Utility Week

Utility Week 28th February 2020

Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government

Issue link: https://fhpublishing.uberflip.com/i/1214913


UTILITY WEEK | 28TH FEBRUARY - 5TH MARCH 2020 | 23 Operations & Assets

are worth the rewards of improved customer experiences. But moving fast also introduces challenges and uncertainties about where vulnerabilities are hiding in networks and applications.

"They may procure and integrate solutions made up of commercial off-the-shelf technologies such as Windows and TCP/IP to become 'smarter' and take advantage of digital innovation. This creates vulnerabilities and, when combined with weak risk management practices such as not patching system vulnerabilities on a regular basis, increases the chances of a successful breach," says Mosca.

How ethical hackers help

As both the intensity and frequency of cyber-attacks increase, the utility sector is increasingly turning to ethical hackers to identify vulnerabilities in systems. Essentially they are security experts, generally from outside the organisation, who role-play as malicious attackers and attempt to compromise the security of its systems – by emulating phishing attacks, trying to infect workers' computers, or perhaps steal data – using all the tools, techniques and procedures that are seen used by cyber-criminals, albeit in a safe and controlled environment.

They use technical assessments known as penetration tests to find as many technical vulnerabilities as possible in a pre-defined system. Meanwhile, so-called red team exercises mimic a real-life attack against a company to evaluate the effectiveness of its security defences against cyber risks – from technical to policy to people, from a disgruntled employee or casual hacker to a hacktivist or state-sponsored cyber-criminal. Exposing gaps in security policy and process helps clients to strengthen their cyber defences and provide assurance to the business, its stakeholders and regulators that its systems are as robust as possible.
"Typically, this kind of activity helps companies mitigate risk by addressing known vulnerabilities before criminals do," says Daniel Smith, a security researcher and white hat hacker (aka a good guy) at Radware.

What emerges is a digital game of cat and mouse. "When vulnerabilities like 'Shitrix' are announced, we can see the spike in scans from both criminals and researchers. In general, researchers are scanning the internet to discover how many vulnerable systems are exposed online. Criminals are scanning the internet to create a list of vulnerable systems that they will revisit once a proof of concept hack or exploit has been published," Smith explains.

Bearing in mind that this is about trying to simulate real life security threats, the devious and creative lengths that ethical hackers (and their not-so-ethical counterparts) might go to in order to breach systems should not be underestimated. We're not just talking about writing code to hack into online systems remotely; it could also involve breaching the physical security at a location to access computers (effectively breaking in), targeting unwitting employees, for example through social media sites such as LinkedIn, or even "dumpster diving", as our American friends would say. One expert I spoke to said hackers will even scatter memory sticks in a client's carpark in the hope that they'll be used by staff and subsequently transmit viruses.

"More targeted attacks could look to use insiders to physically get into a company, planting people to try to get access to systems or going in through the supply chain and claiming to access systems for maintenance purposes," says Anthony Young, a director at Bridewell Consulting. "With red teaming, you have a goal such as shutting down a system. You might spend three to six months trying to hit that goal and we won't be given any information other than which system the client wants us to access," Young says.
The approach works because the mental process of trying to break into a system is very different to the process of trying to defend it, according to research conducted by Cranfield University. "If we are going to use an ethical hacker they have to think like

"Any tests need to be scoped and executed carefully by certified specialists to avoid disruption to networks, systems and the service"
Dan Mosca, cyber-security expert, PA Consulting

continued overleaf
