- Launching a focal institute for the security step is admirable
“Being unconquerable lies with yourself; being conquerable lies with your enemy.” (Sun Tzu in “The Art of War”)
Pakistan’s energy system, like that of most other countries in the world, is becoming increasingly vulnerable to cyberattacks. Such risks are feared to grow even more in the future, both in frequency and intensity, as information and communications technologies (ICTs) make rapid inroads into every part of this system. These threats demand serious and urgent attention from our government, regulatory bodies, energy sector managers, and other stakeholders because the cybersecurity of the energy system must be ingrained in its basic design and cannot be overlaid after its construction.
A secure, robust and resilient energy system is critical because it propels the wheels of our economy and enables the provision of other essential services to our people. The security of the electric power grid is of particular importance as it’s a preferred energy carrier due to its cleanness, ease of control and flexibility to serve diverse human needs. The energy system is also inextricably linked with other critical infrastructures of the country such as transportation, communications, water, healthcare, finance and defense systems, and is essential to ensure their proper and trouble-free functioning.
For over two centuries, energy systems in most countries have functioned quite effectively and with minimal trouble or disruption. There have been occasional cases of energy system malfunction, but these were largely attributable to acts of nature, the use of energy supplies as political leverage or, as with all engineering systems, technical faults. These episodes can only be termed few and far between.
Need of control devices
Energy systems and markets around the world have, however, been in turbulence lately. A fundamental transformation is taking place, driven chiefly by society’s growing concern to ward off the looming risks of global climate change and other environmental threats, of which the emission of greenhouse gases (GHGs) and other pollutants from the energy sector is a major cause. Within the energy sector, the electric power grid has acquired a central focus as it’s believed to act as the main hub of most of these efforts.
The availability of inexpensive and powerful sensors and control devices, mostly ICT-based, is weaving a host of actors and functions together into a complex web of central power stations, transmission & distribution (T&D) systems, distributed and renewable power generators, industrial control systems, electric vehicles, storage batteries, and smart homes, which are interlinked electrically on one hand and via the internet on the other.
With the pervasive and deep penetration of ICTs in virtually every part of the energy system, from primary fuel supply systems to ultimate delivery to end-users, an altogether new set of threats has emerged: the risks of unauthorized access to these systems and their potential abuse. Cyberthreats render the energy systems vulnerable to deliberate sabotage from various adversaries for a multitude of criminal and hostile objectives that can include hacking for ransom (like what K-Electric faced a couple of years back), disruption and physical damage from terrorist outfits or restive political groups, or a planned strategy by an enemy state to paralyze or disrupt the social life, economy, and defense system of our country.
The ramifications of cyberattacks are numerous as well as serious because all sectors of the economy rely on secure and reliable energy supplies. Exploiting weaknesses in any of its parts has the potential to trigger a ‘cascading effect’ in the whole energy system that can seriously disrupt the functioning of the other sectors, quickly leading to a crisis of serious and national proportions. Cybersecurity of the energy system is, therefore, of the utmost importance.
Cyber threats to the energy system are not mere apprehension or paranoid thinking; they are real as well as imminent. Just to cite a couple of examples, a computer virus was launched into the IT networks of Saudi Aramco in 2012. Though it couldn’t stop oil production, it still managed to damage 30 to 35 thousand computers. In 2017, a Saudi petrochemical plant again came under a cyberattack that was aimed at manipulating an emergency shutdown system. The attack resulted in the plant’s shutdown only, but experts felt that it was sufficiently potent to cause serious damage.
In 2015, hackers managed to penetrate the computer system of a Ukrainian power utility and cut off power to thousands of consumers. They attacked this system again in 2016 and succeeded in disabling a substation, leaving customers in parts of Kiev without power for about an hour.
The energy system’s vulnerability to cyberattacks exposes not just this sector to risk but jeopardizes the security of the whole country as well. It must be taken seriously by our leaders, regulatory authorities, security agencies, and energy sector managers as a top priority since it will require a highly coordinated and responsive national cybersecurity framework, sophisticated toolkits, and a skillful and agile workforce to remain vigilant to detect cyber threats whenever and wherever these are identified, isolate them as quickly as possible, and neutralize or mitigate them.
We will need a legal and institutional framework to protect our energy system and facilities against continuously evolving cyber threats. As it would be impossible and, in fact, futile to plug all the holes and cover all the exposed surfaces which cybercriminals can exploit to access these systems, the best we can do is to minimize the number of such surfaces and entry points in the first place through a careful design of these systems and associated facilities with cyber threats in mind and by standardizing the information and operational technologies and algorithms that are used to communicate and interact with them.
We will also need an effective cybersecurity setup at the national level that can keep a close and constant vigil on the wide array of cyber threats to which our energy system and other critical infrastructure facilities may already be exposed and which they will be facing in the future. Many of the standards, operating procedures, and countermeasures to identify cyber threats and manage them effectively will be common among different infrastructures and not unique to the energy system. A centralized national cybersecurity assurance setup will be more effective, nimble and efficient in dealing with such issues than developing and maintaining such schemes in silos.
Cybersecurity of the energy system is a sort of “public good” whose cost may be borne by one organization but whose benefits will not be restricted to it and will flow out to the whole system and the country. The already cash-starved energy sector entities, under perennial pressure to cut costs, may not have the financial muscle or motivation to add any new costs to their budgets. The responsibility for securing this system against cyber threats, therefore, should not be left to energy sector entities alone but should be assumed by the government itself at the highest level.
There is currently a serious dearth of data and knowledge bases, educational and training facilities, toolkits, and trained workforce in the country in this field. Building this capacity and capability will be essential to effectively deal with a critical and evolving issue of cybersecurity assessment and management for critical infrastructures like the energy system and in particular the power grid. Institutional capacity building, development of the requisite skills and competencies, and professional development opportunities for young engineering graduates, therefore, cannot be overemphasized.
Our government will do a great service to the country if it can help develop a national cybersecurity legal and regulatory framework and establish a focal institute in the country with some seed funding to give it a kickstart. This institute should be entrusted with the responsibility of assessing the cybersecurity risks that our critical infrastructures, in particular the power grid, are currently exposed to and will face in the future. The result of this assessment should be used to devise an effective strategy to ensure that these critical systems and facilities are made robust, secure, and resilient against all credible cyber threats unleashed on them.
The writer is a freelance consultant, specializing in sustainable energy and power system planning and development. He can be reached by email at: firstname.lastname@example.org