Cyber Security in Electrical Power Grids

Electrical power grids are part of what we call critical infrastructures and are essential for maintaining structure and order within our society. In the past, power grids were characterized by proprietary, isolated, legacy equipment, which in turn provided a barrier to malicious intrusion into the power system. Over time, the power grids have changed, becoming more efficient through more automation and digitalization and more connected with the outside world, thus breaking the barrier that once protected the system from malicious external influences. During the transformation of the energy system, in which the share of decentralized energy resources (photovoltaic systems, wind systems, energy storage/UPS systems) and the transition from consumers to prosumers (P2H, e-mobility, smart homes & smart industry) increased, the process of transforming power grids into intelligent, automated systems accelerated. All of these – still ongoing – advances have provided or will provide further opportunities and access points for unauthorized entities with malicious intent into the power grid systems. Malicious hackers who gain access to the internal networks of power plants and disrupt central components of power generation, such as steam turbines and their associated generators, in the blink of an eye are no longer the stuff of dystopian novels.

A more concrete case of what is possible against power generation control systems was demonstrated in [1], where possible attack vectors for the application server of a turbine control system from Siemens were presented. The Distributed Control System (DCS) SPPA-T3000, which is mainly used in coal and gas power plants, has a whole set of Java apps on board that can be called remotely, as well as programs for the Apache Tomcat server, MSSQL, Cygwin and Simatic industrial automation technology. According to the authors, common login combinations are easy to find with search engines and, until recently, passwords were difficult to change. Obfuscated Java code could easily be reverse-engineered, and with a special dissector, structured fields could be extracted. On an Orion Java server belonging to the SPPA-T3000, on which the directories could be read quite easily via HTTPS, a large number of servlets that received and answered requests from clients were found. These included a third-party browser servlet and a FileUploadServlet, which could be used to upload files with full system rights. Further vulnerabilities were discovered in other Java services offered, including a list for “AdminService” with the possibility of reverse code engineering. The respective authentication system was also relatively easy to circumvent. Moreover, it was possible to execute arbitrary code with full privileges, to inject arbitrary Java classes and to query all sensitive and private information in plain text. Even at this level, power generation could be started or stopped, the values of the generated power could be changed, and extensive data on running processes could be collected. The control system from Siemens also includes an automation server which – similarly to the application server – can communicate with a network interface and via input/output modules. The exchange of the data is via the S7 protocol, which is known for security problems such as unauthorized read and write access [2]. Again, it was possible to execute manipulated files remotely with the help of a simple, customized analysis tool and a PHP script.

This concrete example emphasizes how vulnerable central components of today’s power grid are and how important it is to address ICT vulnerabilities and implement techniques such as intrusion detection systems with situation awareness that detect and interpret early indicators of an attack. Another important aspect is collaboration and information exchange across borders in order to facilitate quick reactions to cyber incidents. The European Union funded collaborative project PHOENIX follows a holistic approach by developing a platform that combines both information about incidents detected by its local IDS and information collected across Europe by other utilities and stakeholders. That way, PHOENIX will offer a cyber-shield armor to the European electrical power energy systems infrastructure, enabling cooperative detection of large-scale, cyber-human security and privacy incidents and attacks.
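As an added illustration of the kind of early indicator an IDS on a plant network can look for, the following example (written for this article; it is not code from the PHOENIX project or from the cited talks) classifies S7comm requests by their function code and raises an alert when a state-changing request (variable write, PLC control or PLC stop) arrives from a host that is not on the allowlist of authorized engineering stations. The packet layout (TPKT / COTP / S7comm Job header, function code as the first parameter byte) follows the public S7comm format; the IP addresses and sample frames are constructed for the demonstration.

```python
import struct

# S7comm "Job" function codes: the first parameter byte after the 10-byte S7 header.
S7_FUNCTIONS = {
    0xF0: "setup_communication",
    0x04: "read_var",
    0x05: "write_var",
    0x28: "plc_control",   # start/run and similar control requests
    0x29: "plc_stop",
}
# Requests that change PLC memory or run state; only authorized engineering hosts should send these.
STATE_CHANGING = {"write_var", "plc_control", "plc_stop"}

def parse_s7_job(payload: bytes):
    """Return the function name of an S7comm Job PDU carried in a TCP/102 payload,
    or None if the payload is not a TPKT/COTP/S7comm Job (protocol id 0x32, ROSCTR 0x01)."""
    if len(payload) < 4 or payload[0] != 0x03:          # TPKT version 3
        return None
    if struct.unpack(">H", payload[2:4])[0] != len(payload):
        return None                                      # TPKT length must cover the whole payload
    cotp_len = payload[4]                                # COTP header length, excluding this byte
    s7 = payload[5 + cotp_len:]
    if len(s7) < 11 or s7[0] != 0x32 or s7[1] != 0x01:   # S7comm protocol id, ROSCTR = Job
        return None
    param_len = struct.unpack(">H", s7[6:8])[0]
    if param_len < 1:
        return None
    return S7_FUNCTIONS.get(s7[10], f"unknown_0x{s7[10]:02x}")

def classify(events, allowed_writers):
    """events: iterable of (src_ip, payload). Returns one alert per state-changing
    S7 job whose source host is not allowed to write to the PLC."""
    alerts = []
    for src, payload in events:
        func = parse_s7_job(payload)
        if func in STATE_CHANGING and src not in allowed_writers:
            alerts.append({"src": src, "function": func})
    return alerts

def build_job(func_code: int) -> bytes:
    """Constructed test frame: TPKT + COTP data TPDU + minimal S7comm Job with one parameter byte."""
    s7 = bytes([0x32, 0x01, 0x00, 0x00]) + struct.pack(">HHH", 0x0001, 1, 0) + bytes([func_code])
    body = bytes([0x02, 0xF0, 0x80]) + s7
    return bytes([0x03, 0x00]) + struct.pack(">H", 4 + len(body)) + body

# Constructed sample traffic: an HMI that is allowed to write, and an unknown host that is not.
ALLOWED_WRITERS = {"10.0.1.20"}
SAMPLE_EVENTS = [
    ("10.0.1.20", build_job(0x04)),         # HMI polling process values: normal
    ("10.0.1.20", build_job(0x05)),         # HMI writing a setpoint: allowed host
    ("10.0.9.77", build_job(0x29)),         # PLC stop from an unexpected host: alert
    ("10.0.9.77", b"GET / HTTP/1.0\r\n"),   # not S7comm, ignored by this detector
]

def run_sample():
    return classify(SAMPLE_EVENTS, ALLOWED_WRITERS)
```

In a real deployment the allowlist would be derived from the plant's asset inventory and the events from a network tap on the automation network; the logic above is the per-packet check, not a complete IDS.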

[1] Radu Motspan, Alexander Korotin and Gleb Gritsai, “On the insecure nature of turbine control systems in power generation”, 36th Chaos Communication Congress (36C3) in Leipzig

[2] Henry Hui and Kieran McLaughlin, “Investigating Current PLC Security Issues Regarding Siemens S7 Communications and TIA Portal”, 5th International Symposium for ICS & SCADA Cyber Security Research 2018 (ICS-CSR 2018)


This project has received funding from the European Union’s Horizon 2020 research and Innovation programme under grant agreement N°832989. All information on this website reflects only the authors’ view. The Agency and the Commission are not responsible for any use that may be made of the information this website contains.
