Issue link: https://fhpublishing.uberflip.com/i/1078368
CYBER SECURITY

security of these systems also means that the full extent of exposure for organisations using them is often not properly understood at a senior management level," he cautions.

It's not just a matter of safeguarding current operational technologies, the experts say. As the smart grid develops in scope and sophistication, so does the potential level of vulnerability caused by so many devices being connected to the Internet. "An increasingly digital and connected world creates both greater opportunity as well as heightened cyber exposure for critical infrastructure," Redrup says.

The smart grid of the future will require greater levels of protection as it becomes increasingly connected. That will entail a more rigorous approach to cyber security when implementing future technologies. "Smart grids should mandate a far greater degree of rigour and transparency around cyber security from their designers, suppliers, implementers and operators than they do today," says Whitehouse.

"We need to ensure that security is considered from the outside, is continually evolving and that updates are rolled out in the operational technology world similarly to how they are used in the IT world," he concludes.

NETWORK / 26 / FEBRUARY 2019

Staying secure: measures to protect power and gas networks from cyber-attacks

1. Keep abreast of the threat. The UK National Cyber Security Centre's (NCSC) quarterly critical national infrastructure threat bulletin provides an extremely valuable resource to companies in the energy sector, especially when combined with those of existing sector-wide channels such as the Energy Emergencies Executive Cyber Security Group, the Energy Systems Information Exchange, and Energy UK's own Cyber Security Working Group.

2. Embrace the NIS Directive and ISO 27001 accreditation. The EU Security of Network and Information Systems Directive (NIS Directive) became law in the UK in May 2018. It requires operators of essential services such as power and gas to undertake "appropriate and proportionate security measures to manage risks to their network and information systems" and notify serious incidents to the relevant national authority. The participation of industry is crucial in the implementation of the directive, says the UK NCSC. ISO 27001, meanwhile, is a specification for an information security management system (ISMS). The ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

3. Ensure staff are alert to phishing – the practice of sending emails purporting to be from reputable companies to get individuals to reveal information. The most common type of cyber-attack is phishing scams, Energy UK says. "Phishing and spear-phishing emails remain the most common [cyber] attack vectors. Many members had a number of surges last year where significant numbers of staff received similarly structured emails. In each case, any common URLs were blocked, as were any common source email addresses."

4. Quickly fix known vulnerabilities, usually via patching, and improve network security. Failure to fix vulnerabilities is likely to result in increased risk of compromise of systems and information, the NCSC says. The connections from companies' networks to the Internet and other partner networks also expose systems and technologies to attack. An organisation's networks can span many sites, the use of mobile or remote working, and cloud services, making defining a fixed network boundary difficult. Think about where data is stored and processed, and where an attacker would have the opportunity to interfere with it, the NCSC says.

5. Manage user privileges. If users are provided with unnecessary system privileges or data access rights, then the impact of misuse or compromise of that user's account will be more severe than it need be, the NCSC says.

6. Educate users. All the users at an infrastructure company have a critical role to play in keeping the organisation secure. Systematic delivery of awareness programmes and training can increase security expertise as well as helping to establish a security-conscious culture, the NCSC points out.

[Figure: Industrial Control System malware, Example 1: third-party software provider. Labels: cyber-attacker, 3rd-party software vendor, trojanised software, industrial control system. Source: UK National Cyber Security Centre]
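Point 3 above describes how member companies handled phishing surges: many staff received similarly structured emails, and the common URLs and source addresses were then blocked. The script below is an added example, not code from the article, Energy UK or the NCSC, of how a mail-gateway log could be screened for such a surge and how candidate block-list entries could be derived from it for analyst review. The pipe-separated log format, the field layout, the thresholds (ten-minute window, four distinct recipients) and every sample line are constructed assumptions.

```python
"""Detect a phishing 'surge' in constructed mail-gateway log lines and derive
candidate block-list entries (common URLs and sender addresses).

Added example; not the article's, Energy UK's or the NCSC's code.  The log
format, thresholds and all sample lines below are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: ISO timestamp | sender | recipient | subject | first URL in body
SAMPLE_LOG = """\
2019-02-04T08:01:10 | invoice@billing-portal.example | a.smith@gridco.example | Invoice 4471 overdue | http://billing-portal.example/pay
2019-02-04T08:01:14 | invoice@billing-portal.example | b.jones@gridco.example | Invoice 9032 overdue | http://billing-portal.example/pay
2019-02-04T08:01:22 | invoice@billing-portal.example | c.khan@gridco.example | Invoice 1187 overdue | http://billing-portal.example/pay
2019-02-04T08:02:05 | accounts@billing-portal.example | d.lee@gridco.example | Invoice 5520 overdue | http://billing-portal.example/pay
2019-02-04T08:02:40 | invoice@billing-portal.example | e.wu@gridco.example | Invoice 7764 overdue | http://billing-portal.example/pay
2019-02-04T09:15:00 | hr@gridco.example | a.smith@gridco.example | Team meeting moved | https://intranet.gridco.example/cal
2019-02-04T11:30:00 | news@vendor.example | b.jones@gridco.example | Product update March | https://vendor.example/news
"""

LINE_RE = re.compile(r"^(\S+) \| (\S+) \| (\S+) \| (.*?) \| (\S+)$")


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sender, rcpt, subject, url = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender.lower(),
                       "recipient": rcpt.lower(), "subject": subject, "url": url})
    return events


def subject_template(subject):
    """Collapse digit runs so 'Invoice 4471 overdue' and 'Invoice 9032 overdue'
    map to one template: the 'similarly structured' emails the text describes."""
    return re.sub(r"\d+", "#", subject).lower()


def find_surges(events, window=timedelta(minutes=10), min_recipients=4):
    """Group events by (subject template, URL).  A surge is a group that reaches
    min_recipients distinct recipients inside any sliding window of `window`."""
    groups = defaultdict(list)
    for e in events:
        groups[(subject_template(e["subject"]), e["url"])].append(e)
    surges = []
    for (tmpl, url), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # slide the window over time-ordered events
            in_win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            rcpts = {e["recipient"] for e in in_win}
            if len(rcpts) >= min_recipients:
                surges.append({"template": tmpl, "url": url,
                               "recipients": sorted(rcpts),
                               "senders": sorted({e["sender"] for e in in_win})})
                break
    return surges


def blocklist_candidates(surges):
    """The common URLs and source addresses shared by each surge, i.e. what the
    quoted operators blocked.  Returned for analyst review, not auto-applied."""
    urls = sorted({s["url"] for s in surges})
    senders = sorted({snd for s in surges for snd in s["senders"]})
    return {"urls": urls, "senders": senders}


if __name__ == "__main__":
    surges = find_surges(parse_log(SAMPLE_LOG))
    for s in surges:
        print(f"surge: {s['template']!r} via {s['url']} reached {len(s['recipients'])} staff")
    print(blocklist_candidates(surges))
```

On the constructed sample the five "Invoice NNNN overdue" messages, all carrying the same URL and arriving within two minutes, are reported as one surge with two source addresses, while the two legitimate internal and vendor messages are not. Normalising the subject line is what lets the detector see one campaign despite per-recipient variation; the thresholds would be tuned to the organisation's normal mail volume.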

