The electricity sector is preparing for a stressful winter, and the French government is already preparing businesses and individuals for the risk of blackouts on the coldest days. All this against the backdrop of the geopolitical crisis with Russia. Does this make a perfect breeding ground for cyberattacks? Whether they are motivated by strategic objectives or simply by the lure of profit, malicious actors take advantage of their victims' moments of weakness whenever they can.
But on the side of EDF, France's largest energy supplier, the message is reassuring. First, the company is continuously preparing to deal with a very wide range of attack scenarios. Second, the rise of state threats (the famous APTs of the jargon) flagged by the entire industry does not unduly worry it. "At the end of last winter, we wondered whether the geopolitical situation in Ukraine would generate an upsurge in the number of attacks against our sector. We see a posteriori, a year later, that there has been no significant growth in the number of attacks linked to these environments," EDF's director of cybersecurity, Olivier Ligneul, told La Tribune during the Cybersecurity Conference. Before adding: "but that doesn't mean we don't remain vigilant."
The electricity sector, "essential to the survival of the nation"
Since the military programming law of 2013, many companies in the energy sector have been designated operators of vital importance (OIV). Their identity remains confidential, but EDF is certainly one of them, because they are "essential to the survival of the nation". This state-assigned status imposes a whole list of advanced cybersecurity standards and practices, and gives access to privileged links with the authorities.
This framework has since been constantly strengthened, in particular by the European Network and Information Security (NIS) directive, whose second version has just been voted. But the need to protect the sector was taken into account long before regulation. "Since the creation of Anssi [in 2009], even before OIV status, energy was a priority sector, for the simple reason that if the system fails, the cascading consequences would be immense," Anssi director Guillaume Poupard summarizes for La Tribune. Safety problems of all kinds, breaks in the cold chain, cuts to communications and vital services… An unforeseen outage is the most nightmarish disaster scenario.
"Since the energy environment is critical, in addition to being one of the most targeted sectors, we already have very high vigilance and permanent cybersecurity means, 24 hours a day, 7 days a week," tempers Olivier Ligneul. But he also recalls the basic adage of cybersecurity: zero risk does not exist. Alongside the strengthening of its protections, the company has therefore focused in recent years on improving its resilience, that is to say its action plans in the event of a successful attack. The objectives: to have an effective temporary solution in the event of an outage, and a method to return to normal as quickly as possible.
Rare but spectacular failures
Thanks to the industry's attention to the problem, large-scale power outages caused by cyberattacks number only in the dozens globally over the past 40 years, as Numerama points out. But they are no less spectacular. The example that has most marked the industry dates from 2010: a computer worm called Stuxnet, presumably developed by the United States and Israel, shut down Iran's Natanz nuclear power plant and caused a power outage in the region. Tailor-made to hit this kind of infrastructure, the malware targeted a system in charge of the proper operation of the plant's centrifuge motors. Unbeknownst to the employees, the attackers abruptly changed the speed of the centrifuges on several occasions… until they damaged them, thus causing the dreaded "blackout". It was the first time that a cyberattack against industrial systems reached this scale.
After several months of analysis, the computer worm proved to be very complex: Stuxnet exploited a chain of four so-called "zero day" flaws in Windows, that is, flaws unknown to the software's publisher (here Microsoft) and for which no patch exists. In the world of hackers, this kind of vulnerability can sell for several hundred thousand or even millions of euros, because it drastically increases the chances of success and the discretion of attacks. But even if their tool took advantage of an unprecedented flaw, the attackers still had to find an entry point into the plant's information system: two double agents were therefore responsible for plugging an infected USB key into a computer within the organization, thereby opening the door to the computer worm. Finally, the malware had to escape detection, and here again, Stuxnet carried an unprecedented camouflage method.
This historic episode therefore does not represent the average level of threat, but it did expose the extreme level of sophistication that cyberattacks can reach. After Stuxnet, other less virulent viruses succeeded in paralyzing power plants for a handful of hours, in particular that of the Ukrainian supplier Ukrenergo in 2015. Conversely, some software capable of destroying infrastructure hardware has been discovered, but stopped before causing damage.
All cyber threats to manage
One of the main constraints on energy suppliers like EDF is that they must protect both industrial environments (OT in the jargon) and traditional IT environments. Concretely, power stations and other production plants are full of specific machines, produced by highly specialized manufacturers. Not only can these devices carry a high level of software complexity, they are also generally harder to modify or repair in the event of a problem. In addition, they generally remain in production longer than the rest of the computer hardware (due to their cost), which can cause problems with updates.
"These networks not only pose technological challenges, they also pose challenges in terms of governance, organization and responsibility," sums up Dagobert Lévy, Vice-President Southern Europe of Tanium. Bernard Montel, European CTO of cybersecurity firm Tenable, adds: "On IT, it is easy to have backups to restart in the event of an incident. But on the OT, if the network is damaged by a ransomware for example, it's an oil spill, you have to redo everything by hand."
While industrial hardware is a particularly difficult point of attack to manage, it is only one of many available to malicious actors. For example, the Linky meters, at the end of the chain, are also an obvious target for cyberattacks. They have also been designed to withstand them as well as possible. More generally, any computer can be the gateway to a major attack.
EDF, with its 168,000 employees and the scope of its activities, must therefore protect a wide variety of information systems, ranging from nuclear power plants to the e-mail boxes of its various employees. To support this effort, approximately 300 people work on cybersecurity topics, and the company has doubled the number of employees in its SOC [security operations center, the central pillar of threat detection and analysis in large companies, editor's note] over the past three years. This effort cost it several tens of millions of euros in investments, or around 6% of the total budget of the information systems department (DSI), that is to say of its financial envelope dedicated to digital technology.
Great diversity of threats
Facing EDF, the threat landscape is well stocked. "We face the same threats as other companies, but we face them all at the same time," summarizes Olivier Ligneul. This Anssi (National Agency for the Security of Information Systems) alumnus divides them into four categories: attempts to sabotage industrial environments; ransomware, capable of encrypting machines and rendering them unusable, which affects all types of businesses; cyber espionage; and the "more diffuse and common" threat of data theft for personal gain. These threats do not target the same equipment, and do not have the same purpose or the same consequences.
Giants like EDF must also protect themselves from "side effects", that is to say indirect attacks. For example, if a provider's software no longer works due to a cyberattack, or if it is corrupted from the inside, the company's activity can be slowed down or even stopped. The company therefore has to be prepared for a wide range of attack scenarios. To determine which ones, EDF observes what is happening at its counterparts (the main French energy companies share information) in addition to its own indicators. The objective: a pragmatic approach, based on conditions on the ground and the most realistic attack scenarios.
From this study of the threat, the group tests its response to incidents large and small. "We regularly carry out exercises at group level, on all of our structures, to assess our ability to coordinate in the event of a successful large-scale attack. We have never faced this kind of situation until today, but it is an eventuality to consider in order to be sufficiently prepared," specifies Olivier Ligneul.
In a cat-and-mouse game with attackers, security teams try to gain an edge by identifying which systems are most targeted and which methods are most employed. Without letting their guard down. "We are careful to avoid overconfidence. We must remain humble to continue to understand the motivations and techniques behind each significant attack," concludes the executive, who intends to put all the chances on his side to get through the winter without incident.