On April 28, 2020, during the Covid-19 pandemic, the Brazilian holding company of the Energisa group, which specializes in operations in the electricity sector, suffered a cyber attack.
The report for the first quarter of 2020 briefly mentioned the incident under the heading “Effects of COVID-19 and Subsequent Events”.
Under the heading “Cyberattack”, it appeared in the document with the following description: “Computer systems suffered a cybersecurity event on April 28, 2020. The company temporarily shut down the systems in response to the event. The attack did not affect the operational cyber protection network in the electricity grid or its other components. We have returned 100% of the main systems. There is no evidence of data loss or leakage of commercial or third-party data. Forensic investigation being conducted and implementation of reinforcements to security systems.”
Although short, this record reveals a lot about the incident.
The sentence of most interest to the subject of our article is the one about the “operating network”: the network that controls the company’s electricity operations across its 12 transmission concessions in 9 states and distributors in 11 states, serving around 20 million users.
Cyber security in the electricity sector is crucial.
The company’s statement means that the attack did not reach these energy transmission and distribution operations, which are part of the country’s critical infrastructure.
They were safe.
The importance of cyber security in the Brazilian electricity sector
Many other attacks have already taken place targeting the Brazilian electricity sector.
In February 2021, Eletrobras informed the market that a cyber attack had also hit its subsidiary Eletronuclear, responsible for the nuclear power plants in the Angra dos Reis complex.
But there was no impact on the operation of its units.
Energy services and operations, like telecommunications, are part of what we call critical infrastructure worldwide: organizations whose interruption can cause damage to society.
Companies in Brazil have already digitized a large part of their electricity generation, transmission and distribution operations.
The automation process is still underway; it also benefits all consumers with rapid responses to cut off, stabilize or restore the supply.
Even household consumption meters are now digital, to enable operations at the end customer’s premises, including the reading of this consumption.
The increasing digitalization of operations in the electricity grid, both in Brazil and in other countries, therefore requires sophisticated protection against cyber attacks.
In addition, many critical infrastructure operation networks operate without any contact with the Internet, which in turn greatly reduces this risk, yet cyber protection in the electricity grid remains vital for them.
But many need this contact, for a variety of reasons.
Still, even those physically isolated from the Internet need the same layers of protection as networks connected to the web, to prevent any possibility of intrusion, even if the possibilities are theoretically remote.
Internet isolation and cybersecurity in the electricity sector
The Iranian government’s uranium processing plant in Natanz province was isolated from the Internet.
But even in isolation, malware contaminated the plant’s data network in 2010, introduced via a USB stick.
The malware damaged the mineral centrifuging and refining machines, speeding them up beyond their limits and thus delaying the country’s nuclear program.
The effects of this malware, nicknamed Stuxnet, were supposedly in the interest of Israel and the United States, but it has never been proven that these countries were responsible for its development.
Even so, we need to protect even well-isolated critical infrastructure networks in the same way as everyone else, as the incident has shown.
In Brazil, guidelines on this subject are published and monitored by Aneel, the National Electric Energy Agency, which is the regulator of the electricity sector.
The agency is the reference body for around 750 generating, transmission and distribution companies of all sizes.
Three years ago, the agency published a resolution outlining the policy for cyber security to be adopted by companies in the electricity sector, establishing the fundamental guidelines on cyber security for the Brazilian grid. One of the items in this resolution is that all companies must plan their cyber security to prevent, mitigate and recover from incidents on their networks, so that incidents do not affect their operations.
Implementation of minimum cyber security controls
It’s not a simple mission, but it’s essential. The sector calls this environment of digital operations with electricity a ‘regulated cyber environment’ and obliges it to operate using the ‘minimum cyber security controls’ determined by the National Electric System Operator (ONS), which is responsible for coordinating and controlling the operation of electricity generation and transmission in the country. In July 2021, the agency announced these minimum controls, with a deadline of 24 months for implementation. There are 24 items, including implementing access control with strong passwords on control systems, changing network addressing in operation, changing database passwords, changing device passwords, having a directory system for automation and other security improvements.
Until Aneel published these “minimum controls”, the sector had no major cyber security obligations. Only one item in the ONS’s “Network Procedures” dealt with this issue, and even then in a broad and generic way. The publication of this new “routine” in 2021 has reoriented the entire sector, bringing clarity and requiring the implementation of well-structured cyber protection in the electricity grid in all companies in the electricity sector.
Global cyber blackout
In relation to the cyber blackout, which affected systems and services in Brazil and around the world, ANEEL reported that there was no impact on its computer systems, databases and customer service platforms, so that activities continued to operate normally. There was also no impact on the National Electricity System Operator (ONS) and, as a result, there are no problems in the operation of the National Interconnected System (SIN). According to the Brazilian Association of Electricity Distributors (Abradee), the global cyber instability that occurred on Friday morning (19/07) temporarily impacted the customer service systems of some companies in the distribution segment. The energy supply service in Brazil, however, was not affected. The distributors are on standby and mobilized to reduce any possible impacts.
ANEEL reports that Normative Resolution No. 24 came into force in 2021. It sets out the cyber security policy to be adopted by agents in the electricity sector. According to ANEEL regulation no. 964, concessionaires, permit holders and those authorized to provide electricity services or installations, as well as the entities responsible for operating the system, selling electricity and even managing funds from sector charges, must draw up a cybersecurity policy to prevent, mitigate and recover from cyber incidents on their critical information network or installation network, so that incidents do not affect their operation.
Also on Thursday (18/7), ANEEL held a webinar on the system for monitoring serious incidents, cyber security and prolonged outages (OSCIP). The above actions demonstrate that ANEEL has been improving its corporate systems and requiring companies to adopt the best possible practices in the face of vulnerabilities to cyber attacks.