An exercise reveals development needs: A cyber attack on the main grid

JYVSECTEC, operating at the JAMK University of Applied Sciences in Jyväskylä, has developed a realistic training environment where industry operators can train to prevent cyber attacks. Fingrid and Elenia piloted the training environment in the beginning of the year.

 

The highway tunnel between Helsinki and Tallinn should open in four minutes. Employees of Funnel Oy, responsible for the tunnel’s traffic control system, and Watti Oy, which operates the electricity supply, are waiting for the crucial moment in their control rooms. Final tests were carried out the previous day. Small technical flaws were observed but there was nothing alarming.

As the clock hits ten, the traffic lights on the screen change to green. The tunnel is open.

However, soon problems start to appear. According to the automation system, everything is fine, but the traffic lights in the CCT V image turn red again. Traffic comes to a stop. Twitter users speculate on the situation and the topic is actively discussed on the Helsingin Sanomat website.

 

Genuine attacks in a closed environment

A two-day cyber security exercise arranged by the Jyväskylä-based JYVSECTEC is underway. Around ten employees control the game-like exercise from the command room built on the third floor of the University of Applied Sciences. In control rooms set up in classrooms on the floor above, employees of Fingrid (Funnel) and grid company Elenia (Watti) are trying to repel cyber attacks disturbing the opening event. In addition to problems in the control system, the companies’ websites are down.

JYVSECTEC, created in 2011 as a project of the JAMK University of Applied Sciences in Jyväskylä, is a neutral research, development and training centre for cyber security. One of its main services is training. The ongoing exercise is part of the JYVSECTEC Center project launched in 2015. One of its goals is to provide industry sectors with a training environment for cyber security that is as realistic as possible. Fingrid is one of the project partners.

The exercise has been jointly prepared by Fingrid and Elenia since autumn 2016. It is meant to be as lifelike for the participants as possible.

“We continuously survey cyber threats in Finland and around the world. In our exercises, we use the same methods as criminal organisations, states and other real attackers. The control room technologies are also mainly the same as those used by companies in the industry,” says Marko Vatanen, main designer of the exercise and Chief Technology Officer at JYVSECTEC.

A successful attack can be costly

According to Fingrid’s Chief Information Officer Kari Suominen who is monitoring the exercise in the command room, the company takes cyber threats seriously. It strives to prepare for them by all possible means. Participation in JYVSECTEC’s project is one such means.

Fingrid’s most critical systems are closed and cannot be accessed via public internet. However, the worst risks entail attackers hacking into the closed systems. A successful attack into the main grid may lead to an outage that paralyses the whole of society.

“In a major disturbance, costs total a hundred million euros per hour. It’s quite a strong incentive to manage things properly,” Suominen notes.

According to Suominen, the understanding of cyber threats has increased in the energy industry in the past few years. He hopes that industry actors will become more active and prepare even better.

“Now that this kind of training environment has been set up, I hope that many people will come and train here.”

Concrete learning to take away

The time is close to noon and the exercise is coming to an end. Petri Mäkynen who was responsible for designing the exercise on Fingrid’s behalf exits the command room satisfied. Upstairs, the players have recognised the attacker and are currently removing it from the network. “The teams realised what was going on and dealt with the problems. They didn’t need much advice,” says Mäkynen.

A debriefing and feedback session is on the agenda in the afternoon.

“We review the attackers’ plans: what they were doing and what kind of technical means they used to carry out the attacks. This way, the teams get a more concrete understanding of what they can learn from the exercise,” Marko Vatanen explains.