Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/1094485
18 | 22ND - 28TH MARCH 2019 | UTILITY WEEK Operations & Assets Roundtable Covent Garden Hotel, London, 1 March 2019 Keeping up with cyber security Cyber threats are one of the biggest issues facing utilities and you are only as good as your weakest link. A Utility Week roundtable supported by Cisco discussed some key areas of vulnerability. Adam John was there. O rganisational weak links were at the top of the agenda as utility indus- try leaders met at the Covent Garden Hotel last month. Identifying these weak cyber links in utility organisations has become a priority in recent years. Responding to the question of where the potential weakest links lie, one delegate expressed concern about third parties not understanding cyber security and the risks that surround it. "You have got a lot of third parties bring- ing offerings to bear who don't necessarily understand cyber security, in some cases in its most basic form, potentially exposing networks and organisations to big risk," the attendee said. Another delegate described a real-life sce- nario where malware had been present on a laptop used on a utility site, which was then unintentionally uploaded into the system. In this case a technician had used the internet technology brings comes the problem of how to maintain the integrity of the system across multiple pieces of equipment and networks. The group discussed this issue in some depth. Delegates were asked how utility com- panies could ensure their remote workers are maintaining the integrity of the supply system. Several championed the need for authenticating employees and having a sys- tem of security clearance for others. One said: "For our critical sites we have to have security clearance for those who have the ability and understanding to create a problem. "We will stipulate in contracts that there is a requirement for levels of clearance or vetting to be done." Another described how focus in the water sector is o‰en on big asset sites as opposed to smaller and more vulnerable sites. They said: "In our sector there has been a lot of focus over the years on protecting those big water treatment sites and that physical protection. "Actually the weakest point in the distri- bution network is very o‰en in the service reservoirs where the final chlorination goes into the water before it goes into the custom- er's taps. "Those are unmanned sites, or sites that someone might go to once a week depending on whether there is an outage or a problem." Security compliance The discussion then moved on to whether utilities were complying with the regulation of security of network and information sys- tems (the Network and Information Systems regulation, or NIS), and if there were any common areas where companies were failing to comply. Introduced by the European Union, NIS is intended to establish a common level of security for the IT networks of those operat- ing essential services. One delegate described how their com- pany complied with the NIS regulations, specifically looking forward to protecting against future threats. They said: "Whenever we are starting to design these new systems, we have a big focus on the impact of cyber security. "We make sure we design the system inherently cyber secure, that we understand the risks and the potential areas they can be compromised and, also, what the broader impact is. "We need to start understanding the implications of every architectural decision we'll make and every interface we use." to resolve an issue and the malware was sub- sequently uploaded in the process. "Even if you segregate operational tech- nology and information technology net- works, there is no air gap. The trouble is engineers are engineers, and they will do whatever they can to make something work," they said. Ensuring IT systems are secure has become a paramount concern, yet physical barriers are still needed to prevent people who wish to do harm from entering a site, as one delegate was keen to point out. "I think it is quite obvious that people are one of the easiest ways into any organisation. You can make things very technically secure, physi- cally secure, but if someone opens the door for you it is easy to get in." Developments in technology over the past two decades have allowed organisations to utilise remote workers, such as employ- ees working via laptops. Yet with the ease