Systemic risk: electric sector in the hot seat
The explosion of a transformer left the state of Amapá without power last November. Could an incident like this be caused by a cyber attack?
The causes of the accident at the Macapá Transmissora de Energia (LMTE) substation, which occurred on November 3, 2020 and left the state of Amapá in the dark for 22 days, are still being investigated. Without the conclusion, it is speculation to state categorically what caused the short circuit in the transformer.
For the complete reestablishment of supply, a true war operation was necessary with the arrival of two 200-ton pieces of equipment by ferry and road.
The episode exposed some weaknesses. The incident involved a series of errors such as the lack of redundancy planning and the scrapping of equipment that makes up the electrical system in the north of the country. But could a cyber attack also take a substation out of operation? According to industry experts, the answer is yes. And how to guarantee reliability if in the National Interconnected System (SIN) equipment with a high degree of digitalization coexists with others installed over 30 years ago?
To understand the complexity of the System and how it is possible to shield electrical structures against cyber risks, TI Safe News spoke with Claudio Hermeling, who until November 2020 acted as Technical Coordinator of the Cybersecurity Commission for Copel GeT's Operation Networks and representative of company in cyber security groups ABRAGE (Brazilian Association of Electricity Generation Companies) and ABRATE (Brazilian Association of Electricity Transmission Companies).
TI Safe News: What is the risk of cyber attack taking into account the automation of equipment in the Interconnected System?
Claudio Hermeling: Many researches point to the growing trend of cyber attacks on critical infrastructures, mainly in the electricity sector. This growth is related to the digitalization of equipment, which can add vulnerabilities and increase the surface of attacks. This digitization is not always associated with security investments for the installations, increasing the risk and the challenges.
The risks that we must consider range from theft of data, going through changes in systems that can compromise the billing of companies and can damage equipment and even generate unavailability in the supply of electricity.
Other risks that we must consider are the lack of training of the teams in the subject of cybersecurity for critical networks and the non-observance of security requirements in new automation projects.
We cannot fail to note that some automation projects do not replace equipment and maintain outdated or obsolete systems. These legacy systems represent potential risks that need extra attention.
TI Safe News: What are the consequences that a cyber attack could lead to the Brazilian Electricity System?
Claudio Hermeling: Due to the interconnection of the electrical system, a cyber attack can multiply the damage and cause a blackout, compromising one or more regions of the country, such as what was observed in the attack in Ukraine.
Brazil has already suffered, for several days, from the lack of electricity supplies due to equipment failures. Organized attack actions could extend to compromised areas, making it difficult to restore supply and causing massive financial losses and a high risk of compromising the security of the general population.
Although there are studies on the financial impact of a blackout, it remains difficult to measure the recovery time and any impact that would be caused to the population and the industrial sector.
TI Safe News: How is it possible to protect the entire system from intrusion?
Claudio Hermeling: Brazil has a huge area and in each state one or more energy companies are responsible for the generation, transmission and distribution of electricity. It is difficult to guarantee protection for the entire system, since this protection depends on actions in all companies that make up the national electricity system. Regardless of the size or the strategic assessment of each installation, actions are needed to assess and mitigate possible deviations that could compromise the entire network of each company.
Unfortunately, Brazil does not yet have its own rules for cybersecurity in the electricity sector. Each company adopts a policy already consolidated in other countries and adapted to the reality of Brazil or policies and procedures developed internally.
I believe that to protect the electricity sector as much as possible some basic actions need to take place, among which I could mention:
Creation of national policies for the electricity sector;
Increased awareness in companies on the subject of cybersecurity;
Specialized cybersecurity training for teams working in the operational networks;
Better risk analysis in companies;
Constant monitoring of networks and processes, in order to prevent incidents;
Greater investment in cybersecurity for facilities.
Currently, Brazil has companies specialized in information security for operating networks, which can assist in the activities necessary to mitigate the security flaws in these networks, perform monitoring and protect connections.