The fourth industrial revolution, also known as Industry 4.0, refers to the ongoing automation of traditional manufacturing and industrial practices, using modern smart technology that has the potential to analyse and diagnose issues without the need for human intervention. The interconnected nature of Industry 4.0-driven operations, along with the acceleration of digital transformation initiatives, has increased cyber security risks, and Utility spoke to Professor Ryan Ko, Chair and Director of Cyber Security at the University of Queensland, about how utilities can effectively prevent and mitigate cyber attacks.
According to Professor Ko, cyber attacks are increasing at a rate never experienced before and will continue to rise.
“For example, on a global scale, there is a new and unique malware created every half a second. On the other hand, most of the cyber response and threat intelligence mechanisms are manual based,” Professor Ko said.
“Evidently, the scale and volume of emerging new threats in comparison to the inadequate speed and effectiveness of responses means that the cyber criminals actually have an upper hand.”
Professor Ko explained that two types of malware are pertinent to utilities.
“The first type of malware would be ransomware, which results in infected computing systems getting ‘locked’ cryptographically, resulting in no user access to important systems and files until a ransom is paid to the criminals,” Professor Ko said.
“Today, ransomware infects computers mostly via two avenues: phishing emails or data breaches. While phishing-based ransomware is well-known to the public, the more recent and large-scale attacks on prominent critical infrastructure mostly stem from data breaches, where organisations’ logins and passwords were previously leaked online by hackers, and are reused by ransomware criminals in an attempt to gain access to key systems.
“This is why a regular change of passwords and the use of multi-factor authentication are encouraged.
“The second type is malware that targets Operational Technology (OT) equipment such as programmable logic controllers (PLC) or human-machine interfaces (HMI), or network (or internet) connections to this OT equipment.
“This type of malware aims to affect the integrity and availability of the data and signals. An example would be the Stuxnet malware discovered in 2010, which resulted in the Iranian nuclear enrichment control equipment being slowed down without getting detected – damaging the nuclear program of Iran.
“While not every system runs nuclear facilities, the types of control equipment affected are also the same types which control other critical infrastructure such as utilities.
“In the past two decades, we have seen an increase in remote management of control systems located across multiple plants or sites, and with that convenience comes the ability for hackers to access these systems via the internet.
“Since most OT configurations and on-site setups are performed by integrators, contractors or automation or control engineers who are not trained in cyber security awareness or expertise, utilities can be configured for remote site management with little consideration for cyber security threats (e.g. no password protection or plaintext data sent between systems).”
Utilities are prime targets for attacks as they are vital for essential services and are highly sensitive to business continuity risks. Professor Ko commented that for every cyber threat, it is important to consider the actor, motivation and vulnerabilities of the system.
“For example, OT malware is usually launched by opportunistic cyber criminals targeting large organisations one at a time, or worse, nation states which aim to control other nations’ critical infrastructure. In 2015, cyber attacks caused power cuts to parts of the Ukrainian capital Kiev, and in 2016, similar attacks were repeated.”
Robust cyber security became more important than ever during the COVID-19 pandemic, with the need for physical distancing accelerating utility digital transformation strategies and priorities, as well as amplifying the risk and security threats related to remote working.
With levels of remote working likely to remain higher than they were pre-COVID, utilities may need to ‘reset’ some of their cyber security protocols and policies.
“With the increase in work-from-home arrangements, the attack surfaces criminals can get access to have massively expanded. Most employees do not really focus on, or are unaware of, how to achieve enterprise-level security at their homes,” Professor Ko said.
“At the same time, employers have no rights to access or ensure that the employees’ home broadband networks are secure to the level of the organisations’ baselines or policies. This introduces a grey area of cyber security responsibilities – which cyber criminals would thrive on.
“As such, companies need to ensure that the staff remotely managing sites or critical information have the appropriate technical support and advice about protecting all aspects of their work-from-home environment.
“Utilities should also consider conducting a thorough security and risk assessment of their current IT and OT environments, and how these environments are remotely managed. The exercise will reveal potential areas of vulnerabilities, and utilities can then address the vulnerabilities directly.
“If required, utilities could offer to help to secure the home networks of the key roles/employees managing assets remotely, or set strict policies and restrictions around access. There should also be cyber awareness campaigns targeted at all utility staff about the dangers of phishing, account compromise and many other threats – with an aim of improving their ‘cyber hygiene’.”
Developing new techniques for detecting vulnerabilities
Professor Ko is leading the research on cyber resilient energy systems as part of a new Industry 4.0 Energy TestLab facility at the University of Queensland (UQ).
Launched in November 2020, the UQ Industry 4.0 Energy TestLab – established in partnership with Siemens and with funding support from the Australian Government – will enhance global knowledge on electricity networks by focusing on power and energy system analytics, microgrid control, energy management and cyber-physical systems security.
“The Industry 4.0 UQ Energy TestLab provides a ‘digital twin’ for researchers, the industry and the government to research cyber and energy resilience challenges, and develop training material for collaborating partners,” Professor Ko said.
“This is made possible as UQ, with its energy neutrality goals, is one of the few universities in the world which has a full range of renewable energy generation (e.g. solar farms at Warwick and Gatton), digitised building management systems, a large array of Tesla batteries and the range of energy equipment at the TestLab.
“The combination of the energy supply and consumption scenarios across UQ’s campuses (e.g. lecture theatres, offices, student accommodation) offers a simulation of smart cities.
“As a digital twin, the UQ Energy TestLab provides Australian researchers with a platform to conduct experiments and invent new cyber security techniques without needing to affect any actual operating utilities or plants.
“This TestLab also trains a new generation of cyber experts who have the abilities and knowledge to protect critical infrastructure, and empowers evidence-based policy making in the energy space.
“In the first few months since the TestLab’s establishment, our researchers have already discovered and reported critical infrastructure vulnerabilities to vendors and integrators, and developed novel techniques for automated vulnerability detection.”
The UQ facility is part of a national network of Industry 4.0 TestLabs, which came about through the strategy and work of the Industry 4.0 Task Force. The six Australian universities aim to provide industries and businesses the support needed to transition and benefit from opportunities presented by the fourth industrial revolution.
Each university Industry 4.0 TestLab has a different focus area to help build complementary capability for Australia.
Professor Ko said that critical infrastructure cyber autonomy and automation – which involves teaching computers how to discover their own vulnerabilities and automatically patch or heal themselves – is the main research priority at the UQ Energy TestLab.
“This is logical since most cyber attacks are automated by criminals or state actors,” Professor Ko said.
“Since 2017, many security vendors have been introducing network automation programs with existing security information and event management (SIEM) tools as cyber autonomy. Others would label security ‘playbooks’ – hardcoded heuristics which script responses according to triggers or a combination of triggers – as automation.
“An example of a ‘playbook’ would be a pre-programmed workflow of actions responding to a variety of cyber attacks (e.g. a response to a denial of service attack or a network port scan by an unknown source). However, these examples are still a distance from the true potential and vision for cyber autonomy.
“The ‘holy grail’ for cyber autonomy is that we can deter attacks and patch vulnerable computing systems in real time, at scale and without disruption to normal operation.
“The crux of this is the assumption that a computing system handles abstract and virtual executions, and hence has fewer physical limitations and boundaries for dynamic remediation.
“However, from a practical implementation viewpoint, this assumption does not hold strong ground. Software systems, particularly those running critical infrastructure, emergency services and 24/7 manufacturing, have very complex dependencies, and do not have the luxury to be turned off and patched during downtime due to their operational demands. For example, the software running a nuclear power plant should not be shut down abruptly.
“The dilemma between the need to patch system vulnerabilities and the need to maintain business or operational continuity also places pressure on software migration processes.
“Software migration (or modernisation) is the current practice of modernising software to a newer version. The interdependency of processes and software makes this a challenging change management process.
“Proponents of cyber autonomy would argue that with cyber autonomy, the need for systems (in particular, critical infrastructure systems) to be modernised would be reduced since the self-healing aspects of cyber autonomy will address vulnerabilities without disrupting business-as-usual.
“Clearly, there are still a lot of research challenges which need to be addressed before we achieve the true vision of cyber autonomy.”
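To make the ‘playbook’ idea above concrete, here is an added example (not code from Professor Ko, UQ or any vendor) of a minimal SIEM-style playbook engine: a hardcoded trigger (an unknown source touching many distinct ports, i.e. a port scan) mapped to a fixed list of scripted responses, run over a constructed firewall log. The source addresses, log format, threshold and action names are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str       # source address
    dport: int     # destination port
    verdict: str   # firewall verdict (allow/deny)


# Constructed sample data (assumed names, not real logs): one known
# management host and one unknown source probing a spread of ports,
# including OT ports such as 502 (Modbus) and 1911 (Niagara Fox).
KNOWN_SOURCES = {"10.0.0.5"}
SAMPLE_LOG = [
    "src=10.0.0.5 dport=502 verdict=allow",
    "src=10.0.0.5 dport=502 verdict=allow",
    "src=203.0.113.9 dport=21 verdict=deny",
    "src=203.0.113.9 dport=22 verdict=deny",
    "src=203.0.113.9 dport=23 verdict=deny",
    "src=203.0.113.9 dport=80 verdict=deny",
    "src=203.0.113.9 dport=502 verdict=deny",
    "src=203.0.113.9 dport=1911 verdict=deny",
]

# The playbook proper: each trigger maps to a pre-programmed response sequence.
PLAYBOOK = {
    "port_scan_unknown_source": ["raise_alert", "block_source", "notify_soc"],
}


def parse_line(line):
    """Parse one 'key=value' firewall log line into an Event."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(fields["src"], int(fields["dport"]), fields["verdict"])


def port_scan_trigger(events, threshold=5):
    """Fire for sources outside KNOWN_SOURCES that touched >= threshold distinct ports."""
    ports = defaultdict(set)
    for ev in events:
        if ev.src not in KNOWN_SOURCES:
            ports[ev.src].add(ev.dport)
    return sorted(src for src, p in ports.items() if len(p) >= threshold)


def run_playbook(lines):
    """Return the (action, source) pairs the playbook would execute, in order."""
    events = [parse_line(line) for line in lines]
    actions = []
    for src in port_scan_trigger(events):
        actions.extend((step, src) for step in PLAYBOOK["port_scan_unknown_source"])
    return actions


if __name__ == "__main__":
    for step, src in run_playbook(SAMPLE_LOG):
        print(step, src)
```

The known management host is never acted on even though it repeatedly hits port 502, which illustrates why such heuristics are only as good as their hardcoded allowlists and thresholds.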
An evolving threat landscape
To improve their cyber security capabilities and better withstand attacks, utilities need to prioritise security as a top business continuity risk, and ensure buy-in at the board and senior executive level.
Professor Ko explained that board members and senior executives need to understand that cyber threats are not just a concern for the technical colleagues in their organisations, but are the responsibility of all utility employees.
“A top-level focus will allow the utilities to implement thorough security protections, policies and increase investment into appropriate tools such as multi-factor authentication.
“Utilities should also consider the potential threat landscape in the next three to five years by actively engaging with cyber security computer scientists to understand emerging threats. They should work together on research that generates innovations which discover both known and unknown threats, before engaging vendors.
“There are several Commonwealth and state government grants to seed such research. From time to time, they should also perform ‘red-teaming’ on their organisations, where a number of their employees attempt to identify policy, process and technology loopholes in their organisations.”
Cyber security is constantly evolving as new threats emerge. To better monitor and adapt to short- and long-term security trends, Professor Ko said that utilities must work with government agencies, such as the Australian Cyber Security Centre, and trusted vendors to develop a threat intelligence and information sharing program.
“They can also join incident response not-for-profit organisations such as AusCERT (Australian Cyber Emergency Response Team) as a member, and obtain threat intelligence and technical assistance,” Professor Ko said.
“It is also important that utilities monitor the statistics of top threats detected, and attempt to mitigate these threats using the Pareto principle. All stakeholders within the utility sector should also be holding sector-wide tabletop and simulation exercises to raise awareness and build information exchange opportunities.”