Cyber Security Challenges in the Energy Context...Agent.btz Animal Farm Aurora Black Energy Carbanak...


  • Cyber Security Challenges in the

    Energy Context

    Guido Gluschke

    Institute for Security and Safety (ISS) at the Brandenburg University of Applied Sciences, Germany

    NISS / NATO ENSE CoE

    Kyiv, 17 March 2016

    [email protected]

  • Introduction

    Guido Gluschke

    Co-Director Institute for Security and Safety at the Brandenburg University of Applied Sciences

    30+ years experience in computer technology

    15+ years experience in security management in critical infrastructures, in particular energy sector

    7+ years experience in security management at nuclear power plants (NPP)

    Program manager for joint activities with UN, IAEA, OSCE, EU and NATO

    Member of the Energy Expert Cyber Security Platform - Expert Group of the European Commission DG-ENERGY

    Member of IAEA International Nuclear Security Education Network (INSEN)

  • EC DG ENER

    Cyber Security Expert Group

    3.1.1. Mission and duties of the EECSP-Expert Group

    The mission of the EECSP-Expert Group is to provide

    guidance to the Commission on policy and regulatory

    directions at European level, addressing the energy sector

    key points including infrastructural issues, security of

    supply, smart grids technologies as well as nuclear.

    EECSP = Energy Expert Cyber Security Platform

  • International Cyber Activities

    ISS Is Involved

    Supporting international organisations with our expertise:

    Cooperation with Think Tanks and NGOs:

  • Literature On The Cyber-Energy

    and Cyber-Nuclear Complex

    coming soon

  • Capacity Building On Cyber

    And Nuclear Security

    Developed by

    Brandenburg University

    of Applied Sciences

    together with IAEA.

  • Four Nuclear IT/Cyber Security

    Professional Development Courses

  • Four Nuclear IT/Cyber Security

    PDCs 2012-2014

    4 Nuclear IT/Cyber Security PDCs

    59 Participants

    21 Countries

    • Austria

    • Canada

    • Egypt

    • Ghana

    • Iraq

    • Jamaica

    • Jordan

    • Kenya

    • Malaysia

    • Morocco

    • Nigeria

    • Poland

    • Republic of Macedonia

    • Russian Federation

    • South Africa

    • South Korea

    • Tanzania

    • Thailand

    • UK

    • Ukraine

    • US

  • ISS Support of Locked Shields

    Cyber Exercise 2015 at NATO

    CCDCoE in Tallinn

    The backup power generator was part of an attack scenario in which generators should be destroyed by a cyber attack.

    Virtualization / simulation with real ICS equipment

    DHS / INL Aurora Project

  • Locked Shields 2015

    Virtual Blue Team Environment:

    Drone Research Facility

  • Focus

    Energy sector - Electricity

  • Computer Security Domains Related

    To A Nuclear Power Plant

    Administration (Office IT)

    Control Room (Office IT and I&C)

    Nuclear section (Digital I&C)

    Internet

    IT = Information Technology

    I&C = Instrumentation & Control

  • Computer Security Domains Related

    To An Electricity Grid Infrastructure

    Administration (Office IT)

    Control Room (Office IT and ICS)

    Grid (ICS)

    Internet

    IT = Information Technology

    ICS = Industrial Control Systems

    Transformer Station

  • Detection and Identification of

    Systems Relevant To Energy

  • Identified Systems

  • Trend of ICS Internet

    Connectivity

    Source: Collaborative research project with Berlin Free University 2012 to detect Industrial Control Systems connected to the Internet

  • Trend of Targeted Attacks with

    Advanced Persistent Threats

    Agent.btz

    Animal Farm

    Aurora

    Black Energy

    Carbanak

    Cloud Atlas

    CosmicDuke

    Crouching Yeti

    Dark hotel

    Desert Falcons

    Duqu

    Epic Turla

    Equation

    FinSpy

    Flame

    Gauss

    Hacking Team RCS

    Icefog

    Kimsuky

    Machete

    Madi

    MiniDuke

    MiniFlame

    NetTraveler

    Red October

    Regin

    SabPub

    Shamoon

    TeamSpy

    The Mask / Careto

    Winnti

    Wiper

    Source: https://apt.securelist.com/#secondPage

  • Advanced Persistent Threats Against

    Energy Sector

    Source: Symantec Security Response Documents

    Example Dragonfly: 3-phase attack over 14 months

  • In Nuclear: Design Basis Threat

    (DBT) Methodology

    A DBT is the State's description of a representative set of attributes and characteristics of adversaries, based upon (but not necessarily limited to) a threat assessment, which the State has decided to use as a basis for the design and evaluation of a physical protection system.

    A DBT is a description of the attributes and characteristics of potential insider and outsider adversaries who might attempt a malicious act, such as unauthorized removal or sabotage, against which a physical protection system for nuclear or other radioactive material or associated facilities is designed and evaluated.

