Profile picture
(((Alex Gilbert))) @gilbeaq
, 38 tweets, 10 min read Read on Twitter
1. Energy system cyberattacks are rapidly emerging as an economic, reliability, and public safety risk domestically and internationally. Proactive cybersecurity actions by industry and governments can mitigate the most severe risks
2. To start, a basic question: what are cyber attacks? Cyber attacks are intentional, malicious, digital attempts to disrupt, compromise, or control computers or computer networks owned and operated by someone else csoonline.com/article/323732…
3. Cyber attacks take many forms, vary in their level of sophistication, and do not necessarily have to be successful to be considered a cyber attack rapid7.com/fundamentals/t…
4. In energy, there are several noteworthy types of attacks: denial of service, criminal theft, foreign espionage, industrial espionage, and industrial sabotage. Such attacks have occurred for decades, although the scale and pace escalated in the 2010s
5. Generally, when discussing energy cyber risks, there are two of networks to consider: business networks and control networks. The first four types of attacks above primarily focus on energy business networks
6. Cyber attacks against business networks are concerning. They can disrupt commercial operations, compromise company secrets or competitive information, provide reconnaissance control network attacks, wipe information, or lead to ransom demands greentechmedia.com/articles/read/…
7. In 2012, the Shamoon virus targeted the business networks of one of the the world’s largest oil companies, Saudi Aramco. The sophisticated virus wiped ¾ of Aramco’s corporate computers nytimes.com/2012/10/24/bus…
8. Beginning in 2008, Night Dragon attacks began targeting oil, energy, and petrochemical companies with the “apparent intent of stealing sensitive information such as operation details, exploration research, and financial data” mcafee.com/us/about/night…
9. Business network attacks pose financial risks to individual companies. Not to understate the risk, they can be annoying but not dangerous. However, when it comes to energy, cyber attacks against controls networks pose major reliability and public safety concerns
10. Industrial Control Systems (ICS) are computer networks used to digitally control the operations of real-world physical assets. SCADA is a type of ICS trendmicro.com/vinfo/us/secur…
11. Due to their impact on physical systems, cyber attacks on ICS pose significant risks to industry operations. When an attacker controls a physical asset, they can operate that asset in a way that physically damages either the asset or the broader system (excerpt from @energy)
12. Any major part of the energy industry supply chain that uses ICS and is connected to the internet is potentially vulnerable. While public focus is often on the electric grid, ICS attacks can compromise nuclear, natural gas, oil, coal, biomass, and other energy sectors
13. Indeed, one of the most infamous computer attacks in history, Stuxnet, specifically targeted Iranian dual-use nuclear centrifuges in attempt to sabotage Iran’s nuclear weapons programs csoonline.com/article/321810…
14. ICS attacks on non-electric sectors can cause significant damage, threaten worker and public safety, and (somewhat) disrupt energy markets
15. Its worth noting that control systems for nuclear power plants are NOT at risk of external cyber intrusions causing meltdowns. These systems are islanded – not connected to the internet. Cyber meltdowns only belong in fiction: 24.wikia.com/wiki/San_Gabri…
16. Nevertheless, when it comes to energy ICS cybersecurity, cyber risks to the electric grid and pipelines. Why? Because a successful attack can potentially disrupt energy delivery or service for a large geographic area everycrsreport.com/files/20170828…
17. Unlike other energy sectors, electricity is unique because it can't be stored in quantity for a long time. The grid is an instantaneous system that connects thousands of generators to millions of customers. This machine can collapse with (relatively) small acts of sabotage
18. In 2015 and 2016, a series of cyber attacks interrupted electric service in Ukraine. The sophisticated attacks targeted the ICS of electric substations. Hundreds of thousands lost service for an hour or more wired.com/2016/03/inside…
