Abstract

The national energy system is the most critical of the critical infrastructures, and one which has become surprisingly vulnerable to cyberattacks in the last couple of years. Both unexpected technical design flaws and targeted attacks carried out by state-sponsored actors have raised challenges for the operators of essential services. Although this infrastructure is the subject of many regulations, and national security agencies pay special attention to such critical information infrastructures, gathering cyber threat intelligence is not straightforward for several reasons. First, the special protocols used in industrial control systems and operational technology (ICS/OT) are difficult to monitor. Second, information sharing does not really work, neither between states nor domestically. Third, due to the lack of thorough technical recommendations, there is no common understanding between responsible authorities and critical information infrastructure operators. In Hungary, key stakeholders of the national electricity system have realized that although some local and European legislation deals with the cybersecurity of critical information infrastructure, many open questions remain in practice, from both policy and technology perspectives. In 2018, Hungarian manufacturers, energy service providers and responsible authorities started a discussion on what should be improved in legislation, technology and information sharing, and how. This paper describes the framework of this collaboration for information sharing and its initial results. Specifically, we present the current technical capabilities for gathering cyber threat intelligence in ICS/OT systems and propose some legislative actions that could support further technical solutions that are feasible in these special systems.
We also present the Tactics, Techniques, and Procedures (TTPs) and the goals of threat actors in energy systems as observed in the current data sets from our honeypots. Moreover, we make some recommendations as to how national and EU-wide legislation should be built up and what kinds of actions should be required from the key players in compliance with Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive).
