On 20 February this year I had the opportunity to publish a guest post on the ICS Cyber Security blog. In the post, I deduced that there might be a connection, based on a case that at first sight seems far removed from cyber security – the 8 January split of the single European electricity system into two parts.
Over the last six months or so, the continental expert investigation into what happened has continued. The final report of the investigation, published on 15 July, revealed, among other things, the following:
- the current reading seen by the dispatchers was less than the actual reading, so the dispatchers may not have been aware that the load on the network element that was finally disconnected was actually close to the tripping limit, and
- while the SCADA polling times were correct, the alarm limit setting was not perfect.
Let’s examine these more closely!
Stuxnet showed more than 10 years ago that dispatchers can be fooled by spoofed process sensor signals!
During the attack, the rpm of the uranium centrifuges could vary between high and low values (causing them to fail) without the dispatchers having any idea.
Sub-optimal alarm trigger values may also have made it difficult for dispatchers to identify an emerging hazardous operating condition correctly and in time.
It cannot be claimed that these two factors were the direct cause of the system failure on 8 January. And the investigation has completely ruled out the possibility of a cyber attack.
However, both factors, if manipulated by an attacker during a potential attack (which, as we have seen, is not without precedent), can be said to significantly delay or reduce the chance that dispatchers will recognize the abnormal operating state caused by the attack, or the attack itself.
In fact, the first case also confirms that the protection of technology-enabled devices and systems and the guarantee of their integrity, as indicated in the previous post, may indeed be justified.
In the light of the above, there is no reason to reconsider the view expressed in the February post that even the failure of a single transmission network element – or causing such a failure as part of a cyber attack – could be the cause of a serious system disruption.
In addition, developments over the last year or so that have highlighted the growing vulnerability of the supply chain require increased attention. It is important to be aware that by exploiting these vulnerabilities, potential attackers may gain new means to cause a system disruption, e.g. by tampering with a critical element of the electricity network.
We welcome messages either agreeing or disagreeing with the above. For example, responding to them in a new post could start a substantive professional exchange of views.