Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/1214913
22 | 28TH FEBRUARY - 5TH MARCH 2020 | UTILITY WEEK
Operations & Assets Analysis

To catch a thief

In this special report, Rachel Willcox investigates how energy and water utilities are using the services of ethical hackers in the war against cyber-criminals seeking to rob or vandalise your business.

Cyber-attacks represent one of the biggest operational risks facing the utility sector and ethical hackers allow you to see your systems through the lens of a cyber-criminal so you can plug security gaps.

Why the need for ethical hackers

The theft of millions of customer records, the tampering with industrial control systems to alter chemical and flow levels within the water supply, and computer bugs that bring the energy grid to a standstill – no, these are not storylines for a blockbuster thriller à la Die Hard 4, but scenarios that are giving security experts across the utility sector no end of sleepless nights.

Last year, EY ranked cyber-attacks along with extreme weather events as the biggest operational risks for utility companies. Meanwhile, a 2016 report from Cambridge University's Centre for Risk Studies found that around 15 per cent of all cyber-attacks logged in the UK were directed at energy companies, giving the energy sector the dubious accolade of being second only to financial services as the most at-risk sector.

"Utilities are a soft target for malicious adversaries and a successful attack has the potential to cause mass disruption," warns Dan Mosca, a cyber-security expert at PA Consulting. "They often operate legacy networks and systems that are not 'secure by design'."

Against a backdrop of rising geopolitical tensions, the likelihood of an attack on critical national infrastructure has moved from worst-case scenario to distinct possibility with "cyber" seen as the new weapon of choice.

"This has already been seen in the attacks that caused electricity outages on the Ukraine grid in 2015 and 2016 and the incident in 2019 on the Western US grid where hackers used firewall vulnerabilities to cause periodic 'blind spots' for operators," Mosca says.

The Cambridge report estimated that a cyber-attack on the electricity distribution network in the south and east of the UK could disrupt transport, digital communications and water services for up to 13 million people and cost the UK economy between £49 billion and £442 billion. Attackers aren't just looking to cause costly network outages or gain unauthorised access to sensitive data but are also looking to cause physical damage to equipment to disrupt production or cause physical harm.

Risks aside, a ramping up of legislation is helping to focus minds and prompt utility players to beef up the resilience of their systems for compliance purposes. GDPR has put the spotlight on customer data breaches, and failure to comply with its provisions potentially entails fines of up to 4 per cent of turnover or €20 million. Similarly, the UK's Network and Information Systems (NIS) regulations, the first formal cyber-security regulations for the utilities sector, adopted into law in May 2018, require operators of essential services to take "appropriate and proportionate" security measures.

At the same time, with organisations under increasing pressure to embrace digital transformation, juggling business agility and security requirements is an inevitable but growing headache. For many corporations, the security risks of moving forward quickly with new information technologies