    Motivation, Willingness, Intentions

    Funding, Support structure, Modes of transportation

    Group Size, Tools, Weapons, Explosives

    Knowledge, Skills, Tactics, Insider threat issues

  • Design Basis Threat (DBT)

    Responsibilities

    [Diagram: threat capability scale from Low Threat Capabilities to High Threat Capabilities. The Design Basis Threat marks the maximum threat capability against which protection will be reasonably ensured; threats up to the DBT are the Operator's responsibility (e.g. attack by a single person), threats beyond the DBT are the State's responsibility (e.g. terrorist attacks, military attacks).]

  • How to handle cyber in DBT?

    OR

    Source: Michael Beaudette, WINS workshop Toronto March 2012

  • The ISS perspective

    Cyber

    Military

  • Cyber Military Threat Groups

    The Nation State's Dilemma

    In the western hemisphere, military attacks against nuclear installations are typically beyond DBT.

    They are assigned to the nation state; in any case the licensee is not responsible for protecting its plant against these threats.

    This view can be argued by the following paradigms:

    • Military weapons are controlled by the nation state

    • Theft, as well as illegal movement, illegal import, or illegal use of military weapons should be detected/tracked by nation-state intelligence services

    • In case of use, military activities have to be fended off by nation-state forces

  • Cyber As A Powerful Weapon

    [Chart: weapon types (nuclear, chemical, biological, radiological, conventional/physical, cyber) plotted by Feasibility (difficult to easy) against Probability (low to high).]

  • Simple Model

    [Diagram: Zone 1 to Zone 4, from the Internet inward; attack categories A (Highly targeted), B (Targeted), C (Untargeted).]

    A Highly targeted: Targeted against particular component/system

    B Targeted: Targeted against particular organization/facility

    C Untargeted: Not targeted against particular organization/facility (Random target/Target of opportunity)

    Zones: Administrative zone; Operational zone / Main Control Room; Reactor-near zone

  • Characteristics

    [Diagram: Zone 1 to Zone 4, from the Internet inward; attack categories A (Highly targeted), B (Targeted), C (Untargeted).]

    Motivation

    Willingness

    Intention

    Funding

    Support

    Logistics

    Planning

    Knowledge

    A Highly targeted: Military-style adversary

    B Targeted: Traditional adversary groups

    C Untargeted: Everyone else

    A Highly targeted*: no prevention, advanced detection and response

    B Targeted**: extended prevention, advanced detection and resp.

    C Untargeted: standard prevention, detection and response

    *State-of-the-art is definitely not enough

    **State-of-the-art is most likely not enough

  • Consequences

    [Diagram: Zone 1 to Zone 4, from the Internet inward; attack categories A (Highly targeted), B (Targeted), C (Untargeted).]

    A Highly targeted: can be understood through exercises/simulation

    B Targeted: can be understood through incident analysis

    C Untargeted: can be understood through technical press

    A Highly targeted: Threat is not understood

    B Targeted: Threat is basically understood

    C Untargeted: Threat is well understood

    New cyber weapons come closer to nuclear protection goals

    Increased insider knowledge

  • Highly Targeted: Beyond State?

    Targeted: Beyond DBT?

    • In the physical world, 'physical threat boundaries' exist

    • There is always something more

    • In general, understanding/definition of this limit is necessary

    [Diagram tiers: Within License for Nuclear Facility; Beyond DBT; Beyond State Level]

  • Room For "Beyond DBT" and "Beyond

    State" In Cyber

    For cyber the "Maximum Threat Capability" could be considered as "Threats a nation state by itself is unable to defeat", for example:

    • DoS: When a state has no capability to handle massive DDoS attacks

    • Encryption: When a state has no capability to evaluate if an encryption is strong enough for its intended purpose

    • Malware: When a state has no detection mechanism for zero-day exploits or advanced malware

    • Supply Chain: When a state is not able to detect if computer systems within the supply chain are free of malware

  • Complexity x Malicious Intent Cyber Security =

    Competency x Readiness

    What Do We Need?

    Cyber Security Education / Capacity Building

    Cyber Security Exercises / Readiness

    Cyber Security Expertise

    Cyber Security Awareness / Culture

    Trust / Transparency / Confidence Building Measures

    International Cooperation

  • Trends and Research Areas

    • Understanding the infrastructures and dependencies, modelling the threats and risks

    • Digitalisation of analog elements in all relevant domains, such as physical protection systems

    • New technology trends with increasing internet-dependency

    • New operational models for energy sector, such as turn-key solutions or virtual power plants

    • Cyber as a new domain of military actions

    • Industrial Control Systems (ICS) as new targets

  • Thank you for your attention!

    Guido Gluschke

    [email protected]

    www.uniss.org