
Your power hangs by a bit

// Julia Fomin (nee Vainio)

For modern societies, a steady flow of electricity is essential. The infrastructure that upholds the entire electricity supply chain from production to distribution is considered critical infrastructure, and it is regulated closely. As the technology used to maintain the system develops, it provides more surface layers for both kinetic and non-kinetic attacks. Disrupting this supply chain would have cascading effects across society.


In the past, security discussions around electricity systems have mainly focused on physical incidents in electricity networks and cyber incidents in information technology (IT) systems. Today’s electricity systems consist of integrated energy and communication networks, thus requiring an integrated view on physical and cyber requirements. The entire supply chain for electricity includes a variety of companies that organise the production, trading, marketing, transmission, and supply of electricity. Increased cross-border integration of markets, the digitalisation of operations, legacy systems and the real-time system impact with minimum disturbance requirements will place a significant burden on securing the sector from cyber threats.

Cyber threats against individual power plants and electricity grids are well-known and documented. There are several regulatory contexts in the EU and the US in which cyber security risk mitigation frameworks and compliance measures are introduced and addressed. Of these, the EU’s Network and Information Systems Directive (NIS Directive) from 2016 is one of the most prominent sets of rules. The NIS Directive is currently undergoing a revision, with a proposed directive hopefully being implemented in the coming months.

Even as electricity grids and networks have been established as critical infrastructure and vulnerable to cyber attacks, the market aspect of the formula is often left unaccounted for. Risk analyses and cyber threat reports draw our attention to cyber risks related to Supervisory Control and Data Acquisition (SCADA) systems of individual power plants, or DDoS attacks on the physical grid and utilities. Those institutions and establishments that deal with the business side of balancing the supply and demand of electricity often remain outside the scope of interest. It is somewhat as if a risk analyst described in great detail the cyber risks related to individual public companies and their supply chains, yet failed to mention the possible repercussions of Nasdaq being hit by a debilitating cyber attack.

HOW IS POWER TRADED?

A power exchange is essentially a trading platform that aims to satisfy the supply and demand for electricity in a market-efficient manner. In the European Union’s internal energy market, Nominated Electricity Market Operators (NEMOs) act as market operators in national or regional markets. According to the EU Regulation 2015/1222 of 24 July 2015 (CACM Regulation), NEMOs work closely with Transmission System Operators (TSOs) to ensure security of energy supply, increasing competitiveness, affordable prices, and proper functioning of coupled markets. Power exchanges are most often done through Day-ahead and Intraday markets. To read more about Day-ahead and Intraday trading, see the attached info box. Essentially, Day-ahead markets have so far been the more common ones, where potential buyers and sellers place their bids before the day’s market, hence the name Day-ahead. With the rise of intermittent sources of electricity and digitalisation of the electricity system, the Intraday market is gaining in popularity. Within the Intraday market, bidding and selling are done nonstop, thus making the market more responsive.

For the future, the EU has set a goal of a fully integrated internal energy market, which would facilitate cross-border energy trading with a non-discriminatory market access. Opening the market to various aggregators, prosumers, and distributed renewable generation requires greater use of ICT, such as various flexibility platforms, and a switch from Day-Ahead markets towards more real-time exchange of data on Intraday markets.

Another key development is the rapid pace of digitalisation of the European energy infrastructure and market. New technologies such as distributed renewable generation, smart metering, virtual power plants, and Internet of Things systems topped with prosumers and decentralisation of energy systems will bring forth greater flexibility and efficiency.

From a cyber security perspective, however, these improvements would require fast and continuous security analyses and decision-making processes for system operators, as well as secure data exchange routes close to real-time transactions. In addition, these developments require market operators and market exchanges themselves to pay more attention to cyber security risk mitigation strategies and data privacy issues.

WHY SHOULD WE BE WORRIED?

Switching from Day-ahead market logic towards more Intraday trading can significantly improve the effectiveness of power generation, transmission network management and market related tasks. Response times become shorter and technical advancements make quick responses to outages possible. However, digitalisation of the energy sector translates to increased exposure to cyber incidents and attacks. Widespread connectivity and data collection require increased data security for customers, systems, and assets.

Because power exchanges and electricity grid operations are thoroughly interlinked, a sudden loss of visibility to either part of the power exchange – Day-ahead or Intraday – would have very severe consequences for the entire supply chain. Both TSOs and distribution system operators (DSOs) would have limited information on where to deliver electricity, and how much. Cross-border trade would suffer and there might be a risk of unbalancing the entire electricity system.

WHAT THREATS ARE THERE?

Power exchanges are a lucrative target for several different malign actors. Disrupting the exchange and thus corrupting the information TSOs and DSOs depend on for deliveries would benefit Advanced Persistent Threat (APT) actors as well as hacktivists or criminals targeting the exchange for ransom. Infiltrating the system and manipulating the existing exchange data could yield significant monetary returns for criminal groups or individuals.

NEMOs operating power exchanges are subject to similar cyber threats as any other critical infrastructure provider. These include social engineering efforts, like the general office ICT-system hacks in Ukraine in 2015, through which the attackers gained access privileges to the SCADA and field systems; or exploitation of vulnerabilities in the outsourcing chain, as the recent massive SolarWinds hack and the Windows Exchange vulnerability have demonstrated. In the Microsoft Exchange Zero-Day attacks, adversaries have been able to access email accounts, steal data and drop malware on target machines for long-term remote access. According to various researchers, electricity companies are found among the affected parties.

Recent events show how operators close to power exchange operators have already been hit. In May 2020, ELEXON, a company that facilitates payments on the UK electricity market, fell victim to a cyber attack when attackers using the ransomware programme REvil managed to access the company’s internal IT systems. The company had been running an outdated version of Pulse Secure, which was the backdoor the attackers exploited to gain access to the system. To the company’s good fortune, their Balancing and Settlement Code (BSC) Central Systems – essentially the systems that capture data on actual supply and demand volumes so ELEXON can bill the parties involved in either Day-ahead trading or Intraday trading correctly – are hosted and operated by a third-party service provider.

In this case, there was no communications link or data traffic between the BSC Central Systems and the internal ELEXON network, which was compromised. The attackers later published confidential files and data, such as files containing staff passports, analysis data and enterprise renewal applications. Had the attackers gained access to the transaction data, they would have been able to disrupt one of the core functions of energy supply markets.

There are types of attack vectors that could be particularly harmful if targeted towards power exchange operators. These are called False Data Injection (FDI) attacks, which can carry two types of motivation for the attacker: general damage and monetary gains.

The cyber security of electrical networks has become increasingly challenging for TSOs because of the increased integration of communication devices into smart grid systems. Smart grid measurement devices in the field send data to the closest data collector device (an IP-based router) using radio frequency signals. This collected data is transferred to the central energy management system by using a SCADA system. SCADA systems use firewalls to secure their communication networks. There are many possibilities for cyber attacks during this data exchange, from disrupting radio frequency devices to manipulating the firewall systems.

If an attacker were able to gain knowledge of all system configuration information, such as grid topology information, system parameters, details of the state estimation algorithm and bad data detection, they would have the ability to manipulate all meter measurements and launch a successful false data injection campaign. However, in real life this is rarely the case, and the attacker has less-than-perfect system information and constraints.

Figure 1 AHMADIAN et al. 2019 Modelling Cyber Attacks on Electricity Market Using Mathematical Programming with Equilibrium Constraints

An attacker, who would then participate in a virtual bidding process on either the Day-ahead or Intraday market, would inject the false data into the electricity grid’s measurement devices. The idea would be to buy virtual power at lower priced nodes and sell it back at higher priced nodes. To avoid detection by the TSO, the attacker would need to take into consideration the actual physical constraints in the given power system, such as load balance and power flow constraints. The aim of the attacker would be to inject false data into the measurement system to maximize its profit by trading in the Day-ahead and Intraday markets. Figure 1 illustrates the inter-correlation of false data injections and the attacker's profit as a virtual bidder.
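The bad data detection step mentioned above can be made concrete with the standard residual test used alongside state estimation. The following is an added example, not taken from the article or from Ahmadian et al.; the 3-bus grid, line susceptance, meter noise level and all readings are constructed assumptions.

```python
# Added example: residual-based bad data detection for a DC state estimator.
# Constructed 3-bus grid: bus 1 is the reference, state = (theta2, theta3).
B = 10.0             # line susceptance in p.u. (assumed, same for every line)
SIGMA = 0.01         # meter standard deviation in p.u. (assumed)
CHI2_99_DF2 = 9.21   # chi-square 99% quantile; 4 meters - 2 states = 2 dof

# Rows map the state to: flow 1-2, flow 1-3, flow 2-3, injection at bus 1.
H = [[-B, 0.0], [0.0, -B], [B, -B], [-B, -B]]

def estimate(z):
    """Least-squares state estimate from meter vector z (equal weights)."""
    a11 = sum(r[0] * r[0] for r in H)
    a12 = sum(r[0] * r[1] for r in H)
    a22 = sum(r[1] * r[1] for r in H)
    b1 = sum(r[0] * zi for r, zi in zip(H, z))
    b2 = sum(r[1] * zi for r, zi in zip(H, z))
    det = a11 * a22 - a12 * a12
    # Solve the 2x2 normal equations with Cramer's rule.
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

def bad_data_check(z):
    """Return (J, flagged, suspect_index) for one measurement snapshot."""
    x = estimate(z)
    residuals = [zi - (r[0] * x[0] + r[1] * x[1]) for r, zi in zip(H, z)]
    j = sum((res / SIGMA) ** 2 for res in residuals)
    suspect = max(range(len(z)), key=lambda i: abs(residuals[i]))
    return j, j > CHI2_99_DF2, suspect

CLEAN = [0.201, 0.499, 0.302, 0.698]      # constructed, small meter noise
TAMPERED = [0.201, 0.800, 0.302, 0.698]   # constructed, flow 1-3 falsified

if __name__ == "__main__":
    for name, z in (("clean", CLEAN), ("tampered", TAMPERED)):
        j, flagged, suspect = bad_data_check(z)
        print(f"{name}: J={j:.2f} flagged={flagged} "
              f"largest residual at meter {suspect}")
```

The test only flags readings that are inconsistent with the grid model the estimator uses, which is why the system configuration information listed above matters so much to defenders.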

WHAT CAN WE DO?

An adequate level of cyber security should be a non-negotiable part of any modern power exchange’s security strategy. Power exchanges provide a critical factor in the constant availability and affordability of electricity. As European Cyber Security Strategies and NIS directives show, there is a strong need for normative instruments from both European and national authorities. These can include rules, regulations and directives, obligation for audits, or mandatory cyber security schemes. Economic instruments, such as clear financial incentives for reaching set goals could provide a lucrative target for market actors.

Power exchange companies themselves must implement a ‘security first’ approach in design, and demand this from their subcontractors and new market entrants, such as smart meters which integrate energy and communication systems in their design. Power exchange ICT-personnel need regular training on cyber security matters. In addition, there needs to be increased cross-border exchange of information between NEMOs on cyber security frameworks and best practices, as well as clearly defined contact persons for any affected customers or shareholders in case of an incident.

WHOLESALE ELECTRICITY MARKETS

In the Day-ahead market, a closed blind auction is conducted once a day, all year round, with the aim of trading all hours of the following day during that auction. Following the auction, the NEMO produces aggregated curves based on the willingness of participants to sell or buy electricity at their determined volumes and prices. Then a single price for each hour is set where the curves for sell price and buy price meet, considering network constraints.
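The clearing step described above, for a single hour, as an added example that is not part of the original article and not a NEMO's actual algorithm. It assumes stepwise curves, ignores network constraints, resolves ties to the lowest price, and uses constructed orders; it also shows how far the price moves when one order in the book differs from the reference copy.

```python
# Added example: simplified single-hour Day-ahead clearing.
# Orders are (limit price in EUR/MWh, volume in MWh); all values constructed.
def clear_hour(sells, buys):
    """Return (price, volume) where the aggregated curves meet, or None."""
    best = None
    for price in sorted({p for p, _ in sells + buys}):
        # Aggregated curves: sellers accept this price or lower,
        # buyers accept this price or higher.
        supply = sum(v for p, v in sells if p <= price)
        demand = sum(v for p, v in buys if p >= price)
        traded = min(supply, demand)
        # Prefer most volume, then smallest imbalance, then lowest price
        # (tie-break rule is an assumption of this sketch).
        key = (-traded, abs(supply - demand), price)
        if best is None or key < best[0]:
            best = (key, price, traded)
    if best is None or best[2] == 0:
        return None  # curves do not cross: nothing trades this hour
    return best[1], best[2]

def clearing_drift(reference_sells, received_sells, buys):
    """Price difference between a reference book and the book as received."""
    ref = clear_hour(reference_sells, buys)
    got = clear_hour(received_sells, buys)
    if ref is None or got is None:
        return None
    return got[0] - ref[0]

SELLS = [(20, 100), (35, 80), (50, 60), (70, 40)]
BUYS = [(90, 70), (60, 60), (40, 70), (25, 50)]
# Same book with one sell volume altered (80 MWh recorded as 8 MWh).
ALTERED_SELLS = [(20, 100), (35, 8), (50, 60), (70, 40)]

if __name__ == "__main__":
    print("reference:", clear_hour(SELLS, BUYS))
    print("altered:  ", clear_hour(ALTERED_SELLS, BUYS))
    print("price drift:", clearing_drift(SELLS, ALTERED_SELLS, BUYS))
```

A single changed volume moves the hourly price from 35 to 50 EUR/MWh in this constructed book, which is the reason order data needs integrity protection end to end.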

Members of the power exchange trade most of their electricity through Day-ahead markets. Most common members include utilities, municipal and regional suppliers, banks and financial service providers, electricity trading companies, energy-intensive industries, transmission and distribution system operators, and aggregators with either power plant pools or virtual power plants.

The Intraday market is a continuous trading spot, where market participants trade 24 hours a day with same-day deliveries. This method allows for a high level of flexibility, as electricity can be traded up to 5 minutes before delivery and through hourly, half-hourly or quarter-hourly contracts. Intraday markets have become more popular as the energy transition has evolved. With increased production of intermittent sources of electricity, such as wind or solar, intraday trading balances the Day-ahead market. A well-functioning Intraday market will also reduce the need for additional cost reserves, as electricity is able to flow within its allocated capacities around the entire market.

Currently, there are tens of different market zones in Europe, and a total of 16 NEMOs that are responsible for these market operations. A NEMO can also operate in other member states different from its original designation, thus offering its trading services as “passporting NEMO”. As an example, Nord Pool – owned by Nordic TSOs – enables participants to trade Day-ahead in 15 countries and across 21 bidding zones, and their overall trade volumes are around 500 TWh annually.

Julia Fomin (nee Vainio) works in the public sector as an Information Security Officer. Previously, she was seconded as the first Finnish Subject Matter Expert on energy security at NATO Energy Security Centre of Excellence, where she was responsible for strategic analysis on electricity and gas networks. Her alma mater is University of Turku, from where she graduated as Master of Social Sciences.
