Cybersecurity in the Energy Sector

Introduction

The rapid digitalization of the global community has introduced significant benefits and serious risks. According to Jarmakiewicz et al. (2017), the emerging security challenges are conditioned by the continuous integration of vital power resources into the global telecom network. Specifically, this tendency has added an intangible dimension to the security of the energy sector. In addition to the physical functioning of a nation’s power grid, the Information Technology (IT) aspect must equally be considered. The benefits of digitalization are expected to make energy more efficient, accessible, controlled, and affordable. However, large-scale cyberattacks have often paralyzed the functioning of digital-dependent power grids, nearly outweighing the advantages of the IT-based approach. For example, in December of 2015, the capital of Ukraine saw a major six-hour blackout that disrupted life in the city. Sullivan and Kamensky (2017) refer to this case as an ultimate lesson showing the vulnerability of the world’s energy sectors. Indeed, a stable energy supply is the foundation for the normal functioning of American society. The essential nature of the U.S. energy sector makes it a target for international cyberattacks, and new, improved cybersecurity infrastructure needs to be developed urgently.

The Issue of Cyberattacks on the Energy Sector

Cybersecurity is a critical topic in the global energy supply network because cyberattacks can cause significant damage to various domains of modern life. Cybersecurity can be defined as protecting cyberspace, the infrastructure that stores and transfers information, from malicious cyberattacks (Leszczyna, 2019). Methods of cyberattacks include phishing, attacking exposed servers, social engineering, piggybacking the virtual private network, overcoming firewalls, and compromising domain controllers (Ani et al., 2017). Malicious attacks on this sector can be active, aimed at disrupting or changing smart grid resources, or passive, non-specific attacks that extract data without altering it (Massel & Gaskova, 2018; Mengidis et al., 2019). Moreover, the complexity and interconnectedness of the current infrastructure in the U.S. make it vulnerable even to minor attacks because the disruption of one element can lead to the disturbance of the entire system (United States Government Accountability Office, 2021). For example, an accidental power disruption at a chemical plant in Plaquemine, LA, in 2016 caused chlorine release into the environment (McGreight, 2018). Blackouts intentionally caused at such plants by cyberattacks can lead to catastrophic outcomes for citizens, putting the normal functioning of American society at risk.

Power interruption can threaten the national security of the country, communications, transportation, and healthcare. Indeed, the energy sector is at greater risk of active attacks, including hybrid attacks, coordinated attacks, and Advanced Persistent Threats (Leszczyna, 2019). Examples of potential cyber threats for power grids are unauthorized access to electricity consumption measurements, altering the schedule of the power-generating unit, and electricity market attacks (Dagoumas, 2019). However, the most significant danger is posed to Industrial Automation and Control Systems (IACS), the core element of the smart grid that controls operations between a center and a distant site (Leszczyna, 2019). The weaknesses of IACS include the use of hardcoded passwords, ladder logic, and the absence of authentication, which make the smart grid components vulnerable to cyber-invasion (Leszczyna, 2019). The dimensions of the U.S. energy sector are vast, consisting of 7,000 power plants and millions of small electricity distribution lines, making it a potential target for future attacks (Smith, 2021). Therefore, examples from other countries should be analyzed to develop a coordinated response and prevent similar situations in the American energy sector.

Examples of Cyberattacks in the U.S. and Globally

Organizations and governments worldwide are concerned with the cybersecurity issue in the energy sector. Although mass casualty incidents such as shootings and explosions are threatening and can cause thousands of lives to be lost, cyberattacks are equally damaging for people (Hodgson, 2021). For example, according to the Center for Strategic and International Studies (CSIS) (n.d.), North Korean malware was detected in Indian power plants in October 2019. Another example is the espionage campaign against Vietnamese energy and defense sectors reported by researchers in September 2019 (CSIS, n.d.). Eastern European hackers were found to have breached the security of energy sectors in several developed countries in July 2014 (CSIS, n.d.). Moreover, more than 200,000 Ukrainians were left without electricity because of the 2015 cyberattack on three power grids (De Peralta et al., 2020). In addition, a technical alert was released by the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) in March 2018 about Russian cyberattacks against American energy, aviation, water, manufacturing, and nuclear sectors (CSIS, n.d.). The FBI released a similar warning one year prior, demonstrating that various American industries are at high risk of external attacks in cyberspace.

