The recent stand-off between the US and Iran raised fears that the UK grid could be targeted by state-sponsored hackers. Network asked Professor Roger Kemp and Ahmed Kotb at the Institution of Engineering and Technology about the risks.
What's the potential worst-case scenario for a state-sponsored cyber-attack on our electricity networks?
Professor Roger Kemp, IET's Energy Policy Panel: The worst-case scenario has to be a complete shut-down of the GB network, requiring a black-start to restore power, which takes four days or so. This is unlikely to happen but it is possible."
In your view, how well are the electricity networks prepared for a cyber-attack?
The impression is that the traditional network is fairly robust - mainly because it uses a lot of special purpose SCADA (Supervisory Control And Data Acquisition) systems that are isolated from the Internet and that use coding structures very different to the computer systems with which hackers are probably familiar. I am less certain, however, about newer systems, such as the smart meter system, which has many more access points and uses communication protocols closer to those in other sectors.
Networks now have more distributed generation and battery storage connected, presumably adding to cyber vulnerability?
What matters to grid stability is the total generating capacity that could be shed or reconnected in one event. During the August power outage, as quoted in the Ofgem report, the "cumulative loss of 1,131MW of generation caused a rapid fall in frequency which in turn caused a further 350MW of embedded generation to disconnect from the system under rate of change of frequency (RoCoF) protection.
If a cyber-attack on some solar farms or battery systems has an impact limited to a few hundred MW, it would be unlikely to cause a widespread loss of supply. However, numbers are increasing and it is not difficult to see a future situation where it is possible to cause a supply capacity swing in excess of 1.5GW from technically similar renewable energy sources or battery storage etc.
Further into the future, it is possible to envisage a lot of stuff ‘behind the meter' being more vulnerable than the conventional network. Vehicle to grid (V2G) battery charging and other short-term loads (or supplies) could be problematic.
It's often said that staff are the greatest weakness in cyber security - what should the networks be doing about this?
Ahmed Kotb, IET digital lead: Cybersecurity awareness and training for staff is critical for protecting business and cyber threats. While companies' staff are their greatest asset, they can also be the greatest weakness. Ensuring that all members have a good understanding of cybersecurity is key. Furthermore, those that operate the technology on a day-to-day basis should be aware of where vulnerabilities could come from, should scan the infrastructure and identify weak points and anticipate how an attack may occur. Being proactive is a must when it comes to being fully secure.
Has the introduction of the EU-derived NIS Regulations (in effect from May 2018) made a difference to cybersecurity in the energy sector?
The purpose of the Security of Network and Information Systems Regulations is to enhance cybersecurity for operators of essential services. While it is still relatively early days, the NIS Regulations [derived from European Union Directive 2016/1148] has helped create a journey for the energy sector, as well as organisations working on critical national infrastructure, setting a trail that many others will learn from and follow. As our technology dependencies and collective liabilities continue to increase, this will be an important focus for organisations.
Cyber-attacks often go unreported - what is your assessment of the number or frequency of attacks on our national critical infrastructure?
Even though cyber-attacks occur with great frequency and intensity around the globe, many either go unreported or are underreported. This leaves the public with a false sense of security about the threat they pose and the lives and property they impact.
As mentioned, the NIS Regulations are in place to help support reporting and forces organisations to engage or risk fines. Within the UK the National Cyber Security Centre would be keen to ensure that UK national assets are secure and safe.