Keeping Cyber-Attacks at Bay in Biomass Power Plants

Cyber-attacks and ransomware are a threat to energy assets, but there are tools to protect plants against loss of data, time and money.
By Sam Miorelli | July 29, 2021

Whether they were built 50 years ago or fired up in the past decade, the majority of U.S.-based biomass and bioenergy power plants operate by the same fundamental principle: They burn biomass waste fuel to generate high-pressure steam, which in turn drives a turbine to create electricity and heat.  

What has changed, however, is the widespread adoption of digital technologies that leverage artificial intelligence (AI) and the Industrial Internet of Things (IIoT) to drive greater operating efficiencies, higher reliability and lower maintenance costs.

At the same time, this increased reliance on digital advances to improve the reliability and predictability of power plant operations brings with it the threat of cyber-attacks. While the general public might think of cyber-attacks in the context of the information technology (IT) space solely in terms of identity theft or a virus on their home computer, cyber-attacks on physical operating technology (OT) systems represent a real—and growing—threat to the reliability and core business of the energy industry.

Cyber-Attacks: Expensive Business Disruptions
Real-world examples of OT-centric cyber-attacks are becoming increasingly common. In May 2021, Colonial Pipeline suffered a double ransomware attack where approximately 100 GB of internal data was stolen and significant portions of its IT systems encrypted, as reported by the Wall Street Journal on May 19. In hearing testimony, Joseph Blount, CEO of Colonial Pipeline, told the U.S. Senate Committee on Homeland Security & Government Affairs that Colonial Pipeline’s concern was that the attack could spread to its OT network, which led it to shut down 5,500 miles of pipeline about an hour after the attack was first discovered.

Colonial Pipeline carries approximately 45% of the U.S. East Coast’s fuel supplies. Consumer demand for gasoline surged, putting pressure on gasoline stations across the eastern U.S. At that point, Blount decided to pay the almost 75 bitcoin ransom, worth about $4.4 million at the time, according to the WSJ.

In another example from January 2021, Atlanta-based paper and packaging company WestRock reported being hit with a ransomware attack that impacted its OT and IT systems. While the company’s security teams—with the cooperation of leading cybersecurity firms—started working immediately to remediate the incident, Westrock released a situation update reporting it had experienced an 85,000-ton shortfall in its mill system production just a week and a half later.
Attacks such as these are becoming more common as power plants incorporate further automation advances. For example, many plants now include a distributed control system (DCS) that uses AI and the IIoT to automatically operate plant processes, requiring far less human interaction and fewer people on site. Such systems go beyond earlier automation technologies that merely transmit data and signals between the equipment and the operator to now include enhanced reporting functions, advanced diagnostics and intuitive process control.

While these systems are powerful tools for collecting relevant data, monitoring and controlling critical plant functions, and giving operators direct access to essential operations, they also create a larger connected surface through which threat actors can execute attacks.

AI-driven Cyber Defense
Siemens Energy has a long and successful history as an equipment manufacturer and service provider throughout the energy supply chain. The company’s expertise in the cybersecurity business comes from its legacy as an integral operator and solutions provider of energy technologies that leverage digitalization and intelligent infrastructure. To solve the problem of creating a modern, industrial-grade endpoint protection solution for the energy sector, Siemens Energy partnered with SparkCognition, a leading artificial intelligence company with deep experience in cybersecurity.

Together, they developed the trademarked DeepArmor Industrial, fortified by Siemens Energy. This is an endpoint protection solution designed to protect the energy industry’s operational technology by leveraging artificial intelligence to monitor, detect and prevent cyberattacks. SparkCognition specifically designed DeepArmor Industrial to help operators defend their current and future critical infrastructure from escalating cyber-attacks that target OT. This cybersecurity platform incorporates AI and machine learning to protect endpoint assets in the plant by recognizing and reporting new devices or behavior changes that characterize cyber threats.

DeepArmor Industrial’s predictive analysis capabilities prevent malicious code from executing—independent of threat intelligence and without the need for signature updates. This makes it an ideal solution for operators with distributed or disconnected assets. The platform also identifies, reports and proactively blocks system changes that could characterize a digital-physical attack, either mitigating the threat or making it easier for the plant’s operations crew to diagnose and resolve.

The chances of a biomass power plant falling prey to a cyber-attack increase substantially during an outage. Outages are ideal times to install necessary updates and new security patches to a plant’s OT systems. Unfortunately, during these times, it is not uncommon for antimalware protections and other network security functions to be disabled, opening the door to new cyber threats.

But with this platform installed, operators have a way to always keep a pulse on the plant’s cybersecurity, even when other functions are offline. The platform achieves this level of protection thanks to its machine-learning functionality. It is initially placed in observer mode as it learns the processes. Once the plant operator and Siemens Energy’s engineering team are convinced that the platform understands the difference between routine operations and a cyber threat, it is taken out of observer mode to track and control normal operations, without the risk of shutting down a critical component of the plant’s operations.

During an outage, the platform is easily placed back into observer mode, where it continues to track and report nonroutine events or potential cyber threats, but without the ability to intervene and prevent the perceived threat from entering the system. This is particularly important when a legitimate software upgrade from a vendor might be mistaken as malware simply because the upgrade is new or unfamiliar to the platform. Rather than delaying the upgrade, the platform records and reports the event to the operations team, who can investigate the situation further.

Because it is endpoint-based, the platform identifies the specific computer or system where the issue was detected. As a result, the operations team can quickly go to that location, confirm the threat, and resolve the situation before the threat spreads to other systems or becomes a more severe issue. And with DeepArmor Industrial always watching, a plant operator can be confident that their system restarts will not leave them vulnerable to a nascent cyber-attack.

The platform does not require every machine it is tracking to be running on the same version of the OS, or even a current OS; it can be deployed as far back as Windows 2000. As a result, the operator can quickly identify and review potential threats from multiple systems without piecing together and converting data from machines running different versions of the OS.

Delaying Patching Outages  
A system patch installed on a Monday may be ineffective by Friday against any new attacks that emerged on Tuesday through Thursday. As a result, a power plant’s IT department might recommend conducting small outages to install patches on a more frequent basis. However, this frequency is not cost-effective and likely does not line up with the plant’s business model.

The platform’s built-in, machine-learning engine uses advanced classification algorithms to predict and prevent zero-day attacks on the endpoint without frequent updates or cloud access. While not a replacement for patching, the platform serves as a bridge to the plant’s next reasonable opportunity to perform a patching outage. The platform’s real-time, continuous tracking of threats gives the operations team confidence to delay an outage on a critical piece of equipment by a few weeks or months, extending operations without putting plant systems at risk.

New Era of Cyberspace Protection
Today’s energy landscape requires biomass plants to operate with the highest reliability and flexibility to remain competitive—without the risk of unexpected and time-consuming outages due to a cyber-attack. With its AI and machine learning capabilities, DeepArmor Industrial, fortified by Siemens Energy, provides day-to-day protections from external threats like zero-day attacks and internal threats from an unexpected USB key—ensuring greater efficiency and uptime for the entire plant.

And as cyber threats increase in their sophistication and frequency, the need for plant operators to leverage a robust, adaptable cybersecurity solution that protects their OT and IT systems will only continue to become even more critical.

Author: Sam Miorelli
Global Head, Cybersecurity for Industrial Applications Siemens Energy Inc.
[email protected]