In recent years cyberspace has become the dominant battleground between governments, terrorist groups and black-hat hackers. From cyber-attacks like WannaCry that just weeks ago unleashed havoc across the World Wide Web, to attacks that bombard hundreds of thousands of computers on a daily basis – the significance of the cyber realm has never been as great as it is now. Some industries have managed to adapt to this sweeping new trend of threats; others, like the energy industry, have been lagging behind. Yet recent advances in cryptography, such as blockchain technology, may provide a revolutionary answer to the cyber weaknesses of the energy industry in general and critical energy infrastructure in particular.
While the scope and impact of cyber-attacks have rocketed in recent years and hardly a single industry has been left untouched, the energy sector has been hit particularly hard. According to an Energy Survey conducted by TripWire in 2016, almost 80 percent of respondents coming from the oil & gas industry acknowledged an increase in the number of successful cyber-attacks their organization has experienced over 2015. More importantly, 83 percent of energy security professionals were not even confident that their organization had the ability to detect all cyber-attacks.
Unsurprisingly, in recent years the energy industry has been targeted by a number of high-profile cyber-attacks. In 2012, Saudi Aramco, one of the world’s largest oil companies, was hit by a sophisticated computer virus called Shamoon, which not only managed to wipe the hard drives of 35,000 computers, but also forced the staff to turn to fax machines and typewriters for communication purposes. More recently, in 2015, a hacking group known as Sandworm managed to take down an electricity distribution grid in the western part of Ukraine and left 225,000 customers in the dark for around six hours.
These and other high-profile cyber-attacks are, however, only the tip of the iceberg. Most attacks against the energy industry go unnoticed, because often for the attackers there is little rationale to cause damage that will attract immediate attention. Rather, perpetrators are more interested in spying on energy companies or probing for structural bottlenecks in their systems. The majority of energy companies are also seemingly reluctant to publicly announce that their security has been breached, because it could be detrimental to their business. Hence, the bulk of cyber-attacks against the energy industry are bound to remain well outside the public eye.
Underdeveloped security systems
The energy industry has become a favourite target for cyber-attacks partially because most of its participants run notoriously outdated software, which lacks adequate security controls. For example, a recent U.S. News & World Report showed that most of the electric utility companies in the United States still ran Windows XP as recently as 2014, though the operating system was first introduced in 2001. More worrisome, there were recent reports of companies running antiquated operating systems like Windows 98 and even older at certain points of their supply chains.
The hardware part is equally vulnerable. Industrial control systems were first introduced in the 1960s and quickly became widely used to monitor and control equipment in industries such as manufacturing, electricity transmission, and oil & gas, to name a few. But most industrial control systems that are currently in use were manufactured and installed decades ago, and have not been equipped to deal with the risks of the here and now.
Likewise, the dawn of the Internet of Things in the 2000s allowed companies to greatly improve the efficiency of their equipment. But it has also made their systems more vulnerable to external meddling because it opened more entry and exit points to hitherto closed-loop systems. Nowadays a simple targeted search engine can uncover hundreds if not thousands of publicly accessible logins to equipment that is connected to the internet.
There are numerous ways in which the energy industry has sought to tackle these cyber-security threats. Firewalls and antivirus software are possibly among the most popular means of preventing malware from gaining access to industrial control systems that are connected to the internet. However, firewalls can be relatively easily bypassed by using rootkits, which create backdoors between the perpetrators and the targets, and antivirus software can be tricked by malware that changes its digital signature. As a result, malicious software can avoid being detected, inflict damage and never attract the attention of the victim.
Granted, it is possible to establish a so-called ‘air gap’ which would physically disconnect the industrial control systems from the internet, but the obvious problem with this radical solution is that it would vastly reduce the effectiveness of the system and put the user at a competitive disadvantage vis-à-vis its competitors. Also, as the infamous Stuxnet attack of 2008 has proved, even closed-loop systems can be compromised.
Blockchain, a revolutionary technology
However, distributed ledger technology or blockchain technology, as it may be more commonly known (though some purists would say it’s not the most precise description), might provide a revolutionary answer to cyber-security.
The blockchain is possibly one of the most ingenious cryptographic innovations of the last decades, and was the brainchild of a person or group of individuals known under the pseudonym of Satoshi Nakamoto. So far blockchain technology has directly led to the creation of such wildly popular cryptocurrencies as Bitcoin and Ethereum, with the latter also acting as a powerful open software platform that allows a streamlined creation and use of decentralized smart contract applications. These and similar digital payment systems have facilitated not only the exchange of money, but also that of content, property, shares or anything else of value.
The blockchain is such a revolutionary technology because it radically alters the way data has traditionally been handled. To date, most information has been stored in centralized databases, which in effect meant that every single line of code that was written, whether for a simple website or a platform with advanced architecture, was located, stored and maintained in one single location. In fact, this category of databases represents more than 90% of the current database market. But the problem with centralized data storage systems is that if malicious software manages to infect such a system or its administrator, the malware may easily tamper with the information and cause irreversible damage. True, data backups can ensure that the information can be restored to its original status, but by the time this is done, the malware could have already accomplished its purpose.
A tamper-proof chain
Yet with the advent of blockchain technology, or to be more precise, distributed ledger technology, data storage has changed completely. By definition, a blockchain is a chain of blocks that contains batches of valid and “time stamped” transactions. Each block includes the hash of the previous block of the blockchain, linking the two into a linear sequence over time. The linked blocks form a chain, and this is where the database gets its name. Also, these blocks are shared among many different parties, can only be updated by a consensus of the majority of the participants in the system, and cannot be altered or erased once entered. In other words, a blockchain is a transparent and permanent database that cannot be corrupted.
However, unlike in centralized databases where information is stored in a single location, in distributed ledger databases such as blockchains, information is replicated, shared and synchronized throughout multiple sites, countries, or institutions. As a result, there is no single overarching administrator or centralized data storage.
The immediate implication of this way of storing data is that it is tamper-proof. It cannot be altered by malicious actors because it doesn’t exist in any single location, and man-in-the-middle attacks (when a communication between two systems is intercepted by an outside entity) cannot be carried out because there is no single thread of communication that can be intercepted. Hence, the security of such decentralized data storage platforms is greatly improved.
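The hash linking and replication described in the last three paragraphs can be shown in a few lines. This is an added example, not code from the article or from any blockchain project; the function names, the all-zero genesis value and the meter readings are hypothetical, and a simple majority comparison of head hashes stands in for a real consensus protocol. It shows that the hash links expose an in-place edit, while it is the replicated copies that expose a holder who rewrites an entire single copy.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # placeholder prev_hash for the first block (assumption)

def block_hash(block):
    """SHA-256 of the block's canonical JSON, which includes prev_hash."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def build_chain(batches):
    """Link time-stamped batches: each block stores the previous block's hash."""
    chain, prev = [], GENESIS
    for ts, txs in batches:
        chain.append({"timestamp": ts, "transactions": txs, "prev_hash": prev})
        prev = block_hash(chain[-1])
    return chain

def first_broken_link(chain):
    """Index of the first block whose prev_hash no longer matches, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev_hash"] != prev:
            return i
        prev = block_hash(block)
    return None

def relink(chain):
    """Recompute every link, as the holder of a single copy could after an edit."""
    return build_chain([(b["timestamp"], b["transactions"]) for b in chain])

def outvoted_replicas(replicas):
    """Replicas whose head hash disagrees with the majority of participants."""
    heads = {name: block_hash(c[-1]) for name, c in replicas.items()}
    majority = Counter(heads.values()).most_common(1)[0][0]
    return sorted(n for n, h in heads.items() if h != majority)

# Constructed sample data (not real meter records).
BATCHES = [(1496300000, ["meter-17: 40 kWh"]), (1496300600, ["meter-17: 42 kWh"]),
           (1496301200, ["meter-17: 45 kWh"])]

if __name__ == "__main__":
    honest = build_chain(BATCHES)
    edited = copy.deepcopy(honest)
    edited[0]["transactions"] = ["meter-17: 4 kWh"]
    print("edit in place, broken link at block:", first_broken_link(edited))
    rewritten = relink(edited)
    print("after relinking, broken link:", first_broken_link(rewritten))
    print("outvoted:", outvoted_replicas({"a": honest, "b": honest, "c": rewritten}))
```

A relinked copy passes its own link check, so a ledger kept in one place is only as trustworthy as its keeper; the comparison across independently held replicas is what catches the rewrite.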
A rapidly spreading technology
Given the tremendous potential of blockchain technology, it is hardly surprising that numerous blue-chip companies have been trying to harness the technology’s untapped potential for purposes other than cryptocurrency. The technology behemoth IBM is currently working on blockchain-based solutions that will soon allow consumers to verify their identity for services such as new bank accounts, driver’s licenses or utilities, all while vastly enhancing their privacy and security. Also, NASDAQ, the U.S.-based financial services provider, has just recently succeeded in launching an e-voting pilot test in Estonia, which in the long run could revolutionize the way elections are held.
More importantly, in the very near future blockchain technology will likely alter the way critical energy infrastructure is protected from cyber threats. The U.S. Defense Advanced Research Projects Agency, better known by its acronym DARPA, has in recent years made significant investments in start-ups that work on developing blockchain-based security systems. The promise is that in due course it will be possible to implement a wide range of security solutions that will not only completely eliminate code injection attacks, but also give rise to tamper-proof computer systems for safeguarding all kinds of critical energy infrastructures, including nuclear plants or oil refineries. This, in turn, would irreversibly alter the rules of the game as traditional malware attacks against industrial control systems that are wired to the internet could be more or less rendered obsolete.
Granted, some of these non-finance related blockchain solutions are at a relatively early stage of development and implementation. But given the size of the blockchain technology market which in 2024 is expected to reach more than $7.7 billion and the colossal security implications that it will have, the question whether these technologies will irreversibly alter online privacy and security is no longer if, but when.
A system is as strong as its weakest link
However, the blockchain as a standalone technology should not be viewed as a panacea. It can only have a tangible industry-wide impact within a genuine business ecosystem that could support a broad spectrum of cyber-security solutions. This requires a profound paradigm shift which would start treating cyber-security as an integral overall business strategy element, rather than an isolated issue that is delegated to the IT guys at the back office. Likewise, companies should continue paying more attention to traditional cyber-security threats, because as the saying goes – the system is only as strong as its weakest link.
The significance of cyber-space is unlikely to waver anytime soon. Quite the opposite. It is more likely than not that in the years to come there will be an increasing number of ever more powerful cyber-attacks that will haunt the already besieged energy industry. However, blockchain technology provides a glimmer of hope for companies that wish to protect their critical energy infrastructure. Given its unorthodox and decentralized nature, blockchains may lead to the emergence of efficient and tamper-proof computer systems, which can protect industrial control systems that benefit from the Internet of Things.
Finally, it is worth keeping in mind that even if some energy companies are not interested in their cyber-security, the same may not be true for hostile governments, terrorist groups and malicious black-hat hackers.
The views expressed are the author’s own and not necessarily those of the North Atlantic Treaty Organization