Cyber security and the power sector in Africa

The power industry around the world is increasingly one of the top targets for malicious cyber attacks. In November 2014, the US National Security Agency Director Admiral, Michael Rogers, told the US House Intelligence Committee that several foreign governments have hacked into US energy, water and fuel distribution systems, leaving them vulnerable to attack.

A number of factors combine to make this risk specifically pertinent to Africa:

• African power networks typically rely on older (and therefore more vulnerable) technologies.
• Non-African states are increasingly investing in Africa to reap rewards of African growth, often in competition with each other. Nation-state rivalries and disputes are increasingly manifesting themselves in cyberspace.
• Power security is becoming an increasingly significant topic for African governments, and is particularly important for them when trying to attract inward investment. African populations are increasingly demanding access to power.
• Power shortages also have a knock-on effect on other critical systems that rely on a stable power supply; for example, electricity supply interruptions caused by fuel shortages are already causing significant disruption to telecoms services in western and southern Africa.

Given their potential impact, attacks (or threatened attacks) on power supplies are very attractive to a variety of threat actors, including:

• Nation states targeting power network of states with whom they are in conflict or disagreement
• Criminals threatening power networks for ransom
• Activists targeting power networks to highlight political, social or environmental causes
• Disgruntled former employees using knowledge of (and in some cases continued access to) systems to cause disruption or damage

Whereas less sophisticated attackers may exploit vulnerabilities as they discover them, more advanced attackers seek to gain access to networks to conduct intelligence gathering and reconnaissance, giving them the capability to mount an attack at a time of their choosing. In 2014, the IT security company Symantec published a report on a cyber espionage campaign dubbed “Dragonfly” that compromised a number of strategically important targets in the energy sector. It also gave the attacker (highly likely a nation state) the ability to cause damage or disruption to the energy supply in the affected countries at will.

It is this risk of physical damage through cyber attack that keeps risk managers in the power sector awake at night. Stuxnet (the well-known worm that targeted Industrial Control Systems (ICS) used to control and monitor large industrial facilities) was designed to sabotage centrifuges and turbines at an Iranian nuclear enrichment facility. Since it was discovered in 2010, there have been several reports of similar and other types of sophisticated malware targeting ICS. ICS are widely deployed in the power industry and are particularly vulnerable to cyber attacks, as they are designed with accessibility and availability rather than security in mind, and are increasingly connected to the wider internet.

Governments are on their way to establish standards and requirements to enhance the security of Critical National Infrastructure (CNI). For example, the French cyber security agency has released binding security measures for 218 organisations identified as critical operators. These include the obligation to conduct external audits of their networks, the reinforcement of intrusion detection controls, the obligation to report cyber attacks and the handover of control in the case of extreme crises. In the US, every nuclear power plant has to submit a cyber security plan for approval to the Nuclear Regulatory Commission. Other countries, including those in Africa, may be encouraged to implement similar measures for organisations operating CNI.

However, power operators must not make the mistake of believing that cyber security is purely an IT issue. Although technical controls are important in preventing cyber attacks, people remain the weakest link; for example, in the Dragonfly case, individual users in the companies were targeted and compromised by spear phishing emails[1] and watering hole attacks.[2] The threat from malicious insiders is also one that should not be discounted; a recent survey found that 89% of organisations thought they were vulnerable to attacks facilitated from individuals within the company.[3]

Given the threat that power operators face, it is vital that they embed cyber security into people, business processes and technology. A good parallel is health and safety risk, which organisations in the power sector have significant experience of managing. The same systematic approach of identifying and managing specific risks, implementing strict processes and controls, and embedding a culture across an organisation is equally applicable to cyber security and will significantly enhance the protection of power networks in Africa.

By Gillian Duncan, Maria Cunningham and James Hampshire, Cyber Security Consultants

[1] A social engineering attack that involves sending an email with the aim of getting the recipient to open an attachment or click on a link (thereby downloading malicious software), or to give confidential or personal information.

[2] A hacking technique in which malicious software is injected into legitimate websites that the attacker believes is most visited by the target audience that the offender wants to penetrate. The users are the infected when visiting that website.

[3] http://enterprise-encryption.vormetric.com/rs/vormetric/images/CW_GlobalReport_2015_Insider_threat_Vormetric_Single_Pages_010915.pdf