(((Alex Gilbert))) @gilbeaq
1. Energy system cyberattacks are rapidly emerging as an economic, reliability, and public safety risk domestically and internationally. Proactive cybersecurity actions by industry and governments can mitigate the most severe risks
2. To start, a basic question: what are cyber attacks? Cyber attacks are intentional, malicious, digital attempts to disrupt, compromise, or control computers or computer networks owned and operated by someone else csoonline.com/article/323732…
3. Cyber attacks take many forms, vary in their level of sophistication, and do not necessarily have to be successful to be considered a cyber attack rapid7.com/fundamentals/t…
4. In energy, there are several noteworthy types of attacks: denial of service, criminal theft, foreign espionage, industrial espionage, and industrial sabotage. Such attacks have occurred for decades, although the scale and pace escalated in the 2010s
5. Generally, when discussing energy cyber risks, there are two types of networks to consider: business networks and control networks. The first four types of attacks above primarily focus on energy business networks
6. Cyber attacks against business networks are concerning. They can disrupt commercial operations, compromise company secrets or competitive information, provide reconnaissance for control network attacks, wipe information, or lead to ransom demands greentechmedia.com/articles/read/…
7. In 2012, the Shamoon virus targeted the business networks of one of the world’s largest oil companies, Saudi Aramco. The sophisticated virus wiped ¾ of Aramco’s corporate computers nytimes.com/2012/10/24/bus…
8. Beginning in 2008, Night Dragon attacks began targeting oil, energy, and petrochemical companies with the “apparent intent of stealing sensitive information such as operation details, exploration research, and financial data” mcafee.com/us/about/night…
9. Business network attacks pose financial risks to individual companies. Not to understate the risk, they can be annoying but not dangerous. However, when it comes to energy, cyber attacks against control networks pose major reliability and public safety concerns
10. Industrial Control Systems (ICS) are computer networks used to digitally control the operations of real-world physical assets. SCADA is a type of ICS trendmicro.com/vinfo/us/secur…
11. Due to their impact on physical systems, cyber attacks on ICS pose significant risks to industry operations. When an attacker controls a physical asset, they can operate that asset in a way that physically damages either the asset or the broader system (excerpt from @energy)
12. Any major part of the energy industry supply chain that uses ICS and is connected to the internet is potentially vulnerable. While public focus is often on the electric grid, ICS attacks can compromise nuclear, natural gas, oil, coal, biomass, and other energy sectors
13. Indeed, one of the most infamous computer attacks in history, Stuxnet, specifically targeted Iranian dual-use nuclear centrifuges in an attempt to sabotage Iran’s nuclear weapons programs csoonline.com/article/321810…
14. ICS attacks on non-electric sectors can cause significant damage, threaten worker and public safety, and (somewhat) disrupt energy markets
15. It's worth noting that control systems for nuclear power plants are NOT at risk of external cyber intrusions causing meltdowns. These systems are islanded – not connected to the internet. Cyber meltdowns only belong in fiction: 24.wikia.com/wiki/San_Gabri…
16. Nevertheless, when it comes to energy ICS cybersecurity, the focus is on cyber risks to the electric grid and pipelines. Why? Because a successful attack can potentially disrupt energy delivery or service for a large geographic area everycrsreport.com/files/20170828…
17. Unlike other energy sectors, electricity is unique because it can't be stored in quantity for a long time. The grid is an instantaneous system that connects thousands of generators to millions of customers. This machine can collapse with (relatively) small acts of sabotage
18. In 2015 and 2016, a series of cyber attacks interrupted electric service in Ukraine. The sophisticated attacks targeted the ICS of electric substations. Hundreds of thousands lost service for an hour or more wired.com/2016/03/inside…
19. (this attack is really important to understanding electric sector risks, so check out this piece for a more in-depth look at how it happened: zdnet.com/google-amp/art…)
20. Transmission, not generation, is the main source of reliability issues in electricity. Transmission infrastructure is therefore a particular target for any entity seeking to disrupt electric reliability. The ability to disrupt service scales with attacker sophistication
21. Similarly, pipeline systems are an Achilles heel for the natural gas industry. Although natural gas can be stored, it requires a vast system of pipelines to deliver gas to end-use customers. Small disruptions can reverberate (esp into electric markets)
22. Earlier this year, a cyber attack on a major energy vendor caused multiple pipeline companies to shut down due to compromised communication systems bloomberg.com/news/articles/… An ICS attack on pipelines could disrupt service in winter time, a very dangerous situation
23. A complex, sophisticated cyber attack against the electric grid and/or natural gas pipelines could cause significant service disruptions, threaten economic growth, and undermine public safety
24. In severe cases, it could undermine the US military, which depends on commercial energy markets for domestic bases defensenews.com/pentagon/2017/…
25. Considering these risks, how do we address cyber attacks? Through cybersecurity, criminal law, and international treaty
26. Cybersecurity for the energy sector is relatively straightforward. Best practices for business and control networks and active cyber defense. As @kidcongo put it, “make better passwords”. Or me - "Don't be Podesta" pubs.naruc.org/pub/66D17AE4-A…
27. In the US, NERC’s Critical Infrastructure Protection standards provide clear requirements for the electric grid velaw.com/uploadedfiles/… Generally, as long as these standards are adhered to, companies can avoid the most severe ICS attacks
28. While the US may be forward looking in addressing energy cybersecurity concerns, other countries may not have the capabilities. Even if we manage our risks, our allies and other countries will still be exposed. Thus assisting global energy cybersecurity is a key US priority
29. That said, it's not even clear to what degree businesses or governments should have ultimate responsibility for dealing with cyber issues. If a foreign country is threatening US security via the electric grid, should ratepayers bear the cost? cip.gmu.edu/2016/06/07/cyb…
30. This is exacerbated by the nature of cyber risks. Cyber attacks are unique conflict vectors because of two attributes: they are an asymmetric weapon and they are difficult to attribute
31. Cyber attacks are asymmetric because they enable a less capable adversary to deliver substantial damage beyond what their capabilities normally allow. They enable countries or even non-state actors to attack a more capable country like the US worldview.stratfor.com/article/hackin…
32. Indeed, the asymmetric nature of cyber threats is so severe that the US now needs to consider whether a less technologically capable adversary would target the US homeland during wars warontherocks.com/2018/04/war-pl… (hint, Iran and NK have the capability)
33. Cyber threats are also difficult to address because attribution is not straightforward. It's probably not a 400-pound guy but that doesn't mean it is Russia wired.com/2016/12/hacker…
34. In practice, an unattributed cyber attack can thus be either a criminal act or an act of war digitalcommons.law.yale.edu/cgi/viewconten…
35. Both domestic and international law may apply lawfareblog.com/how-should-int… Facially, an attack on another country's electric grid is a clear act of war under international law, if it can be successfully attributed
36. Further, as an attack on energy systems is inherently an attack on civilian infrastructure, energy cyber attacks may be prohibited under the Geneva Conventions. Enforcement and deterrence only work with attribution, however
37. The best long-term solution to cyber threats is just to agree not to do them. The US and other countries should work together to develop an international norm, if not a new treaty, to mitigate the greatest risks (end)