Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/1094485
UTILITY WEEK | 22ND - 28TH MARCH 2019 | 19
Operations & Assets

Five top takeaways
1. Third party contractors do not always appreciate the cyber threat.
2. Physical barriers are the first line of defence.
3. A system's integrity must be maintained over different pieces of equipment and different networks.
4. Smaller sites can often be ignored but can be the Achilles' heel of a system.
5. The new NIS regulations make cyber security a legal obligation on utilities.

The new NIS regulations are explored more fully in the analysis, p20

Views from the table:

"I think it is quite obvious that people are one of the easiest ways into any organisation.
"You can make things very technically secure, physically secure, but if someone opens the door for you it is easy to get in."
Steven Gough, DSO technical authority at SSEN

"We have to reduce our costs, we have to do things faster but not at the sacrifice of security wherever we can. It is difficult balancing almost on a daily basis."
Nick Needham, cyber security and resilience manager, Severn Trent

"As a sector we are open to people to come and give us advice on how we should be looking to protect our assets.
"The problem we have is everyone says 'we have the box that does everything for you'."
Paul Smith, CISO, United Utilities

One delegate said they have used the NIS framework as a "strategy" as well as a regulatory requirement.

For the final part of the roundtable, delegates were asked to consider the cyber security challenges faced by organisations transitioning to new business models, including interconnections with external third-party networks over which they have no control.

One delegate posed the question of how utility companies can ensure other companies that are using Internet of Things-type technology are compliant and deal with security issues.
The example of Amazon Alexa-enabled devices was cited, where customers have reported the talk-activated technology being used by opportunists ordering online products by simply talking through an open window.

The group then considered how such devices pose a risk to security. In one example, one delegate wondered if someone would be able to hack into a heating system through a device such as Alexa.

Another was of the view that not all customers are technically savvy and may be unaware of the risks posed by leaving the technology unprotected.

Further concerns were raised about the difference between physical protection and cyber protection.

One delegate said: "People will do things on site with technology because they can, it's not a big deal. But they won't go on site without their hard hat because that is heavily regulated and they will lose their job."

Another agreed. They said: "When it comes to technology, because it is so varied, it is less prescriptive.

"There are some standards of protection but you are basically down to your own principles of how you verify and construct the controls around those assets as to how secure they are."