PoC: Ransomware attacks targeting SCADA devices


As part of the information sharing during our Member Meeting in May, Applied Risk has briefed its fellow EE-ISAC members about a PoC they undertook determining that target field devices could be compromised and turned to a black-box development environment to develop and spread ransomware. They shared the implications of this vulnerability and practical countermeasures to mitigate the risk.

The information sharing resulted in a new EE-ISAC initiative: Applied Risk and Security Matters will jointly prepare a white paper to address emerging cyber threat targeting in particular the power sector.

Mission-critical control systems that don’t pose an obvious risk can be hijacked and leveraged for attacks

Cybercriminals have been increasingly relying on ransomware to make a profit by taking hostage personal and business files. Experts have also started issuing warnings regarding the possibility of ransomware attacks targeting industrial systems. Proof-of-concept (PoC) ransomware designed to target industrial control systems (ICS) was described recently by security firm CRITIFENCE and researchers at the Georgia Institute of Technology.

These attacks focused on programmable logic controllers (PLCs), which are often critical for operations and can represent a tempting and easy target for malicious actors. However, Alexandru Ariciu, an ICS security consultant at Applied Risk, disclosed another potential target on Thursday at SecurityWeek’s 2017 Singapore ICS Cyber Security Conference.

PoC: ransomware attacks targeting SCADA devices

Ariciu showed that ransomware attacks, which he has dubbed “Scythe,” can also target SCADA devices that are inconspicuous and which may be considered less risky. Applied Risk undertook a PoC determined that target field devices can be compromised and turned to a black-box development environment to develop and spread ransomware:

  1. Find target field device
  2. Infect the target device and load the ransomware
  3. Send the Ransomware Note
  4. Collect the Ransom

If you are interested to hear more, contact Jalal Bouhdada or read more:






EE-ISAC supporting cyber security analysis in the Black Sea region


Owing to a heightened awareness of cyber security resulting from the attacks suffered by Ukraine in 2015 and 2016, the United States Agency for International Development (USAID) and the United States Energy Association (USEA) have established the Utility Cyber Security Initiative (UCSI) to provide an ongoing forum and platform for cyber security analysis in the Black Sea region.


EE-ISAC was invited to participate in an interactive workshop with local grid operators, being the first of two consecutive programs launched by the Energy Technology and Governance Program (ETAG) of USAID and the United States Energy Association (USEA) under the UCSI flag. The workshop provided participants with a 360 degree perspective on:

  • policy directives,
  • regulatory frameworks,
  • technology standards,
  • utility management best practices, and the
  • emerging grid technologies

EE-ISAC committed to helping UCSI to set up an Energy ISAC for the Black Sea region and team up with this ISAC sharing experiences and blueprints for cyber security information sharing within an international, multi-disciplenary network of trust.

For more information about this cooperation, contact Johan Rambi (Board Member EE-ISAC).



Inter-substation communication: Optimal signed-encrypted R-GOOSE and R-Sampled Values on IP-Multicast networks


Future electric power systems must be able to integrate distributed energy resources such as photovoltaic solar panels and wind turbines, but also smart devices and electric vehicles. Accordingly, the level of system disturbances will increase. How to monitor and control of these disturbances in a secure way?


A wire-area monitoring, protection and control (WAMPAC) application anticipates and responds to system disturbances. A typical WAMPAC architecture uses Routed-GOOSE (R-GOOSE) and Routed-Sampled Values (R-SV). These messages are routable between substations. Normal GOOSE or SV messages are encapsulated inside an IP/UDP Multicast tunnel and defined in the technical report IEC/TR 61850-90-5. 

Digitally signaturing time-critical messages

Also the security of the R-GOOSE and R-SV messages is defined in IEC/TR 61850-90-5. This security guarantees the authentication and integrity of each message and is realized by a digital signature. These digital signatures use cryptographic algorithms, which are very time consuming. Yet, R-GOOSE and R-SV are time-critical messages: the maximum time between IEDs is 3ms. The goal of this study is to determine if it is possible to use digital signature for each R-GOOSE and R-SV message and which cryptographic algorithms can be used.

Read the white-paper, written by EE-ISAC member Jean-Roland Schuler and his colleague Patrick Favre-Perroz, both working for the University of Applied Science of Fribourg. If you are interested to hear more, please feel free to contact Jean-Roland Schuler.


Japanese & European energy communities sign partnership agreement on cyber security


16 May 2017, the Netherlands - The European Energy – Information Sharing & Analysis Centre (EE-ISAC) and the Japan Electricity Information Sharing and Analysis Center (JE-ISAC) formally established their partnership in conducting activities to ensure cyber security.


Supported by the Dutch Ministry of Economic Affairs and Dutch Embassy in Japan, mister Aurélio Blanquet (Chair of EE-ISAC) and mister Katsuyuki Abe (Secretary General of JE-ISAC) signed a Partnership Memorandum of Understanding. This will be the starting point of a close relationship between EE-ISAC and JE-ISAC in order to maintain a stable supply of energy.

The partnership will include information exchange on regulations and guidelines, good practices in cyber security provision and other cyber security related matters, and organizing networking events for building trust. Both parties respect each other’s independent activities and pay close attention to their members’ sensitive information related to cyber security.

ISACs: industry-driven, information sharing networks of trust

These activities will be in line with the shared vision of both organizations that the increased connectivity of the smart grid to the internet brings very real and new risks to the energy industry. Cyber security is no longer just a question of protecting corporate IT systems; cyber threats are now directed at (inter)national critical infrastructures, resulting in an urgent need for a collaborative approach at this level.

ISACs are industry-driven, information sharing network of trust in which both private utilities and solution providers and (semi)public institutions such as academia, governmental and non-profit organizations share valuable information on cyber security & cyber resilience. Read more...


ONE Conference & Open House Member Meeting

The signing ceremony took place during the ONE Conference organized by the National Cyber Security Centre (NCSC-NL) of the Ministry of Security and Justice of the Netherlands. NCSC-NL is a member of the EE-ISAC.

EE-ISAC will also organize an Open House Member Meeting on the 18th of May in The Hague. Regular EE-ISAC Member Meetings include trusted information sharing and are only open to members, but the afternoon programme on the18th of May will be open to utility guests by invitation. More information about EE-ISAC can be found on www.ee-isac.eu. 





Blockchain & the energy grid: what about it?


In the upcoming Member Meeting of EE-ISAC on 18 & 19 May, Wim Bouman (Strategy Consultant at Alliander) will share some of the insights and lessons learned over the past year in exploring blockchain technology.


Alliander is investigating to what extent blockchain technology can improve the accessibility, reliability and affordability of their electricity and gas grid. Next to discussing use cases relevant for utilities, mister Bouman will also touch upon (cyber) security, data protection & privacy issues related to blockchain technologies.

The 2-day EE-ISAC Member Meeting will take place in the Hague and the 18 May afternoon programme will be open to utility guests upon invitation. For more information: contact@ee-isac.eu