19. (this attack is really important to understanding electric sector risks, so check out this piece for a more in-depth look at how it happened: zdnet.com/google-amp/art…)
20. Transmission, not generation, is the main source of reliability issues in electricity. Transmission infrastructure is therefore a particular target for any entity seeking to disrupt electric reliability. The ability to disrupt service scales with attacker sophistication
21. Similarly, pipeline systems are an Achilles heel for the natural gas industry. Although natural gas can be stored, it requires a vast system of pipelines to deliver gas to end-use customers. Small disruptions can reverberate (esp into electric markets)
22. Earlier this year, a cyber attack on a major energy vendor caused multiple pipeline companies to shut down due to compromised communication systems bloomberg.com/news/articles/… An ICS attack on pipelines could disrupt service in winter time, a very dangerous situation
23. A complex, sophisticated cyber attack against the electric grid and/or natural gas pipelines could cause significant service disruptions, threaten economic growth, and undermine public safety
24. In severe cases, it could undermine the US military, which depends on commercial energy markets for domestic bases defensenews.com/pentagon/2017/…
25. Considering these risks, how do we address cyber attacks? Through cybersecurity, criminal law, and international treaty
26. Cybersecurity for the energy sector sector is relatively straightforward. Best practices for business and control networks and active cyber defense. As @kidcongo put it, “make better passwords”. Or me - "Don't be Podesta" pubs.naruc.org/pub/66D17AE4-A…
27. In the US, NERC’s Critical Infrastructure Protection standards provide clear requirements for the electric grid velaw.com/uploadedfiles/… Generally, as long as these standards are adhered to, companies can avoid the most severe ICS attacks
28. While the US may be forward looking in addressing energy cybersecurity concerns, other countries may not have the capabilities. Even if we manage our risks, our allies and other countries will still be exposed. Thus assisting global energy cybersecurity is a key US priority
29. That said, its not even clear to what degree businesses or governments should have ultimate responsibility dealing with cyber issues. If a foreign country is threatening US security via the electric grid, should ratepayers bear the cost? cip.gmu.edu/2016/06/07/cyb…
30. This is exacerbated by the nature of cyber risks. Cyber attacks are unique conflict vectors because of two attributes: they are an asymmetric weapon and they are difficult to attribute
31. Cyber attacks are asymmetric because they enable a less capable adversary to deliver substantial damage beyond what their capabilities normally allow. They enable countries or even non-state actors to attack a more country like the US worldview.stratfor.com/article/hackin…
32. Indeed, the asymmetric nature of cyber threats are so severe, the US now needs to consider whether a less technologically capable adversary would target the US homeland during wars warontherocks.com/2018/04/war-pl… (hint, Iran and NK have the capability)
33. Cyber threats are also difficult to address because attribution is not straightforward. Its probably not a 400 pound guy but that doesn't mean it is Russia wired.com/2016/12/hacker…
34. In practice, an unattributed cyber attack can thus be either a criminal act or an act of war digitalcommons.law.yale.edu/cgi/viewconten…
35. Both domestic and international law may apply lawfareblog.com/how-should-int… Facially, an attack on another countries electric grid is a clear act of war under international law, if it can be successfully attributed
36. Further, as an attack on energy systems is inherently an attack on civilian infrastructure, energy cyber attacks may be prohibited under the Geneva Conventions. Enforcement and deterrence only work with attribution, however
37. The best long-term solution to cyber threats is just to agree not to do them. The US and other countries should work together to develop an international norm, if not a new treaty, to mitigate the greatest risks (end)
unroll @threadreaderapp
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to (((Alex Gilbert)))
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @gilbeaq see all

