DN can today reveal new shortcomings in Svenska kraftnät's protective security work. They concern the heart of the country's electricity supply – the system used to control, monitor and optimise the operation of the backbone network.
On 15 March 2017, a new control system was launched at the agency, developed by the U.S. corporate giant General Electric. The system used previously, ”Hansa”, was badly outdated. The new technology would be safer and able to handle the new requirements.
In connection with the start-up, General Electric was responsible for the maintenance and further development of the system. The work has reportedly been carried out remotely from the company's office in the small town of Melbourne in the state of Florida in the United States.
Staff at General Electric worked with the sensitive systems for more than a year without having security clearance under Swedish law. The reason is said to have been time pressure.
Only on 30 May 2018 did the Swedish national grid sign a protective security agreement (säkerhetsskyddsavtal), that is to say, more than a year after the system was commissioned. This is despite the fact that an authority is obliged to enter into a protective security agreement if a provider may gain access to information that is covered by secrecy with regard to national security. Without such an agreement, external staff cannot be security vetted under Swedish law, with the records check by the FBI.
is very sensitive and is classified as being of importance to national security. In addition, some information about the system is secret, such as how it is configured and how the security infrastructure is designed. The technology is made up of a large number of devices – the ”RTU:s” – which are deployed in the core network, for example in substations. These collect and store data that is used for alerts and analytics.
According to DN's sources, the foreign staff are connected to the system via a dial-up connection that is initiated by Svenska kraftnät's own staff. Thus, they cannot connect on their own without help from Sweden. However, once the IT technicians are inside, they have access to the infrastructure. Given that General Electric developed the system, the company's IT technicians have deep technical knowledge of how it works. Various updates are made periodically.
Whistleblowers with insight tell DN that the people who have access to the system could in practice interfere with the electricity supply in parts of Sweden, at least temporarily. This could be done, for example, by introducing malicious code into the system.
as hacked in the high-profile attacks against the power grid in Ukraine in 2015 and 2016. Hundreds of thousands of people in the country were then left without electricity. These events have been used by several authorities and experts to point to the vulnerability of the electricity network. They have warned that similar attacks could lead to extensive damage in Sweden:
”We have also seen some denial-of-service attacks against various IT systems, and you can also, through cyber-attacks, destroy things in the physical world, for example affect the supply of electricity”, said Gunnar Karlson, the head of the Military Intelligence and Security Service (Must), to TT a week ago.
General Electric has, according to DN's sources, performed some checks of its own on its staff, in common with most other technology companies. The staff, however, have not been screened according to Swedish law, which includes a records check by the FBI. In addition to Swedish records, the FBI also checks terrorist registers that are synchronised with foreign systems via Europol and Interpol.
The commissioning of the new control system took place more than two weeks after Ulla Sandborgh took over as director-general.
if their view of the new data. The authority confirms that the new control system was commissioned on 15 March 2017 and that the protective security agreement was signed only on 30 May 2018. The press office confirms that General Electric has been working with ”third-line support and further development of the system” and that operation and management are carried out by the Swedish national grid, with its own staff.
In general, the authority is restrained in its comments to DN.
The authority writes: ”We have established that there are deficiencies in the application of the protective security agreement. We cannot comment further on what those deficiencies are. It is against this background of weaknesses in protective security that the director-general has requested supervision by our supervisory authority, the Swedish Security Service”.
that in a commercial contract from 2014 there is an appendix – ”appendix 6” – which regulates certain aspects of security. However, this is not a protective security agreement in the formal sense, and it does not give the FBI any opportunity to carry out records checks.
The Swedish national grid writes that all staff who have access to the system today have undergone records checks, but it does not want to comment on how things stood between 15 March 2017 and 30 May 2018.
DN has put the following question to the Swedish national grid: ”Between March 2017 and May 2018, did the engineers at General Electric in the United States thus help you with support and further development of the system without a protective security agreement? That is to say, they have been able to get access to the system without having security clearance under Swedish law?”.
To this question, the Swedish national grid replies in writing: ”It is not appropriate that we as a government authority detail any deficiencies and vulnerabilities in our security.”