This presentation, including any supporting materials, is owned by CIO Council Romania (ADTICR) and is for the sole use of the intended CIO Council Romania audience or other authorized recipients. This presentation
may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of CIO Council Romania
(ADTICR). © 2018 CIO Council Romania (ADTICR). All rights reserved.
Cyber threats to power grids
Yugo Neumorni, EMBA, CISA
Cybersecurity Council Chairman, EuroCIO
President, CIO Council Romania
CIO, Urgent Cargus
Yugo Neumorni
• Urgent Cargus, CIO (2019 – present)
• Hidroelectrica, CIO (2014 – 2019)
• Vimetco, CIO (2004 – 2014)
• Deloitte & Touche Central Europe, IT Manager (1998 – 2004)
• Board member EuroCIO (www.eurocio.org), 2017 -
• Chairman of Cybersecurity Council of EuroCIO 2018 -
• CIO Council President and co-founder (www.ciocouncil.ro) since 2009
• ISACA Romania President and Board Member 2007 – 2016. www.isaca.com
• EMBA, Asebuss - Kennesaw State University, 2007 - 2009
• CISA, Certified Information System Auditor, 2001, Budapest, Hungary
• CIO Council National Conference organizer (www.cioconference.ro)
• Gold Winner of the 2017 SAP Quality Awards, Fast Delivery category in CEE with Hidroelectrica.
• Speaker at international IT conferences
• Yugo Neumorni specializes in the reorganization, planning, design and implementation of complex
industrial IT environments for multinational companies. His areas of expertise include ERP (SAP)
projects, large-scale IT division reorganization and development, IT security & cyber, SCADA and
industrial control systems, IT audit and IT governance, business processes in energy, aluminum and
manufacturing, the COBIT framework and ITIL.
Agenda
• Power grid
• Smart Power Grid
• Anatomy of a cyberattack. APT
• Vulnerabilities inside SCADA/ICS environment
• Best practices. IDS pillar for Cyber Defense
• Conclusions
Romanian Power Grid
Collapse 1977
March 4th 1977: 7.2 Richter
earthquake, Romania
• 1,578 deaths, 11,300 wounded, 35,000
damaged buildings
• Total damages: 2 billion USD
May 10th 1977: Collapse of
national energy system
• Total damages: more than 5bn USD
Power grid
architecture
Tesla project Hawaii
• Our Society is Dependent upon Electricity
• Nuclear Power Plants Need Electricity for
Cooling
• Refrigeration
• Banking system
• Water & gas supply
• Riots
Could We Survive a Long-
Term Power Outage?
Power grid Outage.
Domino effect
• In the context of power grids a cascading
outage is a sequence of failures and
disconnections triggered by an initial
event, which can be caused by natural
phenomena (e.g., high wind, flooding or
a lightning shorting a line), human
actions (attacks) or the emergence of
imbalances between load and
generation. An outage that affects a
wide area or even the whole power grid
is also called “blackout” [1], and usually
occurs in a time-scale that is typically
too short to stop it by human
intervention.
• In this respect, most of the major
blackouts in power grids have been
generally caused by an initial event (for
instance, critical loads) that unchains a
series of “cascading failures” [2–7], with
very severe consequences
https://www.researchgate.net/figure/Modernized-algorithm-of-cascade-outages-development-in-power-network-with-DG_fig1_324590826
2003, New York blackout
• 225,000 people were left without power for approximately 6 hours on
December 23, 2015, in Ukraine.
• Spear-phishing schemes, malware, and manipulation of long-known
Microsoft Office macro vulnerabilities
• Collected the credentials to gain access to SCADA systems
• Virtual workstations inside SCADA systems that were trusted to issue
system commands
• Co-opting remote terminal units within SCADA systems to issue “open”
commands to specific breakers at substations
• Severing communications by targeting firmware in serial-to-Ethernet
devices
• Installing and running a modified KillDisk program that deleted
information on what was occurring while making recovery reboots nearly
impossible
• Shutting down uninterruptible power supplies at control centers
• Executing a large denial-of-service attack on utility call centers that
prevented customers from reporting outages
• Spear phishing is a targeted email that appears to be from a known
business or individual
Attacks on DSOs.
Ukrainian power grid attack
Photo: https://thehackernews.com/2016/01/Ukraine-power-system-hacked.html
Photo: https://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
Attacks on Bowman Avenue Dam, NY
• The attacker gained unauthorized access to the SCADA system and was
able to obtain information on operations, including water levels,
temperatures and the status of machinery
• hackers linked to the Iranian Government
• The attacker managed to reach the OT system without being
identified. In addition, he managed to access and manipulate the OT
system without raising any suspicion.
• Deficient peripheral cyber defenses for industrial control systems,
automation computers and Operational Technology (OT) at the dam
• Lack of effective real-time monitoring and responsiveness
• Lack of effective incident response measures
Attacks on TSOs / National Dispatch
Photo: https://www.energy-storage.news/news/proposal-for-2gw-of-ev-chargers-and-batteries-to-connect-to-uks-transmission
Power grid failures
Aurora Experiment 2007
“In 2007, an
American experiment
had shown that it
took just twenty-one
lines of code to
physically destroy a
power generator …”
Klimburg, Alexander.
The Darkening Web:
The War for
Cyberspace (p. 206).
Penguin Publishing
Group.
Photo: https://www.muckrock.com/news/archives/2016/nov/14/aurora-generator-test-homeland-security/
CIA plot led to huge blast in Siberian gas pipeline in 1982.
Myth or reality?
• 1982 the most monumental non-
nuclear explosion seen from space
• Soviets tried to steal hardware
embedded software for ICS
• CIA manipulated the software and
allowed it to be stolen
• First ever “logic bomb”
• Piece of code that had been
programmed to turn malicious that
massively increased the pipeline
pressure, eventually leading to the
explosion
• Story not officially confirmed
The Darkening Web – Alex Klimburg. Photo: amazon.com
Industry 4.0?
• We are living the 4th Industrial Revolution
• Humanity will change more in the next 20 years
than in the past 300 years (futurist Gerd
Leonhard)
• The world will have 50 billion connected devices
by 2020 (outdated)
• Internet is a platform of objects
• Smart city; Smart grid; Smart everything
• Smart electric Connected cars into Internet of
Things
• Flying drones; No more smartphones
• Smart clothes; Smart shelves; new shopping
experience
European energy system in figures
2015
https://setis.ec.europa.eu/system/files/integrated_set-plan/communication_energy_union_en.pdf
• Reliance: 94% of transport relies on oil products, of which 90% is imported
• Energy inefficient: 75% of our housing stock is energy inefficient
• Imports: EU imported 53% of its energy at a cost of around EUR 400 billion, which makes it the largest energy importer in the world
• Six Member States depend on a single
external supplier for their entire gas
imports and therefore remain too
vulnerable to supply shocks.
• Every additional 1% increase in energy
savings cuts gas imports by 2.6%.
• Collectively, the EU spent over EUR 120
billion per year – directly or indirectly – on
energy subsidies, often not justified.
• Over EUR 1 trillion need to be invested
into the energy sector in EU by 2020 alone
https://setis.ec.europa.eu/system/files/integrated_set-plan/communication_energy_union_en.pdf
THE WAY FORWARD
• Energy security, solidarity and trust
• A fully integrated European energy
market
• Energy efficiency
• Decarbonizing the economy
European energy system
• “Expanding and improving Europe’s energy networks will be vital for
Europe’s transition to a low-carbon economy. Smarter distribution
grids will be needed to integrate increasing amounts of decentralised
generation, electric vehicles and heat pumps into the network and
encourage consumers to actively manage their energy demand. This
will require additional investment in new infrastructure.”
• “According to figures from the International Energy Agency, the
investment needs in the European distribution network will amount to
480bn euros up to 2035.”
https://setis.ec.europa.eu/system/files/integrated_set-plan/communication_energy_union_en.pdf
Future Electric Power Grid
http://l-it.hu/hir/Megujulo_es_takarekos_-_Energiatakarekos_Magyarorszag
Future Smart Power Grid
• Mix of Information and Communication
technologies with Power system technology
• Real-time, two-way communications
throughout the grid
• Intelligent devices continually interacting with
each other creating an enterprise-wide
information system
• Allow utilities to understand, optimize, and
regulate demand, supply, costs, security and
reliability
• Grids are "smart": they don't only transport
electricity but also information
Future power grid concepts and challenges
• Power is no longer fully generated from
centralized and conventional thermal power
plants. It is increasingly produced from variable
renewable sources connected at distribution level.
• Distribution system operators (DSOs) and
suppliers are no longer the only players serving
consumers. With the liberalization of end-user
markets, new players (ESCOs, aggregators,
technology companies, etc.) have progressively
entered markets, competing to offer services to
consumers.
• Many consumers are no longer passive recipients.
On the contrary, they are becoming
more active and are increasingly interested in
value-added services beyond energy.
Check Point Security Report 2018
• 97% of organizations are using outdated cyber security technologies
• 64% of organizations have experienced a phishing attack in the past year
• 59% of companies consider ransomware to be their biggest threat
• 24% of companies have experienced a DDoS attack
• 32% of government offices were victim to a data breach in the past year
• 300 apps in the Google Play store contained malware and were downloaded by over 106 million users
• 100% of all businesses have had a mobile malware attack
• 82% of manufacturers have experienced a phishing attack in the past year
• 94% of companies expect attacks on mobile devices to increase
• 77% of IT professionals feel their security teams are unprepared for today’s cyber security challenges
https://www.checkpoint.com/downloads/product-related/report/2018-security-report.pdf
Cyber attacks on oil and Energy
http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
Case: Dragonfly/HAVEX - 2013
• Where: U.S. and Europe
• Target system:
• power grid and petrochemical asset owners
• devices on TCP ports 44818 (Omron, Rockwell Automation), 102
(Siemens) and 502 (Schneider Electric)
• Attack vector: vendor websites and spear phishing in the
form of e-mails with PDF attachments
• Impact: > 2,000 sites (1,000 energy companies in 84
countries)
• Key facts:
• leveraged legitimate functionality in the OPC protocol to map out
industrial devices
• no physical disruption or destruction of the industrial process
Case: Sandworm/BlackEnergy 2 - 2014
• Where: U.S. and Europe
• Target system:
• power generation site owners / operators
• large suppliers and manufacturers of heavy power related materials
• HMI applications including:
• Siemens SIMATIC WinCC (V7.0, V7.2, V7.3) PCS 7 (V7.1, V8.0, V8.1), TIA Portal V13
• GE CIMPLICITY Version 8.2 with SIM 23 and prior
• Advantech WebAccess
• Attack vector: phishing campaign/ known or 0-day vulnerability in Microsoft Windows
• Impact: multiple systems of NATO, European Union, and energy sectors
• Key facts:
• Advanced Persistent Threat Toolkit to develop modular malware;
• capabilities to attack ARM and MIPS platforms, scripts for Cisco network devices, destructive
plugins, certificate stealer and more
Norsk Hydro held hostage by a ransomware attack
• Norsk Hydro has suffered a huge blow as its operations
across Europe and the U.S have been affected by a cyber
attack.
• The company has confirmed that a ransomware has taken
hold of their systems and compromised
its cybersecurity framework.
• Norsk Hydro has called the situation “quite severe” and
plans to restore its systems using backup data
Did not pay the ransom
Norsk operated on manual
Norsk restored from backups
CYBERATTACK ON A GERMAN STEEL-MILL
In late 2014, a German steel mill
was the target of a cyberattack
when hackers successfully took
control of the production
software and caused significant
material damage to the site.
https://www.sentryo.net/cyberattack-on-a-german-steel-mill
• The attackers first hacked into the office software network of the industrial site;
• Starting from this network they then penetrated the production management software of the steel mill;
• From there they took over most of the plant’s control systems;
• Once in control, they methodically destroyed human machine interaction components. They succeeded in
preventing a blast furnace from initiating its security settings in time and caused serious damage to the
infrastructure.
Anatomy of a cyberattack. APT
Motivation for an attack:
• State-Sponsored Actors;
• Cyberterrorists
• Cybercriminals
• Hacktivist
Chart: Motivation. Legend: Ransom, Insider threat, Political reasons, Competition, Cyberwar, Angry users, Unknown. Values as listed: 41%, 27%, 26%, 26%, 24%, 20%, 11%.
Stages
• Reconnaissance
• Enumeration
• Penetration
• Escalate privileges
• Command and Control
Communication
• Lateral movement
• Exfiltration
• Sanitation
Assume breach!
APT. Reconnaissance. Entry point!
• Companies exposed by public info posted:
– Public websites
– Social networks
– Public acquisition website
• Public info released are used to profile
company and security systems
• CxO are profiled by
– Social networks
– Public info
• Companies are profiled
Cybercrime industrialized
• You can get someone’s complete health insurance data by paying $1,250.
• For just $7/hour, you can unleash a Distributed Denial of Service attack on
your competition.
• You can purchase US Fullz records (someone’s identity, passport, SSN, and
others). You can get all that for around $40.
• You can also get 10,000 fake Twitter followers for $15.
• And if you want access to a government server, that can be had for $6.
• You’re dealing with professional organizations that: Provide 24/7
customer service; Offer free trial attacks to demonstrate their prowess;
Payment after the successful attack once you are satisfied with the results.
• The cost of cybercrime in 2016 is estimated to be around $445 billion, and
it is predicted to increase to around $2 trillion globally by 2019. These
estimates only include known attacks, not undetected cybercrime,
industrial espionage, or state-sponsored attacks.
http://www.oracle.com/us/technologies/linux/anatomy-of-cyber-attacks-wp-4124673.pdf
APT – attack vectors.
APT – attack vectors. Social engineering
You are for SALE!
MIT Initiative on Digital Economy – 2018 Platform Strategy Summit
Critical Infrastructure / Energy sector – Ease of exploitation
• SCADA Systems are “insecure by design”
• PCs run 24*7 without security updates
• Sometimes antivirus is missing
• Multiple entry points: USBs, laptops,
maintenance connections
• Insufficient segmentation of the networks
• Absence of encryption in earlier
communication protocols (plain text is
often utilized)
• Legacy industrial Control Protocols without
authentication or authorization
• Security is still immature in SCADA/ICS
networks unlike IT enterprise
• Control engineers and field operators have
little understanding of cyber security
Photo: DTS Solution
Critical Infrastructure / Energy sector – Ease of exploitation
Photo: DTS Solution
Threats are multidimensional:
• Default passwords
• Internet connectivity of all kinds of SCADA systems,
from HVAC to webcams
• 3rd party remote access
• USB infected removable media
• Insecure SCADA devices
• Enterprise IT Business LAN connected to Control
Systems Network
• Legacy Windows Based OS (Windows NT, XP)
• Systems are lasting longer than in the past. HW/SW
are operating beyond their supported lifespan.
Sometimes impossible to be replaced.
The best practices
• Make Sure Network Security and Firewalls
Are In Place
• Regularly Update Your Network Security Tools
• Establish an Incident Response Crisis Plan
• Cyber strategy and regulations for utility
companies
• Educate Your Employees
• Separate OT and IT
• Segmentation and traffic controls in ICS.
• Control networks divided into layers
based on control function. (ANSI/ISA-99)
• Add hardware security appliance (PLC,
DCS, RTU) instead of software
• Risk analyses. Permanent Audit and Pen
tests.
• Improve security awareness on C-level
• Improve security awareness on industrial
systems and operations (SCADA)
• Implement strong Security Policy
INTRUSION DETECTION SYSTEMS
Active defense. Real-time threat detection
and autonomous response
False positive vs False negative
AI, machine learning, data mining
Anomaly detection model
Misuse detection model
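Added example, not part of the original slides: the misuse and anomaly detection models named above, applied to constructed flow records for the ICS ports listed on the Dragonfly/HAVEX slide (44818, 102, 502). The 10.10.0.0/16 control network, the log format and all addresses are assumptions made for illustration.

```python
"""Misuse vs. anomaly detection over ICS flow records (added example)."""
import ipaddress
from typing import NamedTuple

# ICS service ports listed on the Dragonfly/HAVEX slide.
ICS_PORTS = {
    44818: "EtherNet/IP (Omron, Rockwell Automation)",
    102: "ISO-TSAP / S7 (Siemens)",
    502: "Modbus/TCP (Schneider Electric)",
}

# Assumption: hypothetical addressing plan in which the control network
# (OT) is a separate range from the business LAN (IT).
CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed sample data: flows seen during a known-good period.
BASELINE_LOG = """
2020-01-10T08:00:01 10.10.1.5 10.10.2.20 502
2020-01-10T08:00:02 10.10.1.5 10.10.2.21 102
2020-01-10T08:00:05 10.10.1.6 10.10.2.30 44818
"""

# Constructed sample data: flows to be checked (last line is malformed).
LIVE_LOG = """
2020-01-11T02:13:40 10.20.7.44 10.10.2.20 502
2020-01-11T02:15:09 10.10.1.9 10.10.2.21 102
2020-01-11T08:00:01 10.10.1.5 10.10.2.20 502
2020-01-11T09:30:00 10.20.7.44 10.20.1.10 443
2020-01-11T09:31:00 garbage
"""


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines, skipping malformed rows."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        try:
            ipaddress.ip_address(parts[1])
            ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        flows.append(Flow(parts[0], parts[1], parts[2], int(parts[3])))
    return flows


def in_control_zone(ip):
    return ipaddress.ip_address(ip) in CONTROL_NET


def misuse_alerts(flows):
    """Misuse model: a fixed rule describing known-bad behaviour.

    Rule: an ICS port inside the control network is reached from a
    source outside it (IT and OT are supposed to be separated).
    """
    return [
        f for f in flows
        if f.dport in ICS_PORTS
        and in_control_zone(f.dst)
        and not in_control_zone(f.src)
    ]


def build_baseline(flows):
    """Anomaly model, learning step: record who normally talks to which
    controller on which ICS port. Must be captured in a known-good period."""
    return {(f.src, f.dst, f.dport) for f in flows if f.dport in ICS_PORTS}


def anomaly_alerts(flows, baseline):
    """Anomaly model, detection step: any ICS-port conversation that was
    never seen in the baseline, whatever zone it comes from."""
    return [
        f for f in flows
        if f.dport in ICS_PORTS and (f.src, f.dst, f.dport) not in baseline
    ]


def detect(baseline_text, live_text):
    baseline = build_baseline(parse_flows(baseline_text))
    live = parse_flows(live_text)
    return misuse_alerts(live), anomaly_alerts(live, baseline)


if __name__ == "__main__":
    misuse, anomaly = detect(BASELINE_LOG, LIVE_LOG)
    for name, alerts in (("misuse", misuse), ("anomaly", anomaly)):
        for f in alerts:
            print(f"[{name}] {f.ts} {f.src} -> {f.dst}:{f.dport} "
                  f"{ICS_PORTS[f.dport]}")
```

The new in-zone talker 10.10.1.9 passes the fixed rule (a false negative for the misuse model), while the anomaly model would also flag a legitimate new engineering workstation until it is added to the baseline (a false positive).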
Cybersecurity – common pitfalls
• 75% of experts consider cybersecurity to be a top
priority
• 16% CxO say their companies are well prepared
to deal with cyberrisk
• US Gov - cybersecurity as “one of the most
serious economic and national security
challenges we face as a nation.”
• Third party suppliers – weakest links
• Billions of new entry points to defend
• Delegating the problem to IT.
• Cyberrisk needs to be treated as a risk-
management issue, not an IT problem
https://www.mckinsey.com/business-functions/risk/our-insights/a-new-posture-for-cybersecurity-in-a-networked-world
Security is a culture!
Security = People + Process + Technology
Business impact analysis
Selling cyber security is hard. KPIs and Budgets
The executive should be aware of cyber security.
Policies and Procedures
Security is a culture!
Cybersecurity starts at kindergarten
Q&A
Yugo Neumorni, EMBA, CISA
Cybersecurity Council Chairman, EuroCIO
President, CIO Council Romania
CIO, Hidroelectrica

Dan Mocanu - Diferentiere prin inovatie - Masterclass - Business Focus Iasi 2018Dan Mocanu - Diferentiere prin inovatie - Masterclass - Business Focus Iasi 2018
Dan Mocanu - Diferentiere prin inovatie - Masterclass - Business Focus Iasi 2018
 
Mihai Bonca - Brand Strategy - Masterclass - Business Focus Iasi 2018
Mihai Bonca - Brand Strategy - Masterclass - Business Focus Iasi 2018Mihai Bonca - Brand Strategy - Masterclass - Business Focus Iasi 2018
Mihai Bonca - Brand Strategy - Masterclass - Business Focus Iasi 2018
 
Mihai Bonca - Masterclass Brand strategy - Business Focus Iasi
Mihai Bonca - Masterclass Brand strategy - Business Focus IasiMihai Bonca - Masterclass Brand strategy - Business Focus Iasi
Mihai Bonca - Masterclass Brand strategy - Business Focus Iasi
 
Ciprian Moga - 8 moduri de motivare a angajatilor - Business Focus Iasi 2018
Ciprian Moga - 8 moduri de motivare a angajatilor - Business Focus Iasi 2018Ciprian Moga - 8 moduri de motivare a angajatilor - Business Focus Iasi 2018
Ciprian Moga - 8 moduri de motivare a angajatilor - Business Focus Iasi 2018
 

Recently uploaded

Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
allensay1
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
daisycvs
 
Mckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingMckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for Viewing
Nauman Safdar
 

Recently uploaded (20)

Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered  Building Manufacturers Hyderabad.pptxPre Engineered  Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
 
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTS
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTSDurg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTS
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTS
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All TimeCall 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGBerhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service Available
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service AvailableNashik Call Girl Just Call 7091819311 Top Class Call Girl Service Available
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service Available
 
New 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateNew 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck Template
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...joint cost.pptx  COST ACCOUNTING  Sixteenth Edition                          ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
Getting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAI
Getting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAIGetting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAI
Getting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAI
 
Berhampur CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGBerhampur CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Mckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingMckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for Viewing
 
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSCROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
 
WheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond InsightsWheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond Insights
 
UAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur Dubai
UAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur DubaiUAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur Dubai
UAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur Dubai
 

Yugo Neumorni - presentation - Cyber Security Trends 2020

  • 1. This presentation, including any supporting materials, is owned by CIO Council Romania (ADTICR) and is for the sole use of the intended CIO Council Romania audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of CIO Council Romania (ADTICR). © 2018 CIO Council Romania (ADTICR). All rights reserved. Cyber threats to power grids Yugo Neumorni, EMBA, CISA Cybersecurity Council Chairman, EuroCIO President, CIO Council Romania CIO, Urgent Cargus
  • 2. Yugo Neumorni • Urgent Cargus, CIO (2019 – present) • Hidroelectrica, CIO, (2014 – 2019) • Vimetco, CIO, (2004 – 2014) • Deloitte & Touche Central Europe, IT Manager, (1998 – 2004) • Board member EuroCIO (www.eurocio.org), 2017 - • Chairman of Cybersecurity Council of EuroCIO 2018 - • CIO Council President and co-founder (www.ciocouncil.ro) since 2009 • ISACA Romania President and Board Member 2007 – 2016. www.isaca.com • EMBA, Asebuss - Kennesaw State University, 2007 - 2009 • CISA, Certified Information System Auditor, 2001, Budapest, Hungary • CIO Council National Conference organizer (www.cioconference.ro) • Gold Winner of the 2017 SAP Quality Awards, Fast Delivery category in CEE with Hidroelectrica. • Speaker at international IT conferences • Yugo Neumorni specializes in reorganization, planning, design and implementation of complex industrial IT environments for multinational companies. His area of expertise includes ERP (SAP) projects, large scale IT division reorganization and development, IT security & cyber, SCADA and industrial control systems, IT audit and IT governance, business processes in energy, aluminum and manufacturing, COBIT framework, ITIL.
  • 3. Agenda • Power grid • Smart Power Grid • Anatomy of a cyberattack. APT • Vulnerabilities inside SCADA/ICS environment • Best practices. IDS pillar for Cyber Defense • Conclusions
  • 4. Romanian Power Grid Collapse 1977 • March 4th 1977: 7.2 Richter earthquake in Romania • 1,578 deaths, 11,300 wounded, 35,000 damaged buildings • Total damages 2 billion USD • May 10th 1977: Collapse of national energy system • Total damages: more than 5bn USD
  • 6. Could We Survive a Long-Term Power Outage? • Our Society is Dependent upon Electricity • Nuclear Power Plants Need Electricity for Cooling • Refrigeration • Banking system • Water & gas supply • Riots
  • 7. Power grid Outage. Domino effect • In the context of power grids a cascading outage is a sequence of failures and disconnections triggered by an initial event, which can be caused by natural phenomena (e.g., high wind, flooding or a lightning shorting a line), human actions (attacks) or the emergence of imbalances between load and generation. An outage that affects a wide area or even the whole power grid is also called “blackout” [1], and usually occurs in a time-scale that is typically too short to stop it by human intervention. • In this respect, most of the major blackouts in power grids have been generally caused by an initial event (for instance, critical loads) that unchains a series of “cascading failures” [2–7], with very severe consequences https://www.researchgate.net/figure/Modernized-algorithm-of-cascade-outages-development-in-power-network-with-DG_fig1_324590826 2003, New York blackout
  • 8. Attacks on DSOs. Ukrainian power grid attack • 225,000 people were left without power for approximately 6 hours on December 23, 2015, in Ukraine. • Spear-phishing schemes, malware, and manipulation of long-known Microsoft Office macro vulnerabilities • Collected the credentials to gain access to SCADA systems • Virtual workstations inside SCADA systems that were trusted to issue system commands • Co-opting remote terminal units within SCADA systems to issue “open” commands to specific breakers at substations • Severing communications by targeting firmware in serial-to-Ethernet devices • Installing and running a modified KillDisk program that deleted information on what was occurring while making recovery reboots nearly impossible • Shutting down uninterruptible power supplies at control centers • Executing a large denial-of-service attack on utility call centers that prevented customers from reporting outages • Spear phishing is a targeted email that appears to be from a known business or individual Photo: https://thehackernews.com/2016/01/Ukraine-power-system-hacked.html Photo: https://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
  • 9. Attacks on Bowman Avenue Dam, NY • The attacker gained unauthorized access to the SCADA system and was able to obtain information on operations, including water levels, temperatures and the status of machinery • Hackers linked to the Iranian Government • The attacker managed to reach the OT system without being identified. In addition, he managed to access and manipulate the OT system without raising any suspicion. • Deficient peripheral cyber defenses for industrial control systems, automation computers and Operational Technology (OT) at the dam • Lack of effective real-time monitoring and responsiveness • Lack of effective incident response measures
  • 10. Attacks on TSOs / National Dispatch Photo: https://www.energy-storage.news/news/proposal-for-2gw-of-ev-chargers-and-batteries-to-connect-to-uks-transmission
  • 12. Aurora Experiment 2007 “In 2007, an American experiment had shown that it took just twenty-one lines of code to physically destroy a power generator …” Klimburg, Alexander. The Darkening Web: The War for Cyberspace (p. 206). Penguin Publishing Group. Photo: https://www.muckrock.com/news/archives/2016/nov/14/aurora-generator-test-homeland-security/
  • 13. CIA plot led to huge blast in Siberian gas pipeline in 1982. Myth or reality? • 1982: the most monumental non-nuclear explosion seen from space • Soviets tried to steal hardware embedded software for ICS • CIA manipulated the software and allowed it to be stolen • First ever “logic bomb” • Piece of code that had been programmed to turn malicious and that massively increased the pipeline pressure, eventually leading to the explosion • Story not officially confirmed The Darkening Web – Alex Klimburg. Photo: amazon.com
  • 14. Industry 4.0? • We are living the 4th Industrial Revolution • Humanity will change more in the next 20 years than in the past 300 years (futurist Gerd Leonhard) • The world will have 50 billion connected devices by 2020 (outdated) • Internet is a platform of objects • Smart city; Smart grid; Smart everything • Smart electric Connected cars into Internet of Things • Flying drones; No more smartphones • Smart clothes; Smart shelves; new shopping experience
  • 15. European energy system in figures 2015 • Reliance: 94% of transport relies on oil products, of which 90% is imported • Energy inefficient: 75% of our housing stock is energy inefficient • Imports: EU imported 53% of its energy at a cost of around EUR 400 billion, which makes it the largest energy importer in the world • Six Member States depend on a single external supplier for their entire gas imports and therefore remain too vulnerable to supply shocks. • Every additional 1% increase in energy savings cuts gas imports by 2.6%. • Collectively, the EU spent over EUR 120 billion per year – directly or indirectly – on energy subsidies, often not justified. • Over EUR 1 trillion need to be invested into the energy sector in EU by 2020 alone • THE WAY FORWARD: Energy security, solidarity and trust; A fully integrated European energy market; Energy efficiency; Decarbonizing the economy https://setis.ec.europa.eu/system/files/integrated_set-plan/communication_energy_union_en.pdf
  • 16. European energy system • “Expanding and improving Europe’s energy networks will be vital for Europe’s transition to a low-carbon economy. Smarter distribution grids will be needed to integrate increasing amounts of decentralised generation, electric vehicles and heat pumps into the network and encourage consumers to actively manage their energy demand. This will require additional investment in new infrastructure.” • “According to figures from the International Energy Agency, the investment needs in the European distribution network will amount to 480bn euros up to 2035.” https://setis.ec.europa.eu/system/files/integrated_set-plan/communication_energy_union_en.pdf
  • 17. Future Electric Power Grid http://l-it.hu/hir/Megujulo_es_takarekos_-_Energiatakarekos_Magyarorszag
  • 18. Future Smart Power Grid • Mix of Information and Communication technologies with Power system technology • Real-time, two-way communications throughout the grid • Intelligent devices continually interacting with each other creating an enterprise-wide information system • Allow utilities to understand, optimize, and regulate demand, supply, costs, security and reliability • Grids are "smart" - they don't only transport electricity but also information
  • 19. Future power grid concepts and challenges • Power is no longer fully generated from centralized and conventional thermal power plants. It is increasingly produced from variable renewable sources connected at distribution level. • Distribution system operators (DSOs) and suppliers are no longer the only players serving consumers. With the liberalization of end-user markets, new players (ESCOs, aggregators, technology companies, etc.) have progressively entered markets, competing to offer services to consumers. • Many consumers are no longer passive recipients anymore. On the contrary, they are becoming more active and are increasingly interested in value-added services beyond energy.
  • 22. Checkpoint Security Report 2018 https://www.checkpoint.com/downloads/product-related/report/2018-security-report.pdf
  • 23. Checkpoint Security Report 2018 • 97% of organizations are using outdated cyber security technologies • 64% of organizations have experienced a phishing attack in the past year • 59% of companies consider ransomware to be their biggest threat • 24% of companies have experienced a DDoS attack • 32% of government offices were victim to a data breach in the past year • 300 apps in the Google Play store contained malware and were downloaded by over 106 million users • 100% of all businesses have had a mobile malware attack • 82% of manufacturers have experienced a phishing attack in the past year • 94% of companies expect attacks on mobile devices to increase • 77% of IT professionals feel their security teams are unprepared for today’s cyber security challenges https://www.checkpoint.com/downloads/product-related/report/2018-security-report.pdf
  • 24. Cyber attacks on oil and Energy
  • 26. Case: Dragonfly/HAVEX - 2013 • Where: U.S. and Europe • Target system: • power grid and petrochemical asset owners • devices on TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric) • Attack vector: vendor websites and spear phishing in the form of e-mails with PDF attachments • Impact: > 2,000 sites (1,000 energy companies in 84 countries) • Key facts: • leveraged legitimate functionality in the OPC protocol to map out industrial devices • no physical disruption or destruction of the industrial process
  • 27. Case: Sandworm/BlackEnergy 2 - 2014 • Where: U.S. and Europe • Target system: • power generation site owners / operators • large suppliers and manufacturers of heavy power related materials • HMI applications including: • Siemens SIMATIC WinCC (V7.0, V7.2, V7.3) PCS 7 (V7.1, V8.0, V8.1), TIA Portal V13 • GE CIMPLICITY Version 8.2 with SIM 23 and prior • Advantech WebAccess • Attack vector: phishing campaign / known or 0-day vulnerability in Microsoft Windows • Impact: multiple systems of NATO, European Union, and energy sectors • Key facts: • Advanced Persistent Threat Toolkit to develop modular malware; • capabilities to attack ARM and MIPS platforms, scripts for Cisco network devices, destructive plugins, certificate stealer and more
  • 28. Norsk Hydro held hostage by a ransomware attack • Norsk Hydro has suffered a huge blow as its operations across Europe and the U.S. have been affected by a cyber attack. • The company has confirmed that ransomware has taken hold of their systems and compromised its cybersecurity framework. • Norsk Hydro has called the situation “quite severe” and plans to restore its systems using backup data • Did not pay the ransom • Norsk operated on manual • Norsk restored from backups
  • 29. CYBERATTACK ON A GERMAN STEEL-MILL In late 2014, a German steel mill was the target of a cyberattack when hackers successfully took control of the production software and caused significant material damage to the site. https://www.sentryo.net/cyberattack-on-a-german-steel-mill • The attackers first hacked into the office software network of the industrial site; • Starting from this network they then penetrated the production management software of the steel mill; • From there they took over most of the plant’s control systems; • Once in control, they methodically destroyed human machine interaction components. They succeeded in preventing a blast furnace from initiating its security settings in time and caused serious damage to the infrastructure.
  • 30. Anatomy of a cyberattack. APT • Motivation for an attack: State-Sponsored Actors; Cyberterrorists; Cybercriminals; Hacktivists • Motivation (chart): Ransom 41%, Insider threat 27%, Political reasons 26%, Competition 26%, Cyberwar 24%, Angry users 20%, Unknown 11% • Stages: Reconnaissance; Enumeration; Penetration; Escalate privileges; Command and Control Communication; Lateral movement; Exfiltration; Sanitation • Assume breach!
  • 31. APT. Reconnaissance. Entry point! • Companies are exposed by public info posted on: – Public websites – Social networks – Public acquisition website • Public info released is used to profile the company and its security systems • CxOs are profiled via – Social networks – Public info • Companies are profiled
  • 32. Cybercrime industrialized • You can get someone’s complete health insurance data by paying $1,250. • For just $7/hour, you can unleash a Distributed Denial of Service attack on your competition. • You can purchase US Fullz records (someone’s identity, passport, SSN, and others). You can get all that for around $40. • You can also get 10,000 fake Twitter followers for $15. • And if you want access to a government server, that can be had for $6. • You’re dealing with professional organizations that: Provide 24/7 customer service; Offer free trial attacks to demonstrate their prowess; Payment after the successful attack once you are satisfied with the results. • The cost of cybercrime in 2016 is estimated to be around $445 billion, and it is predicted to increase to around $2 Trillion globally by 2019. These estimates only include known attacks, not undetected cybercrime, industrial espionage, or state-sponsored attacks. http://www.oracle.com/us/technologies/linux/anatomy-of-cyber-attacks-wp-4124673.pdf
  • 33. APT – attack vectors.
  • 34. APT – attack vectors. Social engineering
  • 35. You are for SALE! MIT Initiative on Digital Economy – 2018 Platform Strategy Summit
  • 36. Critical Infrastructure / Energy sector – Ease of exploitation • SCADA Systems are “insecure by design” • PCs run 24*7 without security updates • Sometimes antivirus is missing • Multiple entry points: USBs, laptops, maintenance connections • Insufficient segmentation of the networks • Absence of encryption in earlier communication protocols (plain text is often utilized) • Legacy industrial Control Protocols without authentication or authorization • Security is still immature in SCADA/ICS networks unlike IT enterprise • Control engineers and field operators have little understanding of Cyber Security Photo: DTS Solution
  • 37. Critical Infrastructure / Energy sector – Ease of exploitation Photo: DTS Solution Threats are multidimensional: • Default passwords • Internet connectivity of all kinds of SCADA systems, from HVAC to webcams • 3rd party remote access • Infected USB removable media • Insecure SCADA devices • Enterprise IT Business LAN connected to Control Systems Network • Legacy Windows Based OS (Windows NT, XP) • Systems are lasting longer than in the past. HW/SW are operating beyond their supported lifespan. Sometimes impossible to be replaced.
  • 38. The best practices • Make Sure Network Security and Firewalls Are In Place • Regularly Update Your Network Security Tools • Establish an Incident Response Crisis Plan • Cyber strategy and regulations for utility companies • Educate Your Employees • Separate OT and IT • Segmentation and traffic controls in ICS. • Control networks divided into layers based on control function. (ANSI/ISA-99) • Add hardware security appliance (PLC, DCS, RTU) instead of software • Risk analyses. Permanent Audit and Pen tests. • Improve security awareness on C-level • Improve security awareness on industrial systems and operations (SCADA) • Implement strong Security Policy INTRUSION DETECTION SYSTEMS • Active defense. Real-time threat detection and autonomous response • False positive vs false negative • AI, machine learning, data mining • Anomaly detection model • Misuse detection model
  • 39. Cybersecurity – common pitfalls • 75% of experts consider cybersecurity to be a top priority • 16% of CxOs say their companies are well prepared to deal with cyberrisk • US Gov - cybersecurity as “one of the most serious economic and national security challenges we face as a nation.” • Third party suppliers – weakest links • Billions of new entry points to defend • Delegating the problem to IT. • Cyberrisk needs to be treated as a risk-management issue, not an IT problem https://www.mckinsey.com/business-functions/risk/our-insights/a-new-posture-for-cybersecurity-in-a-networked-world
  • 40. Security is a culture! Security = People + Process + Technology Business impact analysis Selling cyber security is hard. KPIs and Budgets The executive should be aware of cyber security. Policies and Procedures Security is a culture!
  • 41. Cybersecurity starts at kindergarten
  • 42. Q&A Yugo Neumorni, EMBA, CISA Cybersecurity Council Chairman, EuroCIO President, CIO Council Romania CIO, Hidroelectrica

Editor's Notes

  1. Largest ICS espionage as far as we know, lasting around 3 years by cybersecurity community estimates. Rockwell, Siemens, Schneider. No impact, only data exfiltration.
  2. Wide spectrum malware toolkit
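
Slide 38 names two IDS models, misuse detection and anomaly detection, together with the false positive vs false negative trade-off, and slide 26 lists the ICS ports that Dragonfly/HAVEX looked for. The following Python code is an added example, not part of the presentation: it runs both models over constructed, labelled flow records and counts each model's errors. The IP addresses, the OT network range and all function names are assumptions made for the illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One network flow; 'malicious' is the ground-truth label, used only for scoring.
Flow = namedtuple("Flow", "src dst dport malicious")

# ICS service ports and vendors as listed on slide 26.
ICS_PORTS = {44818: "Omron, Rockwell Automation", 102: "Siemens", 502: "Schneider Electric"}

# Assumed addressing plan (hypothetical): the control (OT) network.
OT_NET = ip_network("10.10.0.0/16")

# Constructed training window: conversations seen during normal operation.
TRAINING = [
    Flow("10.10.1.10", "10.10.2.20", 502, False),    # HMI -> PLC
    Flow("10.10.1.10", "10.10.2.21", 102, False),    # HMI -> PLC
    Flow("10.10.1.11", "10.10.2.22", 44818, False),  # engineering station -> PLC
]

# Constructed observation window, with labels.
OBSERVED = [
    Flow("10.10.1.10", "10.10.2.20", 502, False),      # known HMI polling
    Flow("192.168.5.77", "10.10.2.20", 502, True),     # business-LAN host reaches a PLC
    Flow("10.10.1.50", "10.10.2.21", 102, True),       # compromised host inside the OT network
    Flow("10.10.1.12", "10.10.2.22", 44818, False),    # new engineering station, legitimate
    Flow("192.168.5.77", "192.168.5.10", 443, False),  # ordinary IT traffic
    Flow("10.10.1.11", "10.10.2.22", 44818, False),    # known engineering session
]


def misuse_alert(flow):
    """Misuse (rule) model: an ICS port on an OT host reached from outside the OT network."""
    return (flow.dport in ICS_PORTS
            and ip_address(flow.dst) in OT_NET
            and ip_address(flow.src) not in OT_NET)


def learn_baseline(flows):
    """Anomaly model, training step: remember every (src, dst, dport) seen in normal operation."""
    return {(f.src, f.dst, f.dport) for f in flows}


def anomaly_alert(flow, baseline):
    """Anomaly model: an ICS-port conversation that was never seen during training."""
    return flow.dport in ICS_PORTS and (flow.src, flow.dst, flow.dport) not in baseline


def score(flows, detector):
    """Count true/false positives and negatives of a detector against the labels."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for f in flows:
        alert = detector(f)
        key = ("T" if alert == f.malicious else "F") + ("P" if alert else "N")
        counts[key] += 1
    return counts


def evaluate(training=TRAINING, observed=OBSERVED):
    """Score both models on the same observation window."""
    baseline = learn_baseline(training)
    return {
        "misuse": score(observed, misuse_alert),
        "anomaly": score(observed, lambda f: anomaly_alert(f, baseline)),
    }


if __name__ == "__main__":
    for model, counts in evaluate().items():
        print(model, counts)
```

On this data the rule misses the host that is already inside the OT network (a false negative), while the baseline catches it but also flags the newly commissioned engineering station (a false positive).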