
Post on 27-Apr-2020

Cyber security and critical infrastructure; the main focus is in electricity systems

Jouni Pöyhönen

JYU. Since 1863. 18.12.2017

This presentation includes:
• Cyber operating environment
• Energy systems and other critical infrastructure
• Electric power system
• Opportunities and threats
• The consequences of power failure
• Complex systems
• Soft Systems Methodology (SSM)
• IT and industrial automation systems
• Measures increasing an electricity company’s cyber trust
• Case of Ukraine

Cyber operating environment

Hybrid threats:
• Information operations
• Cyber-attacks

Dependence on the various digital networks and their services.

- Artificial intelligence
- Robotics
- Automation
- IoT
- Digitization of work

Convergence of evil

Security by Design
Cyber Politics
Cyber Security Culture

Dark Net

(Lehto, 2017)

Example of interdependence between energy systems and other critical infrastructure (CI).

(Yusta et al. 2011)

CI in my research:
• Energy/electricity
• Communications
• Water service
• Food chain
• Health care
• Banking and finances
• Logistics

Electric power system

(Lewis, 2015)

Opportunities, “The Future of Jobs”

(World Economy Forum, 2016).

Opportunities, but also threats

(Symantec, 2017) (BBC, 2017)

The consequences of power failure

| Interruption time | Consequences |
|---|---|
| 1 second | Sensitive industrial processes may stop. Data in information systems may be lost. |
| 1 minute | Some industry and hospital processes will stop. |
| 15 minutes | Shops will be closed. The failure may harm people’s daily activities and cause traffic delays. |
| 2–3 hours | Industrial processes may undergo significant damage. Mobile phone networks will face problems. Domestic animal production will be disturbed. |
| 12–24 hours | Water supply to homes and offices will stop. Buildings will start to become cold in the winter. Frozen goods will begin to melt. |
| Several days | The operations of society will be seriously harmed. Industry and services will not function. Workplaces and schools will be closed. Buildings will suffer from frost damage. |

(Kananen, 2013)

Complex systems

Smart cities, megaprojects, power and data grids, ecosystems, communication and transport networks are all complex systems. They generate rich interactions among components with interdependencies across systems. This interdependent behavior creates challenges for designing and managing complex systems. Complex systems are composed of numerous diverse interacting parts, making them susceptible to unexpected, large-scale, and apparently uncontrollable behaviors. Small changes can generate large, amplified effects. For example, a single malfunction in a local substation can lead to cascading state-wide electricity grid failures.

(The University of Sydney, 2017).

Soft Systems Methodology (SSM)

(Checkland, 1981).

The structure of a company’s logistics framework and common IT and industrial automation systems

(Bowersox et al 1986, Knowles et al 2015, adapted)

Management in organisation; Design, control and improvement of process performance

(SFS ry. 2016).

Measures increasing an electricity company’s cyber trust

Ukraine Attack Consolidated Technical Components

Figure:
• Spear phishing to gain access to the business networks of the oblenergos
• Identification of BlackEnergy 3 at each of the impacted oblenergos
• Theft of credentials from the business networks
• The use of virtual private networks (VPNs) to enter the ICS network
• The use of existing remote access tools within the environment or issuing commands directly from a remote station similar to an operator HMI
• Serial-to-ethernet communications devices impacted at a firmware level
• The use of a modified KillDisk to erase the master boot record of impacted organization systems as well as the targeted deletion of some logs
• Utilizing UPS systems to impact connected load with a scheduled service outage
• Telephone denial-of-service attack on the call center

E-ISAC, 2016

At the end

• Based on the results of my research entity, the concept of national critical infrastructure can be simplified in accordance with Figure. An electricity company can position its own strategic role and identify its operation as part of an entity whose other parts depend on a reliably functioning electrical network. This also facilitates the identification of cyber dependencies within the services of the service layer so that they can be secured with the most efficient and practical measures.

• Figure. Simplified composition of critical infrastructure:

Thank you for your attention

jouni.a.poyhonen.jyu.fi

References

BBC (2017). Ukraine power cut 'was cyber-attack'. http://www.bbc.com/news/technology-38573074

Bowersox D., Closs D., Jessop D., Jones D., (1986). Logistical Management, New York, John Wiley & Sons, Ltd.

Checkland P. (1981). Systems Thinking, Systems Practice. Chichester, West Sussex, UK,

Electricity Information Sharing and Analysis Center. E-ISAC. (2016). Analysis of the Cyber Attack on the Ukrainian Power Grid. Defense Use Case, March 18, 2016. [online document] https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

Kananen I. (2013). National Emergency Supply Agency. Sähköjärjestelmä yhteiskunnan toimivuuden perustana. Seminar presentation on 2 December 2013. [online document] http://www.fingrid.fi/fi/asiakkaat/asiakasliitteet/Seminaarit/K%C3%A4ytt%C3%B6varmuusp%C3%A4iv%C3%A4/2013/K%C3%A4ytt%C3%B6varmuusp%C3%A4iv%C3%A4%20021213%20Kananen.pdf

Knowles W., Prince D., Hutchison D., Ferdinand J., Disso P., Jones K. (2015). A survey of cyber security management in industrial control systems. International Journal of Critical Infrastructure Protection 9.

Lehto M., Limnéll J., Innola E., Pöyhönen J., Rusi T., Salminen M., Suomen kyberturvallisuuden nykytila, tavoitetila ja tarvittavat toimenpiteet tavoitetilan saavuttamiseksi, Valtioneuvoston selvitys- ja tutkimustoiminnan julkaisusarja 30/2017, 17. helmikuuta 2017. Lehto M. Tutkimustulosten esittelymateriaali, Valtioneuvoston kanslia 20.2.2017.

Lewis T. (2015). Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation. Second Edition.

SFS ry. (2016). Johdanto laadunhallinnan ISO 9000 –standardeihin. www.sfsedu.fi/files/126/ISO_9000_kalvosarja_oppilaitoksille_2016.ppt

Symantec (2017). Dragonfly: Western energy sector targeted by sophisticated attack group. https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks

The University of Sydney (2017). Courses_Master of Complex Systems. https://sydney.edu.au/courses/courses/pc/master-of-complex-systems.html

World Economy Forum. (2016). The Future of Jobs: Employment, Skills and Workforce Strategy for the Fourth Industrial Revolution. [online document] http://www3.weforum.org/docs/WEF_FOJ_Executive_Summary_Jobs.pdf

Yusta J. M., Correa G. J., Lacal-Arántegui R. (2011). Methodologies and applications for critical infrastructure protection: State-of-the-art. Energy Policy, Volume 39, Issue 10, 2011, 6100–6119. [online document] http://dx.doi.org/10.1016/j.enpol.2011.07.010