Dealing with the digital enemy: the rise of cybercrime

If energy networks aren’t concerned about the threat of terrorism via cyber attack, they should be. This was the blunt message from General Keith Alexander, former first commander of United States cyber command and former director of the National Security Agency, as he spoke to delegates at Accenture’s international utilities and energy conference earlier this year.

Energy networks provide a country’s lifeblood and are a prime target for individuals or, more worryingly, organisations, looking to bring a country to its knees.

This is no idle threat. Attacks on national infrastructure have happened, and are continuing. It’s popular to use the blackout across Ukraine late last year as an example, but other instances where essential networks have been infiltrated and immobilised by hackers are not hard to find. Estonia’s digital network was paralysed by an army of botnet “zombies” in 2007 which relentlessly bombarded sites with page views until the entire system crashed. In the years since, attackers have evolved fast, exploiting new and hard to predict points of vulnerability in organisations, governments and infrastructure.

The potential for an attack on UK infrastructure is real and alarming. In November last year chancellor George Osborne admitted that the Islamic extremists of Isis considered National Grid a target. “They do not yet have that capability. But we know they want it, and are doing their best to build it,” he said.

Going digital

Against this backdrop, energy networks are slowly transitioning into the digital era, connecting their assets to online networks and exploiting remote monitoring to improve the performance of the system. As they do this, so the number of opportunities for infiltration by the unscrupulous increases. Networks are keen to respond to this growing risk but are hindered because regulatory requirements for cybersecurity are lacking and the logical step of looking to other sectors for workable standards and best practice is linked to fear of reputational damage.

Energy networks were never designed to be modern cyber fortresses, and many parts were not even designed to go digital. This leaves information and security leaders in energy networks in a precarious situation. Paul Jenkinson, IT security and technical architecture manager at UK Power Networks told delegates at Utility Week Live last month that he’s sure CIOs in the sector suffer sleepless nights.

If network companies weren’t aware of their potential vulnerability, last year’s attack on Ukraine should have been a wake-up call. A December power outage took 225,000 customers offline as a result of a Russian hacking group known as Sandworm. How did they infiltrate a country’s entire power grid? Three simple emails over a period of six months.

 

When the route to getting past an organisation’s defences is so mundane, education is key, says Andrew Barrett, head of utilities at Palo Alto Networks, a security technology company. Every employee must be informed about the risks of opening emails and taking USB sticks home, and be aware of the potential consequences of such actions, especially in the light of ever more sophisticated malware-loaded email attacks.

These systems now have the ability to specifically tailor an email to the receiver by trawling through an inbox and learning what language is most likely to get person to click on an infected link – what do they like? What are their hobbies? Attacking a company through digital avenues such as this is relatively cheap. Defending against them is not.

Adopting standards

They key to avoiding the worst consequences of a cyber attack is knowing how to defend yourself, and this involves putting robust standards for system operation in place across operation technology and IT platforms.

Ofgem offers little guidance today as to what is considered either essential or best security practice for energy networks, and in this vacuum Jenkinson says UKPN looks for non-sector-specific IT standards to adopt.

This can only be a smart move. Compared with other sectors, utilities are relatively late to the digitisation game and there is much they can learn from sectors that have already discovered the weaknesses this process can expose.

Sadly, learning from others is not always straightforward, because fear of reputational damage often means that cyber attacks on firms go unreported. The attack on telecoms company TalkTalk demonstrates why this is the case. Only 4% of the company’s four million customers were affected, and none of those customers lost any money. But as a result of its handling of the event, the company lost 101,000 customers and suffered costs totalling £60 million.

Jenkinson believes there is a role for better regulation in defending against cybercrime, but he cautions against a prescriptive approach which would lead to “tick-box” security. Jenkinson also said the Network Innovation Alliance (NIA) should be used more widely to fund cybersecurity innovation alongside other operations such as asset maintenance and data analytics.

Some networks are already doing this. National Grid Electricity Transmission launched two projects in January this year. The first is designed to improve the cybersecurity culture in operational areas.

The second will define a framework to reduce cyber risk by procuring intelligent assets. National Grid says that because there is a lack of awareness when purchasing, upgrading and deploying IT and operational technology assets, vulnerabilities and malware are introduced. Both projects are due to take four years.

Beyond using NIA funds, National Grid has also invested heavily in its data centres in order to strengthen its defences. National Grid Gas Transmission is forecast to overspend the totex allowance for its system operator role by £177.5 million by 2021 because of increased spending in this area. It was awarded over £35 million to upgrade existing data centres, but decided that new ones would be more resilient. It is currently consulting with the Department of Energy and Climate Change (Decc) to determine the kind of cybersecurity that will be necessary for these centres.

Crippled by fear

Faced with such dire consequences from a cyber attack, it would be easy for energy networks to simply batten down the hatches. But a lockdown on data sharing with innovative SMEs and other networks would be damaging to innovation and the evolution of smart, sustainable grids, which we sorely need to accelerate.

Jenkinson is confident that gas and power networks will not become paralysed by fear. But Casey Cole, managing director of smart heat metering company Guru Systems, is less optimistic. Lack of expertise and a common view that data sharing may give away potential commercial advantage, as well as exposing a company to potential legal and security challenges, have led to a protectionist data culture in the young UK heat sector, he says.

Such concerns are unsurprising. Firms face a £500,000 fine under the Data Protection Act if data is mishandled, but Cole insists data sharing is the only way the heat sector will mature.

Adopting common standards like ISO 27001 and Cyber Essentials can help companies overcome cyber paranoia, but standards are not always helpful. Network operators have been bombarded over the past few years with a plethora of new security standards covering the smart grid, such as EU Smart Grid Information Security and NIST IR 7628. To help provide a definitive source, PA Consulting has worked with the Energy Networks Association to provide utility organisations with clear direction about what the standards are and where to find them. The ENA will publish its report next month.

If networks feel underprepared for the challenges they face, they can take comfort from the fact that others who should feel like an iron fortress are in the same boat. Even General Alexander did not manage to keep all the attackers out. All he could do was limit the damage once a criminal was in, learn from it, and try and make his system slightly more difficult to breach next time.

---

Comments

Login on register to comment

Login Register