- Projects & Cases
The “dark side” of cyberspace – strategies for protection against hacker attacks
“Russian hackers attack German power grids”: in the summer of 2018 this headline dominated the news cycle, causing widespread alarm. At that time, I was working for innogy Consulting on its JEDI project with the goal of improving cyber security at innogy, and I spoke with Thomas Krauhausen, Head of Cyber Security at innogy, about how we can protect our company from cyber attacks. Rest assured, the JEDI project is not as galactic as it sounds, and it’s a fascinating subject even for readers with only a limited background in IT.
David Goelz: I must confess that, before I started working on the cyber security project JEDI, I hadn’t even heard of your role as Head of Cyber Security. Could you perhaps briefly describe your job to readers with as little knowledge as I had back then?
Thomas Krauhausen: My teams and I are responsible for protecting innogy from all IT threats. These threats may be external, such as hacker attacks, or internal, such as deliberate or unwitting disclosure of corporate information to third parties.
David Goelz: On the subject of hacker attacks, this summer the German Federal Office for Information Security (BSI) issued a warning that German energy suppliers have become the target of Russian hacker attacks. How did innogy react to this news and what does it mean for us?
Thomas Krauhausen: Electricity grids, like those we operate, are classified as a critical infrastructure, which is an essential element that our society relies on. This huge responsibility means IT security is always going to be of the utmost importance to us. The BSI’s warning in the summer came as no surprise at the time, as we had been exchanging information with them on this issue for over a year, and have been strengthening our security ever since. This is evident in the ongoing certification of our compliance with the IT security catalogue, which is mandatory for energy suppliers in Germany. We’re well prepared, in other words, and weren’t surprised by the news. This announcement was purely when it was first made public by the authorities.
David Goelz: And has innogy already been the subject of hacking?
Thomas Krauhausen: We have a dedicated unit of cyber security experts – the Cyber Analysis and Incident Response Team – which continuously monitors our IT network and identifies suspicious activity. So far, they haven't detected any major hacking attacks. Nonetheless, we shouldn’t forget that we face smaller attacks on a daily basis. It is important, however, that we distinguish between different types of hacker attacks and don’t start panicking with every report.
David Goelz: What types of hacker attacks are there and how do they differ?
Thomas Krauhausen: There are basically three levels of hacker attack on energy supply companies.
- Level 1: Gaining access to the company’s IT network
The targets of this type of attack are company e-mail accounts, servers or websites. Such attacks, however, are limited to IT networks for office communication, such as e-mail and web servers, and have no impact on the intentionally segregated IT networks running power grids. Typical examples are phishing e-mails or infected websites, which are typically run by classic cyber criminals or for industrial espionage. These are a daily phenomenon for large companies.
- Level 2: Gaining access to IT networks used to control power grids
In attacks of this sort, hackers succeed in penetrating the specialised IT networks used to control power grids. At this level, even if the attackers gain access to the control networks, they are still unable to significantly disrupt power grids, as a wide variety of automated security mechanisms ensure the stability of the networks connected throughout Europe. To date, the few cases in which attackers successfully penetrated the operational control networks of grid operators have been in the USA – the number of unreported cases is, nevertheless, thought to be very high.
- Level 3: Coordinated attacks on electricity grids resulting in real-world stoppages
In the worst case scenario, hackers would be able to severely disrupt power grids, giving them the ability to control network operating systems at the “touch of a button”. In the one and only confirmed case so far of a blackout triggered by hackers, which occurred in Ukraine in 2015 and 2016, the attackers needed to manually open dozens of circuit breakers in three different facilities in the country via remote access.
At innogy, we monitor, analyse and report all activity in our systems in great detail. This means that we record the number of security-relevant IT incidents, in other words, situations in which attackers have attempted to gain access to our systems (before level 1). In the case of threats requiring cyber forensic analysis (levels 1–3), our experts are able to perform IT analysis of the disruptions, identify vulnerabilities and develop countermeasures. The German IT Security Law defines reportable events as those of level 2 and above with the potential of influencing critical infrastructure. None have ever occurred at innogy.
David Goelz: In other words, not every attack on energy suppliers automatically poses a threat to power grids. So what does innogy do to protect against attacks at each level and, in particular, the worst case scenario?
Thomas Krauhausen: Beyond the various technical security precautions, we place great importance on training our employees. We will be opening a state-of-the-art training centre, CyberRange-e, in the first half of 2019, to train employees using so-called war-gaming techniques. The centre allows us to simulate attacks against the power grid in the real environment of a training control room. Employees are trained to rapidly recognise threats. They can try out appropriate protective and defensive procedures, practise serious cyber attack scenarios of varying severity and react quickly and purposefully in a genuine emergency. Overall, our IT networks for controlling our power grids are already remarkably well protected. To further increase security, we are currently improving the protection of our conventional corporate IT network, since this is the site of the majority of attacks, including, as mentioned, phishing e-mails and malware on web pages.
David Goelz: What are we doing to improve the security of the IT network?
Thomas Krauhausen: There are various projects we are pursuing to increase security. Most attacks are the results of human error, for instance using unsecured USB sticks or opening attachments and links in unsecured e-mails. We launched the Human Firewall Campaign to instruct employees and raise their awareness regarding cyber security. As part of the campaign, we send harmless phishing e-mails to employees to train them in how to identify them.
David Goelz: It makes sense to raise awareness on the subject among employees. But cyber security is always going to be about IT as well, of course. What is being done in this area?
Thomas Krauhausen: After human behaviour, the most important pillar of cyber security, of course, is IT security. To further improve this, we initiated a major project at the beginning of the year in close cooperation with the IT department and with the support of innogy Consulting.
David Goelz: I myself was part of that team and helped you steer the programme. How would you explain to outsiders what JEDI is about?
Thomas Krauhausen: JEDI stands for Joint Enterprise Defence Initiative. We rather like the name, as the Jedi in the films represent the good side in an eternal battle against evil. The internet and the exponentially accelerating internet of things are incredibly useful, but they also lead to new attack vectors with unprecedented dynamics and considerable potential for harm. Our goal with the JEDI programme is to measurably advance the maturity of cyber security based on ten different initiatives in order to be able to respond to ever-increasing and ever more complex digital threats. These initiatives deal with issues such as secure software development, security of mobile devices and secure use of cloud services.
David Goelz: We are involved in many aspects of the project. Can you name some concrete ways in which the initiatives have already contributed to increasing security at innogy?
Thomas Krauhausen: Despite the high level of complexity, we have already implemented many measures as a result of the JEDI programme and are deploying agile working methods to implement Minimum Viable Products as quickly as possible – for instance, a variety of software solutions that have been introduced throughout the Group. For example, one software application helps to prevent people from opening malicious links and attachments in e-mails, while another solution helps to counter data loss or theft by securing smartphones and tablets. Another way that the project is helping to enhance security is by running penetration tests and attack simulations in which we work with “white hackers” to identify and fix vulnerabilities before they can be exploited. Over the next few months, we will also be providing our developers with training on secure software development in boot camps and expanding our cooperation with an external service provider to support us in the event of a major cyber security incident.
David Goelz: It’s apparent that we’ve already achieved a lot and that even more improvements to our cyber security are in the pipeline. Thanks for the interview, Tom, and good luck in the fight against the “dark side” of cyberspace.