Issue link: https://fhpublishing.uberflip.com/i/690456
NETWORK / 8 / JUNE 2016 I f energy networks aren't concerned about the threat of terrorism via cyber attack, they should be. This was the blunt message from General Keith Alexander, former first commander of United States cyber command and former director of the National Security Agency, as he spoke to delegates at Accenture's international utilities and energy conference earlier this year. Energy networks provide a country's life- blood and are a prime target for individuals or, more worryingly, organisations, looking to bring a country to its knees. This is no idle threat. Attacks on national infrastructure have happened, and are continuing. It's popular to use the blackout across Ukraine late last year as an example, but other instances where essential networks have been infiltrated and immobilised by hackers are not hard to find. Estonia's digital network was paralysed by an army of botnet "zombies" in 2007 which relentlessly bombarded sites with page views until the entire system crashed. In the years since, attackers have evolved fast, exploiting new and hard to predict points of vulnerability in organisations, governments and infrastructure. The potential for an attack on UK infrastructure is real and alarming. In November last year chancellor George Osborne admitted that the Islamic extremists of Isis considered National Grid a target. "They do not yet have that capability. But we know they want it, and are doing their best to build it," he said. Going digital Against this backdrop, energy networks are slowly transitioning into the digital era, connecting their assets to online networks and exploiting remote monitoring to improve the performance of the system. As they do this, so the number of opportunities for infiltration by the unscrupulous increases. Networks are keen to respond to this growing risk but are hindered because regulatory requirements for cybersecurity are lacking and the logical step of looking to other sectors for workable standards and best practice is linked to fear of reputational damage. Energy networks were never designed to be modern cyber fortresses, and many parts were not even designed to go digital. This leaves information and security leaders in energy networks in a precarious situation. Paul Jenkinson, IT security and technical architecture manager at UK Power Networks told delegates at Utility Week Live last month that he's sure CIOs in the sector suffer sleepless nights. If network companies weren't aware of their potential vulnerability, last year's attack on Ukraine should have been a wake-up call. A December power outage took 225,000 customers offline as a result of a Russian hacking group known as Sandworm. How did they infiltrate a country's entire power grid? Three simple emails over a period of six months. When the route to getting past an organisation's defences is so mundane, education is key, says Andrew Barrett, head of utilities at Palo Alto Networks, a security technology company. Every employee must be informed about the risks of opening emails and taking USB sticks home, and be aware of the potential consequences of such actions, especially in the light of ever more sophisticated malware-loaded email attacks. These systems now have the ability to specifically tailor an email to the receiver by trawling through an inbox and learning what language is most likely to get person to click on an infected link – what do they like? What are their hobbies? Attacking a company through digital avenues such as this is relatively cheap. Defending against them is not. Adopting standards They key to avoiding the worst consequences of a cyber attack is knowing how to defend yourself, and this involves putting robust standards for system operation in place across operation technology and IT platforms. Ofgem offers little guidance today as to what is considered either essential or best security practice for energy networks, and in this vacuum Jenkinson says UKPN looks for non-sector-specific IT standards to adopt. This can only be a smart move. Compared with other sectors, utilities are relatively late to the digitisation game and there is much they can learn from sectors that have already discovered the weaknesses this process can expose. Sadly, learning from others is not always straightforward, because fear of reputational damage ošen means that cyber attacks on firms go unreported. The attack on telecoms company TalkTalk demonstrates why this is the case. Only 4% of the company's four million customers were affected, and none of those customers lost any money. But as a result of its handling of the event, the company lost 101,000 customers and suffered costs totalling £60 million. Jenkinson believes there is a role for better regulation in defending against cybercrime, but he cautions against a prescriptive approach which would lead to "tick-box" security. Jenkinson also said the Network Innovation Alliance (NIA) should be used more widely to fund cybersecurity innovation alongside other operations such as asset maintenance and data analytics. Some networks are already doing this. National Grid Electricity Transmission launched two projects in January this year. The first is designed to improve the cybersecurity culture in operational areas. The second will define a framework to reduce cyber risk by procuring intelligent assets. National Grid says that because there is a lack of awareness when purchasing, upgrading and deploying IT and operational technology assets, vulnerabilities and malware are introduced. Both projects are due to take four years. Beyond using NIA funds, National Grid CYBERSECURITY 1,500 2005 2007 2009 2011 2013 2015 1,000 500 0 n Hacking n Malware n Social n Error n Misuse n Physical n Environmental Number of breaches per threat action category over time