One of the cyberattacks violated the integrity and confidentiality of several Norwegian companies. Specifically, Norway announced that ten of its energy corporations were subjected to hacker attacks in 2011, resulting in the leak of confidential information (CSIS, n.d.). According to CSIS (n.d.), the cyberattacks employed an email phishing scheme to gain access to internal usernames and passwords, industrial data, and private documents. Although the exact motivation and responsible parties for these incidents were not identified, this event showed the unpreparedness of the Norwegian defense system for cyberattacks. The incidence of these attacks will likely increase because the advancement of technologies has resulted in the rapid development of cyberthreats, expanding the possibilities for hackers to retrieve confidential information for malicious purposes.

Importance of Cybersecurity in the Energy Sector

The energy sector’s vulnerability to cyberattacks poses a tremendous risk to the country’s economy and people’s lives. Indeed, the concern about this issue started to rise in the U.S. earlier this year because a cyberattack blocked gasoline and jet fuel pipelines on the East Coast (Smith, 2021). Furthermore, it cost the company more than $4 million to restore the system (Smith, 2021). Although this incident was not the first cyberattack on the energy sector in the U.S., it was the most scandalous. Indeed, the digitalization of industry made control and management more convenient but vulnerable to cyber threats. Since energy demands are growing, it is essential to develop appropriate protection against these cyberattacks that can cause blackouts in small regions and entire states. For example, a blackout in Ukraine in December 2015 was caused by infection of energy systems with a Russian malware program, resulting in a six-hour disruption in power supply to thousands of citizens (Cassotta & Sidortsov, 2019; Jarmakiewicz et al., 2017). Similar attacks on the United States can jeopardize its security; therefore, energy corporations should collaborate with DHS and the FBI to prevent cyberattacks.

Public-Private Partnerships

The concept of public-private partnership or P3 plays an essential role in infrastructure protection. Specifically, it is crucial in critical infrastructure assurance (CIA) and critical infrastructure protection (CIP) (Radvanovsky & McDougall, 2018). The P3 concept is complex because it also involves financial relationships, maintenance, and delivery of various services and operations (Radvanovsky & McDougall, 2018). Furthermore, the public and private sectors are known to have different philosophies and goals, further twisting this term (Radvanovsky & McDougall, 2018). Still, this collaboration enables proper protection from data leaks and strengthens the cybersecurity of critical infrastructure systems (Venkatachary et al., 2020). Moreover, the cooperation of private entities and federal agencies can “increase the effectiveness of cyberspace” (Venkatachary et al., 2020, p. 273). Indeed, knowledge sharing is probably a more critical aspect of P3 than technical and monetary relationships.

Vulnerability Assessment

The surveillance of various sectors for potential security problems in their systems helps prevent serious cyberattacks. For example, the National Infrastructure Protection Plan was developed to assess threats in cyberspace and provide assistance in recovery after malware attacks (Cybersecurity & Infrastructure Security Agency [CISA], n.d.a). The agency developed this voluntary monitoring to help public and private organizations detect a breach in their cybersecurity (CISA, n.d.a). Furthermore, four primary services are provided by the Protection Plan: security assessment, infrastructure survey tool (IST), infrastructure visualization platform (IVP), and regional resiliency assessment program (RRAP) (CISA, n.d.a). For example, IST is a web-based survey for identifying security gaps, IVP collects visual information, and RRAP assesses infrastructure to provide better P3 options (CISA, n.d.a). Indeed, the agency’s activity is critical for protecting the integrity of the U.S. infrastructure. Still, to reduce future risks, more effort is required at the federal level. Specifically, Rosson et al. (2019) suggest that the situation requires a strong and coordinated response through data sharing and cybersecurity infrastructure rebuilding. Therefore, the latest anti-hacking instruments need to be applied to protect the energy sector, including firewalls and other detecting systems.

Cybersecurity Standards

Guidelines for standard security requirements of smart grids and their components have been developed. Indeed, the main objectives of cybersecurity are providing assets, integrity, and confidentiality (Leszczyna, 2019). The security system requirements can be divided into three broad categories: primary or functional, secondary or supportive, and assurance (Leszczyna, 2018). The primary category is privacy, integrity, and authentication, while secondary security services are needed for cryptography and anomaly detection (Leszczyna, 2018). As the name suggests, assurance is focused on training personnel, monitoring, and strategic planning (Leszczyna, 2018). Cybersecurity specifications for the smart grid include removing dispensable software, firewalls, account management, secure coding practices, reporting and correcting flaws, protection from malware, end devices, remote access, and network segregation (Leszczyna, 2018). Documents with recommended smart grid parameters were published to ensure universal access to information about security standards.

