Seeking to secure the Sultanate’s power infrastructure from cyber attacks, the Authority for Electricity Regulation Oman (AER) is preparing to test whether the sector’s critical control systems meet the robust standards for cyber security set for the industry.
The cyber security audit, which will be undertaken by a qualified international consultant, comes against an alarming uptick in cyber attacks on the power grids of some countries in Asia and North America, in addition to a proliferation of threats from criminal gangs and malicious actors.
The audit will focus primarily on Industrial Control Systems (ICS) which are used across the electricity infrastructure, but are known to be prone to cyber threats. Industrial Control Systems are types of instrumentation used to electronically manage tasks efficiently. They are used in all types of critical infrastructure, including manufacturing, energy, transportation and water treatment. In the power sector, the most common industrial control systems are: Supervisory Control and Data Acquisition (SCADA) systems, and Distributed Control Systems (DCS).
“The increasing usage of Industrial Control Systems (ICS) in electricity critical infrastructures has resulted in unforeseen cyber security threats to Supervisory Control And Data Acquisition (SCADA) and Distributed Control Systems (DCSs) that may cause severe interruptions and threaten the security of supply,” said the Authority in a backgrounder on its cyber-security audit.
Cyber-security standards for SCADA and DCS systems were issued by the regulator in August 2015 for generation, transmission and distribution activities. The selected consultant will review whether generation, transmission and distribution entities in the Sultanate comply with these standards.
Significantly, all 18 companies licensed to provide electricity generation, transmission and distribution activities in the Sultanate will be subject to the comprehensive audit. The exercise will be undertaken in two phases. Included in the first phase are six power plants and four distribution companies, as well as the Oman Electricity Transmission Company (OETC) and the Rural Areas Electricity Company. The remaining licensees (production facilities) will be covered in the second segment, according to the regulator.
“The overriding objective of this assignment is to ensure ownership and compliance of licensees to the requirements of SCADA & DCS Cyber security standard issued by the Authority and to review the validity of the current standard and comment on any update required,” the Authority said.
As part of its remit, the consultant will undertake a critical assessment of the compliance of the licensees with the existing SCADA & DCS Cyber Security standard. The consultant will also advise on the validity and adequacy of the current standard and recommend any modifications or improvements if required.
A contract award is likely before November this year, according to the year.
Experts have warned of an upsurge in cyber attacks targeting Industrial Control Systems around the world over the past few years. In 2015, a Ukrainian power company suffered an outage reportedly cause by a malware attack dubbed BlackEnergy. The following year, the United States charged seven foreigners for coordinating a cyber attack against a dam in New York. In Europe, an unidentified energy firm said it had been the target of a sophisticated malware named SFG.
Ransomware attacks targeting Industrial Control Systems have also been on the rise as well. Because Industrial Control Systems are activated via the Internet of Things (IoT), they are more vulnerable to attack by hackers, it is pointed out.