Profile picture
1. The recenty claim by @ShellenbergerMD that wind and solar increase electricity prices is misleading and incomplete, if not outright incorrect. His analysis emphasizes correlation over causation, confuses past studies with future expectations, and is limited to 1 type of price
2. The two piece’s I’m critiquing here: forbes.com/sites/michaels…

and here: forbes.com/sites/michaels…
3. As I understand it, the @ShellenbergerMD hypothesis is that adding solar and wind power increases electricity prices because of an unspecified mix of intermittency, more expensive transmission costs, and other physically-caused increased system costs
Read 25 tweets

Related threads

Profile picture
Hi guys! @AtteHarjanne and me just published a paper "Abandoning the concept of #renewable #energy" at Energy Policy. In it, we argue that the concept of #renewableenergy (RE) is outdated. 1/

First, a link to the paper that should work until Feb 14:

sciencedirect.com/science/articl…
What we argue here is that using what is basically a 1970s-era definition of renewable energy, and conflating "renewable" with "sustainable" or even "clean," is becoming more a hindrance than a help in meeting the main challenge of the early 2000s - #climatechange . 2/
We argue that the concept of RE was largely set in stone well before the magnitude of #climate challenge, and actual problems with some sources that are technically renewable, was understood. This has resulted to, e.g., using the "renewable" label to cover all bioenergy. 3/
Read 9 tweets
Profile picture
(1) Thread #4: Mass illegal immigration attempts on the US Southern border.

Caravans through Mexico will always be with us, certainly long after 2018 midterms. The current ones are different... the strongest response is needed.

Directory of threads:
(2) The strong response being formed now will reduce size/frequency of future caravan attempts. The eventual #EndCatchAndRelease, #FinishTheWall & other actions by the incoming congress will allow the military deployments to end.

#VoteGOP has never been more necessary.
(3) Essential reading about the caravans:

dhs.gov/news/2018/11/0…
Read 39 tweets
Profile picture
Why do we keep falling short on #carbon pricing? (And what to do about it)

A thread on how policy can accelerate the pace of progress towards a low-carbon #energy system commensurate with the threat posed by #climatechange...
Putting a price on carbon.

The IPCC report on holding global warming to 1.5°C released Sunday calls for it. A share of the Nobel in Economics was awarded to William Nordhaus this week for championing it. It's arguably the most efficient and powerful climate policy available.
So why do governments around the world keep falling short on carbon pricing, and how can break this logjam? I discussed these challenges with the @NYTimes @BradPlumer in an article appearing in yesterday's paper. nytimes.com/2018/10/08/cli…
Read 27 tweets
Profile picture
Today much of the world's population lives safer, more comfortable, healthier, longer, more productive lives than ever before. And yet, around half of the global population currently lacks access to enough electricity, and 1.2bn people have no access at all. #IPCC 1/n
Global electricity access is rising, which is improving the lives of millions. But this means our decarbonisation challenge is even greater, since we not only have to replace our entire fossil fuel infrastructure, but probably double it to meet rising global energy demand. #IPCC
The question is where will this energy to come from? A: Right now, mainly from #coal. #IPCC
Read 25 tweets
Profile picture
“SINCE...........2008”

A THOROUGH COMPENDIUM OF #FINANCIAL #ECONOMIC #DEBT #STOCKMARKET #INTERESTRATE #HOUSING #RISK DATA, TOLD IN TWEETS BY MYSELF & MANY OTHERS.

This is dedicated to everyone that will say “nobody saw it coming”

Read the ENTIRE THREAD, down the rabbit hole
#GOLD #SILVER RATIO HIGHEST SINCE 10/2008
#EMERGINGMARKETS DEFAULT RISK HIGHEST SINCE 2008
Read 25 tweets
Profile picture
The federal government’s marijuana policies are broken, outdated, and disregard the rights of states like MA & CO that have taken their own thoughtful approaches. @SenCoryGardner and I are introducing new legislation to protect them.
By outlawing marijuana, the federal government puts communities of color, small businesses, & public health & safety at risk. My new bill with @SenCoryGardner will let states, territories, & tribes decide for themselves how to regulate marijuana – without federal interference.
No one should go to jail for a joint. But more Americans are arrested for marijuana possession than all violent crimes combined. And black Americans are nearly 4x more likely to be arrested for it than whites. My new bill will help put an end to this two-tiered justice system.
Read 8 tweets

Trending hashtags

#macroprudential #risk #EmirAlThani #financial #Bell #rights #privacy #BuildTheWall #job #Judeo #liberal #Yahweh #Nietzschean #risks #divinity #manufacturing #autonomousAI #YouTube #gunscontrol #failed #deceived #cyber #defense #racist #duties

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!