The U.S. Approach to the Problem

The United States is strengthening the cybersecurity field; thus, it may be protected in the future due to greater attention to this issue today. According to Kline (2021), the U.S. has the largest interconnected grid in the world. Such dimensions pose severe threats for the country’s national security, as any disruptions of the energy framework compromise the safety of its residents. Furthermore, it makes the production and supply sector of the United States subject to high risks of foreign cyberattacks. Therefore, investing resources into this field is crucial because cyberattacks on power grids can disrupt the normal functioning of critical infrastructure for hours to weeks (Carter & Sofio, 2017). Indeed, the 2002 Homeland Security Act gave DHS the mandate to control American cybersecurity (Carter & Sofio, 2017). The U.S. approach to managing these issues implies adhering to the innovation strategy, which distinguishes the country from other states promoting obsolete protection principles. Moreover, approximately $100 million was provided to the Office of Cybersecurity after the 2017 massive hacking of electricity corporations (McGreight, 2018). Overall, changing focus from other countries and emphasizing domestic issues can improve resilience to such threats.

Possible Solutions to the Problem

The rapid advancement of technologies has increased the possibilities for manufacturing management. Still, it has also raised the risk of cyber threats, which develop at the same pace, complicating prediction models for new attacks. According to Dagoumas (2019), the cybersecurity aspect of the power system should exceed the hacking tools’ development pace and should not be compromised in favor of operational cost-efficiency. Therefore, the first logical step towards improving cyber-protection is making more extensive investments in this field (McGreight, 2018). The next solution that can prevent blackouts in large areas caused by cyberattacks on power grids is the distribution of energy resource generation by photovoltaics, natural gas turbines, and diesel generators (McGreight, 2018). Moreover, cyberattacks can be prevented by constant high-risk and detailed assessments to identify general and specific threats (Leszczyna, 2019). One of the most practical approaches for electricity companies to mitigate risks in cyberspace is collaboration with Computer Emergency Response Teams and cybersecurity platforms (Leszczyna, 2019). Indeed, these organizations can provide thorough cybersecurity monitoring and protection.

Information Sharing and Analysis Centers

International cyberspace cooperation resulted in creating specialized cybersecurity data sharing platforms for the public and private sectors. Specifically, these platforms are called Information Sharing and Analysis Centers (ISACs), developed worldwide as non-profit organizations (Leszczyna, 2019). The primary purpose of ISACs is to gather, evaluate, and share data about cyberthreats in real-time (CISA, n.d.b). Moreover, the federal government passed the law on cybersecurity information sharing in 2015 that ensures legal protection of institutions participating in cybersecurity information exchange (CISA, n.d.b). The two most known platforms in the energy sector are European Energy (EE-ISAC) and the U.S. Electricity (E-ISAC), which aim to improve the cyber-protection of power grids in Europe and North America, respectively (Leszczyna, 2019). Similar organizations exist in other fields, including aviation, financial services (FS-ISAC), and healthcare (CISA, n.d.b). FS-ISAC focuses on collecting data on cyber threats in the financial sector worldwide (CISA, n.d.b). Although EE-ISAC and E-ISAC are dedicated to information sharing, their contribution to knowledge exchange in energy field cybersecurity is limited because of the confidential nature of some data. Conversely, FS-ISAC plays a significant role in global cybersecurity in the area of finances.

Future Perspectives

Despite the collective effort to prevent cyberattacks in the energy sector, many corporations, and the normal functioning of a society that is tightly dependent on electricity, remain at risk of disruption. The recent blackouts and disruptions caused by infection of smart grids with malware programs in Ukraine and many other countries demonstrated the extent of cybersecurity issues in this field (Sullivan & Kamensky, 2017). Furthermore, these incidents cost millions of dollars for electricity companies to restore energy supplies and monitor future attacks (Leszczyna, 2019). Governments, for-profit, and non-profit organizations strive to combine their efforts in protecting power grids from malicious attacks in cyberspace through information-sharing platforms, like ISACs, vulnerability assessment, and continuous update of information security systems. Various standards were developed to improve the cybersecurity of the energy sector. Specifically, such cybersecurity measures as firewalls, cryptographic mechanisms, identification and authentication, anonymization mechanisms, and authorized access control are used to reduce cyberattacks (Leszczyna, 2019). It is challenging to predict whether software and hardware quality will attain the point of absolute immunity to cyberattacks, but timely detection of threats can quickly mitigate the adverse consequences of these disruptions.

