[ENERGY] SCADA security, a missing cog in the industry

22 October was designated as “World Energy Day” at the opening of the World Energy Forum in 2012. This initiative reminds us that energy is one of the major challenges of the 21st century. For example, nearly 1.5 billion people are still without electricity, a figure that poses a challenge for cooperation between developed and developing countries. Beyond the lack of infrastructure and financial resources needed to access this essential good, access to energy resources is becoming increasingly dependent on new technologies. With the development of smart grids and the introduction of renewable energy parks, the energy industry is exposed to new IT vulnerabilities. Blackouts sometimes occur as a result of power plant hacking, as was the case in Ukraine in December 2015 and 2016, targeted by the BlackEnergy and Industroyer malware respectively.

Industrial systems are often targeted by attackers. With the development of smart devices within the industry sector, electrical networks are more vulnerable. A test conducted by Cybereason showed how easy it is to hack industrial control systems. Security researchers deployed a honeypot (a fake, vulnerable device meant to attract attackers) posing as a relay station owned by a major electricity supplier. After it was put online on July 17, 2019, it took only two days for an attacker to penetrate the network and install malicious tools to take control of the system.

Renewable energy networks are the most exposed. Built for connectivity by design, they are very vulnerable to sabotage attacks. Solar and wind installations would even be particularly easy to hack, with cheap equipment such as a Raspberry Pi or a Wi-Fi antenna. In 2017, Dutch researcher Willem Westerhof discovered 21 vulnerabilities in smart solar inverters, which convert the direct current of the panels into the alternating current supplied to the grid. Beyond their porosity, these networks are unfortunately poorly secured: lack of hardening (passwords stored in an unsecured way), no upstream security testing, no active antivirus software on workstations, and no security monitoring.

Faced with this situation, several countries are beginning to take concrete measures to strengthen the security of industrial systems. In France, the ANSSI (National Cybersecurity Agency of France) will issue security certifications and qualifications for manufacturers. This approach responds to a growing need for security in light of the new LPM (military programming law) regulations and represents a guarantee of confidence for the State, industrialists and individuals. It is an example to be followed at the global level.