Utilities must act now and prioritise action to prevent potential security breaches and ensure security of supply, writes Jon Longstaff, head of Cyber Security (EMEA) at OMNETRIC Group.
The Directive on Security of Network and Information Systems (NIS Directive), which aims to create a common level of network and information systems security within the EU, was first adopted by the European Parliament's plenary last year. Representing the first EU-wide rules on cybersecurity for the energy, transport and water sectors, the Directive has important implications for utilities and, more specifically, those managing the electrical grid.
Despite the UK leaving the European Union, we think it is highly likely that the NIS Directive will be incorporated into UK law, following the approach taken with GDPR. Besides, whatever your stance on European politics, the Directive calls for changes in behaviour that are worth fostering. Given the government's creation of the new National Cyber Security Centre (NCSC), the principles of NIS align with its stated position of protecting critical national infrastructure.
A key part of the Directive mandates specific incident warnings and reporting obligations by companies. When the NIS Directive becomes law, which is expected to happen in 2018, utilities will have to share details of certain security breaches and incidents under new criteria and will no longer be free to selectively report to regulators.
While it might not have felt like a priority to date, there is little time left until the mandate comes into force. It's crucial that utilities act now to prioritise action, proactively knowledge-share across the industry and hire the right talent to ensure they are ready for the challenges - and opportunities - ahead.
Moving cybersecurity to the top of the agenda
The ability for utilities to provide a reliable power supply is fundamental. Cyber attacks on utilities, especially those that threaten the performance of the grid, can have very damaging effects for a region or country. For example, the 2015 incident in Ukraine - the first cyber attack of its kind to cause a mass power outage - cut the lights to 225,000 homes in the western part of the country. There is also evidence that this was followed up by a repeat attack in late 2016.
Yet, despite the quite literally gloomy consequences of cyber attacks, it seems that many utilities are not yet prepared. A report by EY found that only 11% of utilities surveyed agreed their current information security measures adequately met their organisation's needs. A concerning 60% stated that they were running no or, at best, informal threat assessments. Only 15% of those senior management staff responsible for cyber security had direct reporting lines to their board.
With the very real threat of widespread disruption in the wake of a cyber attack, and more legislation as a result, organisations must ensure that security teams have direct access to decision makers. That access is about prevention and protection, as well as ensuring the mobilisation and focus of the right people in times of crisis.
Sharing what we know
Cyber attacks on any critical infrastructure will typically make for events shrouded in mystery, with breaches - either successful or attempted - often going unreported. This seriously limits the opportunity to share lessons learned. Moreover, this industry-wide behaviour makes utilities even more vulnerable to attackers.
The NIS Directive will enforce best practice information and ‘lessons learnt’ sharing. That does not mean, however, that utilities need, or should, wait to start sharing; quite the contrary. Time is of the essence, and utilities should look to develop collaboration groups drawing on partners, government teams, community networks and industry vendors to elicit lessons and share ideas.
Some such groups do exist and we need to do all we can to encourage them. As an industry, we also need to be particularly mindful of sharing information across the breadth of the supply chain, working with those teams that operate in collaboration with utilities.
By sharing different cyber prevention strategies and challenges, utilities stand a better chance of limiting the impact of hackers. In our experience, this is an opportunity worth pursuing.
Investing in the right talent
Defending the utility grid needs the right technology, processes and, above all, people. The additional driver of NIS will only make the difficult task of recruiting harder, as utilities seek staff who understand how they work and how they are different from many other industries.
A utility cannot simply shut down or isolate its systems during or following a breach in the same way that other organisations would do. In the event of an attack, the primary concern for utilities is almost always ‘is the system still running and can we manage the breach without interrupting supply?’.
As a result, utilities should not just hire defenders. We see a need to bring a range of talent to the fore, including IT experts and engineers but, above all, security experts with utility backgrounds. These professionals understand the operations involved in running the grid, as well as the complex underlying systems.
The NIS Directive has the potential to go a long way in counteracting the rising risk of cyber based disruption to the grid and minimising its impact. But the industry will need to move swiftly to shift mindsets and change practices if the mandate is to be effective. Attackers are frighteningly agile and, as potential targets, we need to be as well.