Cybersecurity Entry Points to the Energy Sector and Their Time-To-Compromise
DOI:
https://doi.org/10.34190/eccws.25.1.4672
Keywords:
Cybersecurity, energy systems, cyber warfare, vulnerability dataset, time-to-compromise
Abstract
Digitalisation has increased the cybersecurity vulnerability of critical sectors. It is essential to improve and gain knowledge of these sectors to minimise the risk of successful cyber-attacks. The energy sector is a vital part of society since infrastructures such as healthcare and transportation rely on it. Cyber warfare targeting the energy sector can cause severe consequences. The energy system consists of many distributed parts for the generation, transmission, distribution and consumption of electricity. A digital energy system also consists of Advanced Metering Infrastructures (AMIs), Electric Vehicle Charging Systems (EVCSs) and other smart grid components. This makes it difficult to gain an overview of where the energy system is most vulnerable and where cybersecurity defence measures should be prioritised. In this paper we outline the most vulnerable cybersecurity entry points to the energy systems by analysing the known vulnerabilities. We compile a dataset of vulnerabilities within the energy systems domain based on the Common Vulnerabilities and Exposures (CVEs) of the Industrial Control System (ICS) advisories from the Cybersecurity and Infrastructure Security Agency (CISA) for the energy sector. Thereafter, we focus on the 2717 vulnerabilities with the attack or access vector “Network”, which indicates vulnerabilities that are exploitable via cyber-attacks. The dataset is categorised based on the type of vulnerability and the Smart energy Grid Architecture Model (SGAM) domain that it belongs to. With the dataset we are able to estimate the Time-To-Compromise (TTC) for different types of vulnerabilities and domains of the energy system. The dataset also allows for other conclusions, for instance that the most commonly found type of vulnerability is due to web-based weaknesses. Furthermore, the SGAM domain in which most vulnerabilities are found is the Customer Premises.
TTC values are used to assess the cybersecurity of systems in order to make more informed decisions about where to prioritise defence measures. The values can be added to risk assessments, such as threat modelling frameworks and attack graphs, to estimate which entry point an attacker is most likely to target.
License
Copyright (c) 2026 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.