How will the UK’s critical infrastructure deal with the new and growing threat of cybercrime?
If energy networks aren’t concerned about the threat of terrorism via cyber attack, they should be. This was the blunt message from General Keith Alexander, former first commander of United States cyber command and former director of the National Security Agency, as he spoke to delegates at Accenture’s international utilities and energy conference earlier this year.
Energy networks provide a country’s lifeblood and are a prime target for individuals or, more worryingly, organisations, looking to bring a country to its knees.
This is no idle threat. Attacks on national infrastructure have happened, and are continuing. It’s popular to use the blackout across Ukraine late last year as an example, but other instances where essential networks have been infiltrated and immobilised by hackers are not hard to find. Estonia’s digital network was paralysed by an army of botnet “zombies” in 2007 which relentlessly bombarded sites with page views until the entire system crashed. In the years since, attackers have evolved fast, exploiting new and hard-to-predict points of vulnerability in organisations, governments and infrastructure.
The potential for an attack on UK infrastructure is real and alarming. In November last year chancellor George Osborne admitted that the Islamic extremists of Isis considered National Grid a target. “They do not yet have that capability. But we know they want it, and are doing their best to build it,” he said.
Against this backdrop, energy networks are slowly transitioning into the digital era, connecting their assets to online networks and exploiting remote monitoring to improve the performance of the system. As they do this, so the number of opportunities for infiltration by the unscrupulous increases. Networks are keen to respond to this growing risk but are hindered because regulatory requirements for cybersecurity are lacking and the logical step of looking to other sectors for workable standards and best practice is linked to fear of reputational damage.
Energy networks were never designed to be modern cyber fortresses, and many parts were not even designed to go digital. This leaves information and security leaders in energy networks in a precarious situation. Paul Jenkinson, IT security and technical architecture manager at UK Power Networks, told delegates at Utility Week Live last month that he’s sure CIOs in the sector suffer sleepless nights.
If network companies weren’t aware of their potential vulnerability, last year’s attack on Ukraine should have been a wake-up call. A December power outage took 225,000 customers offline as a result of an attack by a Russian hacking group known as Sandworm. How did they infiltrate a country’s entire power grid? Three simple emails over a period of six months.
When the route to getting past an organisation’s defences is so mundane, education is key, says Andrew Barrett, head of utilities at Palo Alto Networks, a security technology company. Every employee must be informed about the risks of opening emails and taking USB sticks home, and be aware of the potential consequences of such actions, especially in the light of ever more sophisticated malware-loaded email attacks.
These systems now have the ability to specifically tailor an email to the receiver by trawling through an inbox and learning what language is most likely to get a person to click on an infected link – what do they like? What are their hobbies? Attacking a company through digital avenues such as this is relatively cheap. Defending against them is not.