one case in Florida where a water treatment plant had installed TeamViewer on one of their operators' computers, and someone got access to those credentials and changed the value of, I cannot really see my notes, but it used to be a hundred parts per million and they changed it to like 11,000 parts per million of this chemical. But luckily the operator saw that it changed and reverted it; otherwise about 15,000 households would have lost their source of clean water.
Yeah, our service staff or service technicians, well, they do usually have access to our substations, and so they connect their devices, and you already saw it in the slide a few slides before. So they can do it by remote access or they can do it directly, and to get access to the systems they can use centralized management systems, for example, for remote access. And yeah, it would also be possible that you don't only affect one system or one substation, because of lacking network segmentation, for example; you might be able to attack more than one substation, so basically sometimes even all.
And then there are the legacy systems. When installing equipment, it is often used for a much longer time than the operating system, maybe up to 20 years. And after those years it might not be possible to change it, because availability is the most important thing.
So now, how do you mitigate those attack vectors? What might be the mitigation measures? Well, we centralized on three different topics basically. One would be the communication risks, so the usage of encrypted communication. So you could use certificates, for example, to verify the integrity of the data, as already mentioned, very crucial information which is transferred from machine to machine. And you should also protect your connections between substations and your centralized systems via VPNs, for example. A secure data exchange platform should be implemented, so you can transfer weather data, as already mentioned, or updates between the IT and the OT network and vice versa. You should review your existing relationships, as business partners might change on a regular basis. So, regarding accounts, basically you should verify your contacts, so who's in charge at your suppliers in case of an incident, and you should regularly audit your suppliers. So you should check if they're compliant with your contractual agreements in regards to cybersecurity, for example.
Mitigating access risks. Yeah, you should use jump servers, so you don't have to expose your systems directly to the internet. You could use geofencing. Well, there are a lot of different things on the slide we have seen today and the day before, like zero trust. So basically it's, yeah, very common, and this also has impact on the OT. So, like multi-factor authentication, for example, that should be in place, least privilege principle of course, and time-based log-in. So you should know when your supplier, for example, logs in, and you should be the one who's in charge of activating connections. You could use session recording, for instance, so if something happens and you want to investigate an incident, it will be way easier to do so. And networks, of course, should be segregated, so you don't have access to all systems, only to the systems you are allowed to. Yeah. And another thing, the usage of authorized hardware is also an option. So it's company provided, so you're in charge of hardening measures and basically the security measures that apply to the systems connected to your network.
Thank you. So we have all the legacy systems, and when possible we should try to find a replacement. But sometimes systems in OT are very long lived, and as mentioned before, a lifetime of 20 years is not uncommon. So then other measures need to be taken, such as segregation, strict firewall rules and monitoring it with an IDS. And we should not only do penetration tests on our own equipment and software, we should also do it on our suppliers' equipment that we are dependent on, and we should...
Verify, thank you. Verify firmware integrity before installing, as it can be quite challenging to revert or discover any...
Some devices don't even have the option to go back to the old firmware, for example. So it's just broken if you don't use the correct firmware.
Thank you. And redundancy, so if there is a connection problem, we don't lose access to our supporting systems. And awareness training and phishing simulation: it is not too uncommon that a user might get their credentials stolen or accidentally open that malicious document or such, and that will give the attacker a foothold to recon and plan their next step in their attack. And we should monitor all the logs for suspicious activity, which sounds very easy to do, which it is not, but luckily in the OT environment things are quite static, so it's a lot easier than in an IT environment to discover when something is not as it should be.
So we have talked about many different mitigations, and to get a broader view of what is happening in the network, the use of an IDS that is capable of understanding the OT-specific protocols and can build a baseline of what the expected values are on each. And if those values suddenly change to extremely high or low, and something never seen before, it can generate an alert. And with that, we have the ability to collect logs from all the devices. As I mentioned, OT environments are very static, and it's quite a bit easier to build a baseline of what normal is, and the configuration to maintain your CMDB, so you know what firmware, software and dependencies you have installed on what systems. So when there is a patch, for example the critical vulnerability in Log4j last year, it'll make it a lot easier to find all the affected assets instead of, maybe we still did chase after the unknown systems, but that's quite good. And a vulnerability and inventory scanner, so we can keep track of what's in the network. Is there something forgotten, or did someone add something, the shadow IT or such. And thank you. That's it.
Okay. So thank you very much, and I have to praise you for giving me the best structured OT presentation I've ever seen. Oh. It really made it understandable for the non-OT person, or not-so-much-OT person. That was super helpful, I believe. I have a couple of questions; I just wanna pick one of these in the interest of time, which is: you talk about auditing suppliers, so how do you audit your suppliers? Do you do that on paper, or by trusting in external audits, or do you do your own audits going to the suppliers, or is this a mix of that?
Well, it's kind of a mix of that. We do this on our own; it's even in our department. So we conducted audits at different OT suppliers, like PSI and all those, yeah, manufacturers for example. And they get a questionnaire first, and they have to, yeah, give us information about their security status, and yeah, we will check it, and basically we go there on-site. Okay. We do an audit on-site for, yeah, usually two days for example. Okay. Yeah. Thank you.
Okay. No, super. That's a good answer and I like that. Thank you very much again; as I've said, very insightful, very helpful. With that, I think we are directly shifting to the next, yeah, presentation.
Thank you. Thank you.