Conclusion

To summarize, cybersecurity in the energy sector is a critical topic that requires continuous improvement because of the constant update and advancement of cyber threats. Computers can perform complex calculations in a matter of seconds, alleviating the pressure on human operators. However, cyberattacks on the energy infrastructure can cause major blackouts and power interruption, making them a threat of a colossal magnitude to the economy, defense, and healthcare. For example, power disruption in Ukraine caused by malware programs left thousands of citizens without electricity for hours. A cyberattack on the U.S. East Coast gasoline pipeline led to blockage of fuel delivery in this region and required substantial financial expenditures to restore the system. Therefore, constant modification of firewalls is essential for preventing significant cyberattacks. Furthermore, collaboration and information exchange between public and private sectors on cyberattacks and system vulnerabilities can significantly improve cybersecurity in the infrastructure. Overall, cybersecurity of the energy sector is a dynamic field in which threats and protection develop at an accelerated pace. Thus, it is hard to foresee if smart grids will be modified to the point of complete resilience to cyberattacks.

References

Ani, U. P. D., He, H. M., & Tiwari, A. (2017). Review of cybersecurity issues in industrial critical infrastructure: Manufacturing in perspective. Journal of Cyber Security Technology, 1(1), 32-74.

Carter, W. A., & Sofio, D. G. (2017). Cybersecurity legislation and critical infrastructure vulnerabilities. In M. J. Alperen (Ed.), Foundations of homeland security: Law and policy (2nd ed., pp. 233-250). John Wiley & Sons.

Cassotta, S., & Sidortsov, R. (2019). Cybersecurity in the energy sector: Are we really prepared? Journal of Energy & Natural Resources Law, 39(3), 265-270.

Center for Strategic and International Studies. (n.d.). Significant Cyber Incidents Since 2006.

Cybersecurity & Infrastructure Security Agency. (n.d.a). Critical infrastructure vulnerability assessments.

Cybersecurity & Infrastructure Security Agency. (n.d.b). Information sharing and awareness.

Dagoumas, A. (2019). Assessing the impact of cybersecurity attacks on power systems. Energies, 12(4), 1-23.

De Peralta, F. A., Gorton, A. M., Watson, M., Bays, R. M., Castleberry, J. E., Boles, J. E., Gorton, B. T., & Powers, F. E. (2020). Framework for identifying cybersecurity vulnerability and determining risk for marine renewable energy systems. Pacific Northwest National Laboratory.

Hodgson, L. (2021). How violent attacks are changing the demands of mass casualty incidents: A review of the challenges associated with intentional mass casualty incidents. Homeland Security Affairs, 17(1), 1-45.

Jarmakiewicz, J., Parobczak, K., & Maślanka, K. (2017). Cybersecurity protection for power grid control infrastructures. International Journal of Critical Infrastructure Protection, 18, 20-33.

Kline, C. (2021). COVID-19 Highlights Best Emergency Preparedness Approach: Lead by Example. Journal of Homeland Security and Emergency Management, 18(2), 215-218.

Leszczyna, R. (2018). A review of standards with cybersecurity requirements for smart grid. Computers & Security, 77, 262-276.

Leszczyna, R. (2019). Cybersecurity in the electricity sector: Managing critical infrastructure. Springer Nature.

Massel, A., & Gaskova, D. (2018). Scenario approach for analyzing extreme situations in energy from a cybersecurity perspective. Industry 4.0, 3(5), 266-269.

McGreight, R. (2018). Grid collapse security, stability and vulnerability issues: Impactful issues affecting nuclear power plants, chemical plants and natural gas supply systems. Journal of Homeland Security and Emergency Management, 16(1).

Mengidis, N., Tsikira, T., Vrochidis, S., & Kompatsiaris, I. (2019). Blockchain and AI for the next generation energy grids: Cybersecurity challenges and opportunities. Information & Security, 43(1), 21-33.

Radvanovsky, R. S., & McDougall, A. (2018). Critical infrastructure (4th ed.). Taylor & Francis.

Rosson, J., Rice, M., Lopez, J., & Fass, D. (2019). Incentivizing cybersecurity investment in the power sector using an extended cyber insurance framework. Homeland Security Affairs, 15(2), 1-24.

Smith, D. C. (2021). Sustainable cybersecurity? Rethinking approaches to protecting energy infrastructure in the European High North. Energy Research & Social Science, 51, 129-133.

Sullivan, J. E., & Kamensky, D. (2017). How cyber-attacks in Ukraine show the vulnerability of the U.S. power grid. The Electricity Journal, 30(3), 30–35.

United States Government Accountability Office. (2021). Defense cybersecurity: Defense logistics agency needs to address risk management deficiencies in inventory systems.

Venkatachary, S. K., Prasad, J., Samikannu, R., Alagappan, A., & Andrews, L. J. B. (2020). Cybersecurity infrastructure challenges in IoT based virtual power plants. Journal of Statistics and Management Systems, 23(2), 263-276.

Cite this paper


StudyCorgi. (2022, October 2). Cybersecurity in the Energy Sector. https://studycorgi.com/cybersecurity-in-the-energy-sector/
