Keeping networks safe

It was almost like the beginning of a James Bond film.

Ciaran Martin, chief executive of the National Cyber Security Centre, stood up and delivered a stark warning about the escalating threat posed by hackers.

“Russian interference, seen by the National Cyber Security Centre, has included attacks on the UK media, telecommunications and energy sectors,” he told delegates at The Times Tech Summit in November.

“That is clearly a cause for concern – Russia is seeking to undermine the international system. The prime minister made the point on Monday night – that international order as we know it is in danger of being eroded.”

Russia has repeatedly denied state hacking claims but whoever is behind various attacks, the threat appears real. Martin urged UK companies to ensure they had security measures in place.

A decent idea of what can happen to power supplies in the event of a cyber attack was given when parts of the Ukraine were hit by power cuts at the end of 2015 and 2016. Researchers in the country are said to have blamed the blackouts on criminal groups,¹ while president Petro Poroshenko has reportedly warned of a ‘cyberwar’² against the Ukraine.

Robert Pritchard, founder of consultancy The Cyber Security Expert, says power firms have a number of threats to be concerned about. “Most of these will not be targeted, or at least not targeted at disrupting power, but can still cause issues, as the recent NotPetya ransomware worm has shown,” he says.

While there is some debate whether the NotPetya attack was designed to make money or to disrupt business, there is little doubt it caused problems for many companies around the world earlier this year.³

 

Changing face of the network

A key factor in the increased cyber risk to UK power distribution firms is the changing nature of the network itself.

Development of the so-called smart grid, where sophisticated control systems are used to manage an ever-more complex supply and demand balance, means the amount of industry data in existence is growing rapidly.

The grid of the future, with its local sustainable sources, and new end markets such as electric vehicles, will require more systems to manage data than the more simplistic plant-to-home network of the past. It is these systems that could potentially be targeted by hackers.

It is not a risk that has passed the industry by. Some serious work is taking place behind closed doors to try to make sure cyber security evolves as quickly as the network itself.

“The UK’s gas and electricity networks are respected the world over for their performance and resilience, which includes providing cyber-security for what is a piece of critical national infrastructure,” says Energy Networks Association (ENA) head of public affairs Ed Gill.

“Network companies regularly review their cyber-security policies to ensure the right measures are in place to counter any potential threat, both now and in the future.”

Collaboration is seen as a critical weapon in defending the networks, and the government is helping bring the industry together to fight this battle.

“Through the Department for Business, Energy and Industrial Strategy’s Energy Emergency Executive Committee task groups and ENA’s Cyber Security Working Group, network companies have established ways of identifying, assessing and responding to long-term cyber-security threats in a cross-industry, strategic fashion,” says Gill.

“This work includes undertaking regular industry standard benchmarking, the developing of common standards for specific areas of infrastructure and ensuring that those people working for network companies and their supporting supply chain understand the role they play in managing threats.”

 

Security is key

Scottish and Southern Electricity (SSE) networks director of business assurance Bev Keogh says cyber security is now at the heart of the firm’s work.

“As the owner and operator of part of the UK’s critical national infrastructure, cyber security isn’t just an additional responsibility or a bolt-on,” she says.

SSE has invested in a long-term security programme, and is incorporating security into the design of its systems as well as conducting regular IT testing. 

“We have also looked to educate our teams about good cyber security behaviours and have a compulsory security awareness and e-learning programme,” says Keogh.

“As well as ensuring security of systems, we work in close collaboration with government and wider industry to share knowledge and help understand the increasing sophistication and prevalence of threats worldwide. It’s an issue we take very seriously.”

Pritchard says getting a grip of the scale and nature of potential threats is tricky as there is so much secrecy applied to cyber security.

“A big problem is that details are hard to come by in the public domain,” he says. “In the Ukraine there were two power cuts caused by people hacking into controlled networks, the impact was relatively shortlived and limited but they demonstrated it was possible and needs to be taken seriously.

“There is a possibility of someone trying to disrupt power supplies but a low probability of it succeeding in the UK. The attacks in Ukraine have served as a wake-up call and also the UK has been taking this seriously since the 90s.”

Pritchard, who has worked with the government and power firms in his 15 years working in this field, says a key step is separating corporate and power networks.

“Power firms need to make sure critical networks are segregated from corporate networks either completely or using well locked down gateways and access points,” he says.

“They need to put extra protections on the critical networks so if someone makes a mistake on the corporate networks it doesn’t impact the power distribution network.”

He says creating a tight IT system is the basic groundwork to protecting your power supply.

“If it’s not a well-managed IT network it is hard to secure.”

Pritchard adds that although much of the focus has been on protecting power supplies, by keeping networks locked down, a change in legislation next year could make security of the data itself very important.

The General Data Protection Regulation (GDPR) will apply from 25 May 2018. Fines for breaching the strict new laws could be as high as €20m (about £18m).

 

Advice

Keeping abreast of developments in cyber security requires experts who stay up-to-date, says Pritchard.

“It is hard to keep up with it – the threats change, new technologies come along. The defence strategies don’t change that much but you need to refresh your knowledge.”

He says there are no “magic bullets” to protect against cyber threats, but outlines a series of solid steps to take.

“Critical networks should be segregated entirely, or at least have high controlled and limit access. Corporate networks should be subject to good IT management.

“Firms should implement security monitoring in some form, and be providing awareness training to staff. In terms of standards compliance there are plenty to choose from – ISO 27001 is widespread, and Cyber Essentials is becoming popular in the UK.”

Although protecting against an attack should be the priority, there also needs to be consideration of what to do if things do go wrong.

“There is no excuse for a power company not to have planned for the worst, and they should be operating on the assumption that a successful attack is inevitable,” says Pritchard.

“The incident management process should allow for rapid analysis of any incident, and have the processes in place to isolate and recover quickly.” 

Perhaps we shouldn’t be surprised that there is much to do. Martin said in his speech that getting to grips with cyber security was the next challenge of the digital age.

“My point is before we get onto things like robots reading books on trains, we need to understand stuff like this. We need to think about attacks that do damage to individual corporations and people’s confidence in the digital economy.”

References:

1. https://tinyurl.com/zfkzoua

2. https://tinyurl.com/ya5onol4

3. https://tinyurl.com/yb9wxkl2

---

Comments

Login on register to comment

Login Register