*by Lucas Pereira
In recent years, the energy sector has faced increasing challenges when it comes to cybersecurity. The increasing reliance on technology to control and monitor the energy sector's critical infrastructure has become an attractive target for cybercriminals and malicious hackers. In Brazil, the National Electric Energy Agency (ANEEL) recognized this threat by publishing Normative Resolution No. 964, which establishes guidelines for the sector's cybersecurity and represents a fundamental step in protecting the country's electrical infrastructure.
Recently, in August this year, a widespread blackout affected several regions of the country and caused power outages in more than ten states. The initially associated cause was an 'overload' on a transmission line in Ceará. However, the Minister of Mines and Energy, Alexandre Silveira, requested investigations by the Federal Police and the Brazilian Intelligence Agency (ABIN) to determine whether there was human error in the blackout or even the possibility of criminal action.
Lately, hackers' creativity has shown itself to be limitless. They invade systems and install, for example, ransomware, a type of malware that encrypts data and demands a ransom in cryptocurrencies to restore access. Many companies and public bodies in the energy sector in Brazil have already been targets of these attacks. Although they did not interrupt the power supply, they compromised the security of the systems and could cause sensitive information to leak. Therefore, we can say that the threat of cyber attacks in the electricity sector is a reality and we cannot ignore the risks.
The most critical attack surfaces that can significantly harm the operation of energy infrastructures involve, in particular, the Supervision and Data Acquisition System (SCADA) and Intelligent Electronic Devices (IEDs). They play an essential role in the automation of facilities and an invasion that compromises these systems can obstruct maneuvers and operations crucial to the proper functioning of the infrastructure.
A critical example of an invasion of the Supervision and Data Acquisition System (SCADA) occurred in 2010, when a virus called Stuxnet interfered with the operation of uranium enrichment centrifuges controlled by a Programmable Logic Controller (PLC), one of the devices digital technologies most used in industry, including in nuclear power plants. This incident, which caused real physical damage to critical infrastructure, highlights the reality and sophistication of cyber threats in the contemporary era. The growth in the use of malware like this reinforces the need for robust cyber defenses in an increasingly interconnected world.
Sophisticated attacks like these make it possible for cybercriminals to take control of power substations, for example. In this way, energy companies may have problems and limitations in controlling their own structures, since criminals will be able to encrypt information to demand ransom payment to return access, in addition to effectively manipulating the use of important systems. In addition to high business losses, the impacts on people's daily lives can be immense when something like this happens.
Fortunately, many companies in the Brazilian electricity sector are moving in the right direction. They are starting to better study their vulnerabilities to adopt cybersecurity measures to comply with Aneel's Normative Resolution 964. Among the actions, use of modern protection systems and consultancy from digital security experts are among the most strategic and assertive activities for protecting environments.
The numbers are an important reference to accelerate this preparation journey. In 2022, around 70% of companies in Brazil were the target of cyber attacks with data hijacking. Ransomware attacks have increased considerably compared to the previous year, being the preferred method of many hackers seeking quick payment of millionaire sums for the return of data hijacked with the help of encryption. In other words, recovery costs a fortune, not to mention other risks involved in situations like this.
It is crucial to understand that security must be treated as an integral part of companies' risk management and this should not be an exclusive responsibility of the IT department. All areas and employees have a certain degree of responsibility and must be careful to avoid clicking on unknown links.
Another important aspect is to consider that cybersecurity must be studied on all fronts, starting with the careful selection of suppliers and including the hiring of advanced tools and support solutions for digital protection.
Recent incidents and evolving cyber threats make it clear that the energy sector's critical infrastructure needs to be protected to mitigate risks. Therefore, it is essential that companies invest in cybersecurity measures to improve their protection barriers. The basis for all the activities we carry out, from the simplest in our homes, to the production of goods and services in the business world, we need to ensure that the infrastructure of this fundamental input for society is effectively safe. Aneel's Normative Resolution 964 is a step in the right direction, but continued collaboration and commitment from everyone are essential to guarantee a reliable and safe energy supply for everyone.
*Lucas Pereira, Chief Technology Officer (CTO) at Blockbit
Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
EN 
PT 
