As Taipower Modernizes, Cybersecurity Threats Loom

After several high-profile blackouts raised concerns about Taiwan’s grid stability, Taiwan Power Company (Taipower) in September last year announced it would invest TW$564.5 billion (US$18 billion) in the grid over the next decade. Investments will focus on resilience, decentralization, modernization, and strengthening of the electricity system.

The expansion of smart devices, such as smart grids and meters, is expected to enhance resilience and improve distribution. Smart grids can save energy by allowing electricity to be aggregated and distributed more efficiently. They can also help with “demand response,” which is the process of shifting electricity demand from peak to off-peak hours. In the event of a central systemic failure, smart grids would strengthen Taiwan’s grid by allowing regional grids to operate. Meanwhile, smart meters can provide more accurate real-time data than traditional meters.

But the increasing use of interconnected digital technologies and Internet of Things (IoT) devices is making the power sector increasingly vulnerable to cyberattacks. Smart devices create additional weak spots in the progressively complex digital infrastructure of modern power networks due to the large number of devices used, wide distribution, and the remote location of grids.

Global management consulting firm McKinsey warns that the electric-power and gas industries’ unique interdependence between physical and cyber infrastructure makes power companies vulnerable to exploitation, including billing fraud, hacking of operational-technology (OT) systems to stop wind turbines, and even physical destruction.

But threats to infrastructure come not only from individual hackers looking to earn money but also from hostile governmental actors. A January 2020 alert from the U.S. Department of Homeland Security warned that critical infrastructure providers should beware of nation states “capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure” as a deterrent or retaliatory measure for geopolitical developments.

Years before the Russo-Ukrainian war sparked a surge in LNG prices, it gave an early warning to countries about the cyber threats that loom over critical infrastructure. In 2015, a cyberattack orchestrated by Russian hackers caused power outages in two western oblasts of Ukraine, leaving over 230,000 customers without power for up to six hours.

The eight years since that event have seen several high-profile infrastructure hacks that have given cause for greater concern, such as the 2017 WannaCry ransomware attack that affected power companies in several countries, including Taipower’s Dalin Power Plant in Kaohsiung. Around 700 computers involved in the Dalin plant’s administrative system were affected by the attack. Fortunately, the generator-controlling computers were running independently and were not affected by the malware.

As one of Taiwan’s most prominent cyberattack targets, Taipower has reason to invest heavily in cybersecurity. The company reports being exposed to cyberattacks daily, often to a larger extent during times of heightened cross-Strait tension. Following then-U.S. Speaker of the House Nancy Pelosi’s Taiwan visit last year, Taipower was reported to have experienced 4.9 million unsuccessful cyberattacks in a single day.

In 2018, the Executive Yuan responded to heightened cybersecurity threats by enacting the Cyber Security Management Act, which requires participants of critical national infrastructure to submit a cybersecurity maintenance plan and pass information security standard verifications. In addition to complying with these requirements, Taipower has established an Information Sharing and Analysis Center (ISAC) to exchange intelligence with the government’s energy ISAC platform and enable joint defense responses. It has also developed a detailed Smart Grid Security Deployment Plan based on international cybersecurity documents.

J. Michael Cole, a senior non-resident fellow at the Global Taiwan Institute, in a 2021 report argued that although Taipower’s cybersecurity plan is comprehensive, Taiwan’s cybersecurity planning lacks a culture of accountability in both its public and private sectors. According to Cole, this has resulted in “cybersecurity flaws being concealed or merely reported as ‘system abnormalities.’” Thus, he argues, despite the progress that has been made in Taiwan’s preparedness to respond to potential cyberattacks against the private and public sector, greater effort must be made to ensure accountability and transparency, and to plug blind spots that are sure to be exploited by a hostile foreign force like China.

Although Cole notes that “some initiatives, such as a joint information security MOU signed between Taipower and the Ministry of Justice Investigation Bureau…to strengthen information security and ensure the security and reliability of the power supply in Taiwan, are steps in the right direction,” he adds that “more needs to be done.” Ransomware attacks by private or patriotic hackers, as well as the disablement of key infrastructure, are two areas of Taiwan’s defense preparedness that he believes warrant additional investment.

Giresh Prabhat, Chief Commercial Officer (Power Generation, Oil & Gas) – Asia Pacific at General Electric (GE) Digital, suggests that governments work closely with critical infrastructure operators to identify and address cybersecurity risks.

“This can involve sharing threat intelligence, conducting joint exercises to test incident response plans, and providing technical assistance to improve cybersecurity capabilities,” says Prabhat. “Meanwhile, governments can promote information sharing between critical infrastructure operators and government agencies, as well as with other stakeholders such as cybersecurity vendors and researchers. This can help to identify emerging threats and vulnerabilities and improve incident response capabilities.”

For security teams in infrastructure companies, a range of security mechanisms need to be implemented, but that’s only the beginning, Prabhat notes. Threats, and the mechanisms needed to guard against them, evolve rapidly. Therefore, systems need to be tuned, monitored, and managed continuously.

“The reality is that implementing general purpose security platforms in OT environments can break business-critical plant operations,” says Prabhat. “As a result, even basic security tasks – including managing inventory and identities, collecting and reviewing logs, and updating passwords – don’t happen fast enough or at all. Often, it’s these fundamental tasks being missed that ultimately prove costly, leaving the business exposed to devastating cyberattacks.”