Can cyber attacks affect electric systems?

Recent news has released information that could be considered as science fiction if only it was not published by very reliable sources. As examples, hacking actions have taken place during the last American election campaign and Wikileaks revealed the CIA’s technologies to spy the world environment and bypass encryption devices. Those examples underline, if need be, the the necessity to protect as much as possible what is essential to us, and in particular to ensure the proper functioning of the electric system…

As underlined by Guillaume Poupart, Director General of ANSSI (The National Cybersecurity Agency of France), “if propaganda must be distinguished from cyberattacks … one cannot rule out the hypothesis of people testing cyberattacks to prepare the conflicts of the future”. In this context, IFRI (French Institute for International Relations) conducted an enlightening study on Cyber Attacks Against Energy Systems.

An increasing number of attacks

Since 1982[[The first major cyberattack occurred in 1982 in Siberia and led to the explosion of a gas pipeline]], 19 major cyberattacks affected parts of the world energy system, with the most advanced striking specifically electricity systems, such as Stuxnet[[A variant of Stuxnet appeared in 2014 under the name of Energetic Bear and destabilized 250 energy companies from America and Europe by spreading from the infestation of 3 industrial monitoring sites.]] in 2010, which damaged an uranium enrichment plant and Black Ridge in 2015, which disconnected part of the Ukrainian grid and disrupted the functioning of the grid for several weeks thereafter.
In its study, IFRI interestingly points out that the last attack due to inner malware-loading dates back to 1992. Every attack since was based on virus or computer worms. Within 35 years, those actions aimed at various purposes: military or terrorist sabotage, espionage, black-mailing … The total amount of attacks on energetic systems increased by 380% from 2014 to 2015.

Are grids prime targets?

With the current state of technology, electricicity grids appear as a strategic infrastructure to be particularly protected. Monitoring and control systems, be they regional or national, can also be targeted. The American Department of Energy underlines in a recent report that “in the current environment, the U.S. grid faces imminent danger from cyberattacks”. Also concerned, Eurelectric just released the report “Enhancing Smart Grids Security in Europe”, which emphasises cybersecurity as now a major challenge in system operators’ business.
Damaging effects of major cyberattacks on electrical grids are actually well described in Marc Elsberg’s book “Black Out, Morgen ist zo spat” (2012).

Risks of attacks are regarded in the United States as so essential that protection strategy now falls under the responsibility of the US Secretary of Defense instead of the Secretary of Energy. A similar approach was taken in France wherethe information systems for critical national infrastructures (SIIV) of the grid are subject to the Military Planning Act (LPM). Those provisions demonstrate that cyberattacks falls under “war” regime rather than ordinary law.

In this context, the functioning of the energy industry, and especially the electric sector, significantly changes, notably in terms of both technological infrastructures and Business to Client relationships.

This change relies on the digitalization of all processes and on the treatment of ever-growing data flows, also called data management. The next step of this transition in the coming years is the connection to the communication networks of billions of devices, also called Internet of Thing (IoT)

If assessing the increasing level of risk – both in coverage and impact – related to those developments remains difficult, electric systems clearly face a period of high-alertness to preserve their resilience in the face of various malicious acts. In this regard, the effort shall be shared since it goes beyond the responsibility of companies in charge of the infrastructures: national and European public authorities must keep these developments under review to ensure that the regulatory, legislative and coercive framework is appropriate to fight relentlessly cyber criminality.