Issue link: https://fhpublishing.uberflip.com/i/1078368
NETWORK / 25 / FEBRUARY 2019

he adds.

India Redrup, policy executive, generation, at trade body Energy UK, confirms that a major cyber-attack against critical national infrastructure in Britain is a "top-tier threat to national security". She adds: "Suffering the most severe form of cyber-attack leading to sustained loss of essential services, severe economic or social consequences, or a loss of life, is considered a matter of 'when', not 'if'."

Are DNOs and DSOs at risk?

The reality is that any system relying on software technology to help distribute energy is a potential target. Redrup explains that the move by hackers in recent years to expand their focus beyond traditional IT networks to encompass operational technology targets such as machines, systems and networks directly used to generate and disseminate power means that all energy infrastructure is potentially vulnerable. "Operational technology cyber-attacks go beyond stealing data to potentially shutting down power grids and causing significant harm," she adds.

Whitehouse believes that energy networks may be vulnerable because of the age of some of their technologies. "They [rely] on a number of ageing technologies with relatively low levels of cyber resilience," he says. These include supervisory control and data acquisition (SCADA) systems and industrial distributed control systems. Whitehouse adds: "These systems are exposed to significantly more vulnerabilities than others due to their extended lifespans, lack of relative maturity, low levels of security engineering and critical remote code execution issues."

As one example, Stuxnet was able to wreak havoc by targeting Iranian SCADA systems and programmable logic controllers to disrupt Iran's nuclear programme. The UK National Cyber Security Centre (NCSC), the part of GCHQ set up to help protect critical services from cyber-attacks and manage major incidents, provides another.
The NCSC says that since 2011 a cyber-espionage group has allegedly been targeting industrial control system software at energy companies. In its latest campaign, the group, which has a history of targeting companies through their supply chains, successfully 'trojanised' legitimate industrial control system (ICS) software, the NCSC says. To do so, the group compromised the websites of ICS software suppliers and replaced legitimate files in their repositories with their own malware-infected versions.

"Subsequently, when the ICS software was downloaded from the suppliers' websites it would install malware alongside legitimate ICS software," the NCSC explains. "The malware included additional remote access functionalities that could be used to take control of the systems on which it was installed."

The organisation adds that "compromised software is very difficult to detect if it has been altered at the source, since there is no reason for the target company to suspect it was not legitimate. This places great reliance on the supplier, as it's not feasible to inspect every piece of hardware or software in the depth required to discover this type of attack."

Assessing systems

As a matter of priority, SCADA and other industrial control systems at power and gas networks should be assessed to determine how secure they are, says Whitehouse. "A general reluctance to actively assess the

10 Steps to Cyber Security

Defining and communicating your Board's Information Risk Regime is central to your organisation's overall cyber security strategy. The National Cyber Security Centre recommends you review this regime – together with the nine associated security areas described below, in order to protect your business against the majority of cyber attacks.

Set up your Risk Management Regime: Assess the risks to your organisation's information and systems with the same vigour you would for legal, regulatory, financial or operational risks. To achieve this, embed a Risk Management Regime across your organisation, supported by the Board and senior managers. Produce supporting risk management policies. Make cyber risk a priority for your Board. Determine your risk appetite.
Secure configuration: Apply security patches and ensure the secure configuration of all systems is maintained. Create a system inventory and define a baseline build for all devices.
Managing user privileges: Establish effective management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.
Network Security: Protect your networks from attack. Defend the network perimeter, filter out unauthorised access and malicious content. Monitor and test security controls.
Incident management: Establish an incident response and disaster recovery capability. Test your incident management plans. Provide specialist training. Report criminal incidents to law enforcement.
User education and awareness: Produce user security policies covering acceptable and secure use of your systems. Include in staff training. Maintain awareness of cyber risks.
Monitoring: Establish a monitoring strategy and produce supporting policies. Continuously monitor all systems and networks. Analyse logs for unusual activity that could indicate an attack.
Malware prevention: Produce relevant policies and establish anti-malware defences across your organisation.
Home and mobile working: Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline and build to all devices. Protect data both in transit and at rest.
Removable media controls: Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing onto the corporate system.

For more information go to www.ncsc.gov.uk @ncsc

