Russian Energy Sector Cybersecurity in the Age of Digitalization
Digitalization, or digital transformation, is a new basic step of socio-economic development. The ideas and potential of digitalization are so attractive that the national program "Digital Economy of the Russian Federation" was developed and approved in 2018.
By Pavel Litvinov, Vladimir Karantaev, Sergey Nesterov
The implementation of the national project includes activities in the following areas: legal regulation, skilled staff, digital technologies, information infrastructure, information security and digital government. All of them, with the exception of the last one, have a direct impact on the energy industry. For information security, the main goal is stated as: "ensuring information security based on domestic developments in the transmission, processing, and storage of data that guarantees the protection of personal, business, and government interests."
Now let's look at digitalization from the point of view of technology development. For the purposes of modeling operational activities, the electric power industry can be considered at the intersection of industry and logistics. Previously, the principle that electricity could not be accumulated was added to this, but with the improvement of electricity storage technologies, hydrogen energy development, and electric transport, the possibility of warehouse storage of ‘products’, in the role of which electric energy or hydrogen acts, is growing. Therefore, all the components of the Industry 4.0 concept are reflected in the electric power industry:
- Internet of Things will be actively used by customers and prosumers;
- Smart enterprise is the management of production activities and assets;
- Internet of services means new services and methods of sale. Russia's largest energy company, ROSSETI, plans to increase the share of the non-tariff factor in total revenue from 2 to 20% by 2030;
- Cyber-physical systems will become the leading architectural basis of industrial control and control systems.
All these processes and technologies, unfortunately, increase the potential ‘attack surfaces’. The number of ‘attack vectors’ grows significantly faster than linearly over time. In 2017, the authors built a simulation model to forecast the long-term growth of the industry's vulnerability to cyber threats [1]. This system dynamics model, based on a number of assumptions, has after 5 years forecast the observed state well.
Let's briefly describe the specifics of the Russian Federation:
Three domestic companies working in the field of information security are known all over the world and their solutions in the field of antivirus protection and SIEM systems significantly increase resistance to threats.
A big role is played by the Government Security SOC/CERT Service (hereinafter – GOSSOPKA). This project created the government system for detecting, preventing and eliminating the consequences of computer attacks on information resources, and the system is constantly being developed. All critical information infrastructure subjects must be connected to GOSSOPKA.
Russia is one of the few countries in the world that has its own school of cryptography and a full range of national standards and solutions in this area.
The Federal Service for Technical and Export Control keeps the "Threat and Vulnerability Data Bank" up to date (Table 1). This publicly available resource (https://bdu.fstec.ru) improves awareness of existing threats to information security in information and automated systems.
Year / numbers | 2015 | 2016 | 2017 | 2018 | 2019 | 2020 |
---|---|---|---|---|---|---|
Added types of threats | 182 | 12 | 13 | 6 | 3 | 6 |
Updating | | | | | 210 | 12 |
Table 1 - The number of added and changed threats in the database by years
When it was created, the database held 182 descriptions of various types of information security threats. Mass uploading and editing of records was carried out in 2019, and the total number is currently 222. Among the records made last year is "The threat of using a compromised trusted source of software updates". It was in this way that hackers, through an attack on SolarWinds, were able to introduce a backdoor to access the computer networks of numerous clients using the Orion Platform software [2].
It can be noted that the need for technical, organizational and educational measures is no longer in doubt either among the staff or among industry leaders, but we need to be ready for the next round of confrontation for the following reasons:
Digitalization
In some high-risk systems, technical regression options are being seriously considered. One example is the transition from high-level protocols to the transmission of data and commands over dedicated copper lines inside a protected perimeter. For the entire industry, taking into account the reasons listed in the first chapter, this is a dead-end path.
Remote control and remote work
Last year, with the beginning of the COVID-19 epidemic, a new challenge was added to the economically reasonable transition to a larger number of facilities without the constant presence of staff and maintenance personnel: the need to transfer key personnel to remote work.
Increased number and complexity of cyber attacks
Hacker groups gradually switched from attacks on financial organizations, in which they could directly steal money, to industrial enterprises, from which they demand a ransom. Training staff to resist social engineering methods remains a separate task.
Budget constraints
Profitability in the electric power industry is less than that of banks and insurance companies, and the industry cannot afford extremely expensive projects. This applies both to the choice of technical solutions and to the hiring of employees responsible for information security.
According to the authoritative opinion set out in The Global Risks Report 2021 [3], cybersecurity failure ranks ninth in the top 10 risks by probability and is among the six global technological risks.
What modern ideas can be proposed for the transition to a new level of information security, taking into account new risks and remaining restrictions?
Training – using micro-learning techniques
To a large extent, information security depends on daily, routine compliance with the rules and regulations of organizational and technical measures in this area. After each incident, these rules are updated, and these changes must be clearly communicated to all employees of the company. Micro-training methods are growing in popularity, especially with the use of virtual and augmented reality technologies; they have proven their effectiveness and can be recommended in all situations when a large number of people need to be trained in a short time.
Monitoring – calculation of Common Vulnerability Scoring System (CVSS) metrics according to the recommendations [4]
The degree of cyber security and the risks of cyber threats are constantly evolving. Therefore, the calculation of metrics using the CVSS calculator should be performed on a regular basis. In practice, this produces matrices of too large a dimension. To move to integral indicators suitable for making management decisions, it is effective to use matrix factorization techniques with subsequent dimensionality reduction.
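The reduction described above, as an added example that is not the authors' code: a matrix of CVSS base scores per asset is factorized and each asset is reduced to one integral indicator. The article names no specific technique, so principal component analysis by power iteration is used here as an assumption, and the asset names and scores are constructed.

```python
import math

# Constructed sample (illustrative values, not from the article): rows are assets,
# columns are the highest CVSS v3.1 base score found per system class.
ASSETS = ["substation-A", "substation-B", "control-center", "metering-hub"]
SCORES = [  # columns: RTU, HMI, VPN gateway, historian, engineering workstation
    [9.8, 7.5, 8.1, 6.5, 7.8],
    [5.3, 4.3, 6.1, 3.7, 5.0],
    [7.5, 8.8, 9.1, 7.2, 8.6],
    [3.1, 2.7, 4.0, 2.2, 3.5],
]

def center(matrix):
    """Subtract each column mean so the factorization captures variation between assets."""
    means = [sum(col) / len(matrix) for col in zip(*matrix)]
    return [[v - m for v, m in zip(row, means)] for row in matrix]

def project(centered, v):
    """Score of each row along direction v (the matrix-vector product X v)."""
    return [sum(x * w for x, w in zip(row, v)) for row in centered]

def leading_component(centered, iterations=200):
    """Power iteration on X^T X: unit loading vector of the first principal component."""
    d = len(centered[0])
    v = [1 / math.sqrt(d)] * d
    for _ in range(iterations):
        p = project(centered, v)
        nxt = [sum(row[j] * pi for row, pi in zip(centered, p)) for j in range(d)]
        norm = math.sqrt(sum(c * c for c in nxt))
        if norm == 0:  # all assets identical: nothing to separate
            return v
        v = [c / norm for c in nxt]
    return v if sum(v) >= 0 else [-c for c in v]  # orient: higher scores raise the indicator

def integral_indicators(matrix):
    """Return (one indicator per asset, share of total variance that indicator keeps)."""
    centered = center(matrix)
    scores = project(centered, leading_component(centered))
    total = sum(x * x for row in centered for x in row)
    kept = sum(s * s for s in scores) / total if total else 1.0
    return scores, kept

def rank_assets(names, matrix):
    scores, _ = integral_indicators(matrix)
    return [n for _, n in sorted(zip(scores, names), reverse=True)]

if __name__ == "__main__":
    print(rank_assets(ASSETS, SCORES), integral_indicators(SCORES)[1])
```

In this sample, substation-A holds the single highest score (9.8), yet control-center ranks first on the integral indicator because its exposure is high across every system class; the retained-variance share shows how much information the single number preserves.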
Creation of immune nodes
The architecture of modern information communications of energy companies is moving from the classical hierarchical model to the network-centric one. A large number of connections improves reliability and efficiency, but increases the risk of spreading computer viruses. In a similar way to how a vaccine works during an epidemic, the emergence of network nodes that are much more resistant to hacking helps slow down and sometimes stop an attack on the network and makes recovery easier. The solution is to put into practice the concept ‘secure by design’.
In conclusion, we would like to note that in the electric power industry, as in other areas, digitalization offers new opportunities and new problems in the field of information security. The authors believe that they will be successfully solved, in particular thanks to the great attention paid to the topic of information security in CIGRE.
- [1] Pavel LITVINOV, Sergey NESTEROV, “Simulated modelling for EPU, as a tool for assessing the actual vulnerability against cyber threats and for cost-effective cyber security planning”// STUDY COMMITTEE D2, 2017 Colloquium, Moscow
- [2] Wikipedia, “2020 United States federal government data breach”, URL: en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach
- [3] “The Global Risks Report 2021”, 16th Edition, World Economic Forum, 2021
- [4] FIRST.Org, “Common Vulnerability Scoring System version 3.1”, Specification Document, Revision 1, URL: www.first.org/cvss/