m@ksim.pro

Energy grids and ICS security: the control system is no longer separate from cyber risk

Why attacks on industrial control systems have become a reality for the energy sector, and how managers need to rethink security for OT infrastructure.

In December 2015 the first documented successful cyberattack on energy infrastructure resulted in an actual power outage. The attack on Ukrainian energy operators left approximately 230,000 customers without power for several hours. This was not a research scenario or a conference demonstration. It happened in a real operational environment.

For industrial security specialists, this was not entirely a surprise - the risks of attacks on industrial control systems have been discussed since Stuxnet was discovered in 2010. But for managers at energy and industrial companies, this should be a signal to revisit fundamental assumptions.

The assumption that no longer holds

For a long time, OT infrastructure - operational technology, industrial control systems, SCADA, process automation - was considered isolated from IT networks and from the internet by default. The "air gap" principle - physical isolation - gave a sense that external threats simply did not apply to these systems.

That assumption is outdated. The isolation eroded gradually, for good practical reasons: remote maintenance, real-time monitoring, integration with enterprise planning systems. Each connection was created for an operational necessity. Together, they created an attack surface where none was supposed to exist.

What makes ICS more vulnerable than IT systems

Industrial control systems were built with different priorities. Reliability and continuity of operation come first. Security in the cyber sense was historically not part of that equation.

This shows up in specific vulnerabilities. Communication protocols between components often have no authentication - they were designed in an era when physical isolation was considered sufficient protection. Software updates are difficult and risky - equipment downtime for updates is unacceptable in continuous production processes. Equipment lifecycles are long - systems operate for 15 to 25 years, and vendor support for security vulnerabilities on older hardware is often unavailable.
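The lack of authentication is easiest to see by decoding a frame. The following added example (not code from the original post) parses Modbus/TCP requests, a widely used ICS protocol whose frame carries no credential, session token or signature, and shows the only control that remains: whether the request came from a host that is expected to issue it. The IP addresses, allow-list and captured frames are constructed for illustration.

```python
"""Parse Modbus/TCP requests and flag writes from hosts outside an allow-list.

Hypothetical example: the IP addresses, allow-list and captured frames
below are constructed for illustration, not taken from any real plant.
"""
import struct
from dataclasses import dataclass

# Function codes defined by the Modbus application protocol.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int  # first coil/register the request touches


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request ADU.

    MBAP header (7 bytes, big-endian): transaction id, protocol id (always 0),
    length of the remaining bytes, unit id. The PDU follows: function code,
    then function-specific data. Note what is absent: there is no field for
    a credential, session token or signature anywhere in the frame.
    """
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header + function code + address")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function_code = frame[7]
    (address,) = struct.unpack(">H", frame[8:10])
    return ModbusRequest(tid, unit, function_code, address)


def classify(src_ip: str, frame: bytes, allowed_writers: set, allowed_readers: set) -> tuple:
    """Return (verdict, src_ip, description) for one captured request.

    Because the protocol carries no identity, the only enforceable control is
    where the request came from: writes must originate from the allow-listed
    engineering hosts, reads from those or the monitoring hosts.
    """
    req = parse_modbus_tcp(frame)
    if req.function_code in WRITE_CODES:
        name = WRITE_CODES[req.function_code]
        verdict = "OK" if src_ip in allowed_writers else "ALERT"
    elif req.function_code in READ_CODES:
        name = READ_CODES[req.function_code]
        verdict = "OK" if src_ip in allowed_writers | allowed_readers else "ALERT"
    else:
        name = f"function code {req.function_code}"
        verdict = "ALERT"  # anything outside the expected read/write set is suspicious
    return (verdict, src_ip, f"{name} unit={req.unit_id} addr={req.address}")


def audit(captures, allowed_writers, allowed_readers):
    """Run classify() over (src_ip, frame) pairs and return the verdict list."""
    return [classify(ip, frame, allowed_writers, allowed_readers) for ip, frame in captures]


# Constructed policy for a hypothetical cell: one engineering workstation may
# write, one HMI may read. Nothing from the corporate range is expected at all.
ALLOWED_WRITERS = {"10.10.1.20"}
ALLOWED_READERS = {"10.10.1.5"}

# Constructed captures (src_ip, raw Modbus/TCP request). The last two frames are
# the same "Write Single Register" command; only the source differs.
SAMPLE_CAPTURE = [
    # HMI reads 10 holding registers starting at address 0
    ("10.10.1.5", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Engineering workstation writes register 16 := 1
    ("10.10.1.20", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    # Corporate-side host issues the same write, register 16 := 0
    ("192.168.50.77", b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x00"),
]

if __name__ == "__main__":
    for verdict, ip, desc in audit(SAMPLE_CAPTURE, ALLOWED_WRITERS, ALLOWED_READERS):
        print(f"{verdict:5} {ip:15} {desc}")
```

The second and third frames are byte-for-byte the same kind of command; nothing inside the protocol distinguishes the engineering workstation from a corporate host that has reached the OT segment, which is why the inventory of connection points and a source-based allow-list (enforced at the boundary and monitored from a network capture) carry the weight that authentication would normally carry.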

Add to this that OT specialists and IT security specialists have historically worked in different worlds, spoken different languages, and solved different problems.

What December 2015 changed

The attack on the Ukrainian power grid showed several things that can no longer be ignored.

First, the attackers studied the victim's infrastructure in advance - access to the systems was gained months before the attack, through phishing of employees on the corporate network. OT isolation did not protect, because the path ran through IT.

Second, the attack was coordinated and multi-layered. At the same time as the equipment was disabled, the technical support centre was attacked in order to hinder recovery.

Third, the attackers used legitimate management tools - the same ones operators used. This made detection harder.

What this means for a manager

First - a rethinking of the isolation assumption. If your OT infrastructure is connected to the corporate network at even one point, it is not isolated. An honest inventory of all connection points is needed.

Second - OT security cannot remain solely the responsibility of the chief engineer or the automation manager. The December 2015 attack came through the corporate IT network. That is the intersection of two zones of responsibility, and if there is no coordination between them, the gap is where the risk lives.

Third - an incident response plan for the OT environment. What happens if a control system is compromised? Is there a manual operating mode? How quickly can it be activated? Who makes the decision?

Practical questions for a review

  1. Is there a complete map of all connection points between OT networks and corporate IT networks and the internet?
  2. Are the same security standards applied to these connection points as to the corporate network perimeter?
  3. Who in the company is responsible for security at the intersection of OT and IT?
  4. Is there a manual operating plan for critical processes when automated systems are unavailable?

ICS cybersecurity is no longer a topic only for specialised conferences. It is an operational risk that belongs in management's field of view.
