Cyber security in Operational Technology

Adéla Procházková

22 Nov 2021

As the world becomes increasingly digitized, so too does the power generation industry. The industry is becoming more and more ‘online’ as consumers demand more from their power generation suppliers. Historically, power was generated, supplied, and used in a relatively simple (and one-way) fashion. Systems were constructed as isolated solutions, or were at least ‘air-gapped’ from the internet. These systems were guarded by what’s been called a ‘security by obscurity’ system – meaning they weren’t vulnerable because they weren’t seen.

However, with increasingly sophisticated consumers, ‘smart grid’ programs such as demand response and spot price dispatch, and even something as simple as online billing, the need for connectedness, and the need for data is what is now driving the power generation industry. This data requires remote access and along with remote access comes cyber security vulnerability.

Along with the increasing connectedness and the progressively data-driven power generation industry come expanding vulnerabilities in power generation systems. Criminals, politically motivated (or even state-sponsored) hackers, and cyberterrorists are increasingly targeting power generation infrastructure due to the vulnerable nature of power generation systems, and the severe impact loss of power has on our way of life. Whether it be due to insecure IT systems, outdated or poorly maintained equipment, or even the assumed ‘security by obscurity’ principle mentioned earlier, power generation systems are susceptible to intrusion.

One such event took place on December 23rd, 2015. There was a cyber-attack on three power companies in Ukraine. This was a revolutionary event for the power generation industry as it was the first known cyber attack on an electricity grid’s operations. This cyber-attack left more than 225,000 customers without power for over six hours. But more importantly, the attack disrupted SCADA systems within the power companies, which in some cases took over a year to fix.

Systems are getting smarter, but so are cyber-attackers, which means power generation operators need to keep up to date with the latest in security to ensure that their systems are not compromised.

When cyber-security is mentioned, it is usually thought of as an IT problem involving servers, network communications, and mobile devices. These systems are updated regularly and have vulnerabilities patched. However, as with the Ukraine attack, it is increasingly the OT, or operational technology, that is the main vulnerability in power systems ready for exploitation by hackers. Operational technology in power generation includes any of the systems used to manage, monitor, control and transmit power. These OT systems are usually made up of older devices that are complicated and expensive to replace, or legacy systems which have been in place for 10-20 years. These legacy systems, in combination with IT hacks, can lead to power generation systems becoming vulnerable to attacks.

Providing cyber-security for industrial control systems presents several unique challenges, including:

  • lack of security in engineering protocols or in the OT technology itself
  • the need to retest systems after upgrades – which in power generation, is difficult
  • long equipment lifecycles (20 or more years for certain equipment)
  • OT devices typically have far fewer resources than IT devices, which makes it difficult to apply standard measures known from the IT sector
  • the addition of many IT protocols to the engineering environment
  • devices may not be set up to receive or respond to messages from standard IT debugging and analysis tools

This is in addition to the usual IT cybersecurity vulnerabilities – including the biggest weakness of all: human users. A company can build secure IT and OT infrastructure, but it will still be vulnerable due to the staff tasked with using, monitoring and maintaining the system. Something as simple as clicking on a link in a malicious email can let hackers infiltrate a system and load malware into it – which is what happened in the Ukraine example.

The ISA-62443-1-2009 Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program [2] recommends that any business with OT systems focus on four key areas when evaluating OT systems for security vulnerabilities.

Key areas to think about regarding cybersecurity

1. Consequences

What are the possible negative outcomes in a cyber-attack to your organisation?

In a power generation organisation, the negative outcomes are clear – loss of power for customers. Then there are the negative outcomes for your customers, which may lead to legal action or more.

2. Threats

What is the threat environment in which your organisation operates?

Power stations and other power infrastructure sites are increasingly becoming targets for hackers because of the potential damage loss of power can cause, not just to the power station itself, but to hospitals, datacentres, traffic control and other essential services that they can take off the grid and exploit in a coordinated attack.

3. Recovery

What is the cost of recovery from a cyberattack? How long would it take?

In the Ukraine example, power was restored within a matter of hours. However, it took almost a year to ensure the security of their network again. It is not just the issue of getting the power restored that is important in recovery from a cyber-attack in power generation. There is also the reputational harm to the organisation to be considered.

4. Investment

What is the cost for OT upgrades and cybersecurity protocols?

The cost to upgrade or replace OT equipment can be high, but on the other hand, the cost of repairing systems and reputations after a cyber-attack is much higher.

ComAp designs and manufactures OT equipment for the power generation industry. The remote monitoring of ComAp products allows our customers to save time, save money, and provides reliable data for making crucial business decisions. However, these advantages require our products to be connected to the internet. Security has always been a focus at ComAp, so our customers can rest assured ComAp always has and always will take the security of customers’ data and equipment seriously.

ComAp's key principle: Security by design

When we are developing products at ComAp, we adhere to the principle of ‘Security by Design’. Security by design means that when we begin a new product development process, we start with the question “what are the requirements for cyber-security?”

As part of this process, we have developed five essential criteria for security:

  • Secured firmware - All new ComAp firmware is secured by encryption. This prevents any firmware from being uploaded into non-genuine or modified ComAp products. It also means that the controller will not accept any non-encrypted firmware when someone tries to upload it.
  • Encrypted communication - Communication through public networks (Ethernet, Internet, AirGate) is bidirectionally secured by CCS, a ciphering technology developed by ComAp. This proprietary ciphering technology is based on proven cryptographic algorithms; it has been audited by an external security audit company and has passed penetration tests successfully.
  • Protection against brute-force attack - ComAp’s controllers feature brute-force attack detection during the user authentication process. If an attack is detected, the control unit is gradually blocked by prolonging the time between individual attempts to sign in – similar to a mobile phone preventing a user from accessing the phone if the PIN is entered incorrectly too many times.
  • Reliable user authentication - ComAp controllers use authentication of unique user accounts, similar to the way cyber security systems in information technology work. All user access is logged, and any activity under a particular login is recorded. This secures tracking of all user activities in the control device but also enables highly flexible access rights management for controller administrators.
  • System security against data leakage - If an administrator loses access to the controller, a robust mechanism to retrieve the administrator access is used. This mechanism is based on a digital signature unique to the controller and requires double-factor authentication. Access can only be granted by ComAp. This prevents forgery and misuse by a non-authorised person.
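The progressive blocking described in the brute-force bullet can be sketched as follows. This is an added example, not ComAp's implementation: the class and function names, the three free attempts, the doubling delay and the 300-second cap are all assumptions chosen for illustration.

```python
import hmac


class LoginThrottle:
    """Per-account progressive delay. All parameters are constructed values."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=300.0):
        self.free_attempts = free_attempts  # failures tolerated before delays start
        self.base_delay = base_delay        # seconds, first enforced delay
        self.max_delay = max_delay          # cap so an account is never blocked forever
        self._state = {}                    # user -> (consecutive failures, blocked_until)

    def delay_after(self, failures):
        """Seconds to block the account after `failures` consecutive failures."""
        if failures < self.free_attempts:
            return 0.0
        doublings = min(failures - self.free_attempts, 32)  # bound the exponent
        return min(self.base_delay * 2 ** doublings, self.max_delay)

    def attempt(self, user, supplied, expected, now):
        """Return (status, wait_seconds); status is 'ok', 'denied' or 'blocked'."""
        failures, blocked_until = self._state.get(user, (0, 0.0))
        if now < blocked_until:
            # Inside the block window the secret is not even checked, so
            # guessing faster gains nothing and does not extend the window.
            return "blocked", blocked_until - now
        # Constant-time compare; a real device would compare salted hashes.
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            self._state.pop(user, None)  # success resets the counter
            return "ok", 0.0
        failures += 1
        wait = self.delay_after(failures)
        self._state[user] = (failures, now + wait)
        return "denied", wait


def simulate():
    """Replay a constructed guessing sequence against the hypothetical account 'operator'."""
    throttle, pin = LoginThrottle(), "4821"
    timeline = [(0.0, "0000"), (0.25, "1111"), (0.5, "2222"),  # three quick misses
                (1.0, "4821"),   # correct PIN, but still inside the block window
                (1.5, "3333"),   # window over, wrong again: delay doubles
                (3.5, "4821")]   # after the 2 s block, correct PIN is accepted
    return [throttle.attempt("operator", guess, pin, t) for t, guess in timeline]


if __name__ == "__main__":
    for status, wait in simulate():
        print(f"{status:8s} retry in {wait:.1f}s")
```

Because the delay is tracked per account, every blocked and denied attempt is also worth writing to the access log that the authentication bullet describes, so that a sustained guessing run is visible to administrators.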
For anyone using ComAp products we also have three main security recommendations:
  • Keep product firmware up to date

We update firmware for our products for various reasons, including updating to any new security protocols, to add new features or to fix any bugs that may have been identified.

We recommend that all our customers update their controllers’ firmware to the latest version as soon as practical for their application. The software updates are available on the products’ pages on our website. Installing the new firmware is easy, and our technical support department can provide any assistance you might need.

  • Change default passwords

All ComAp controllers have a default password. This default password should be changed immediately upon installation of the controller. Do not choose a password that is easily guessed. If you need help changing the default password, consult the product manual or contact ComAp’s technical support department.

  • Use multiple user accounts

We recommend using multiple accounts and giving each user the minimum level of access needed to perform their job functions. Individual login credentials also ensure that any actions or changes made while a user is logged in can be recorded and monitored.

Contact your local ComAp representative to see how ComAp products and services can help you maintain your power generation securely, whilst also giving you the flexibility to monitor and manage your equipment via the internet.
