Utility Week

Utility Week 20th March 2020

Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government

Issue link: https://fhpublishing.uberflip.com/i/1222824


UTILITY WEEK | 20TH - 26TH MARCH 2020 | 23 Customers

case, though," the delegate added. "We just set a mandate from a centralised authority that people feel disconnected from. Often, non-conformance then becomes the everyday activity and then that drives board culture again."

But many of the delegates agreed that the strong health and safety ethos that already exists within many utilities could be an advantage when it comes to embedding a cyber awareness culture. "All cultural shifts take a little bit of prodding," said another guest. "But it's a bit like the 'hard hat' culture – eventually people come to know it's the right thing to do."

Getting employees to tell their stories was another technique shared, something often used in health and safety training to explain the consequences for others of wrong behaviours. "In terms of a cyber security scenario, then, could we ask the person who clicked on that malware message to say why they did it? Why they were lax?" asked one delegate. "And to share how they now understood it could have taken out productivity for an amount of time? Yes, possibly."

Some delegates felt that a huge driver for organisational cyber awareness could be the chief executive going to prison for a major breach. "You'd find it taken a lot more seriously then."

But cyber security throws up challenges more complex than health and safety, argued another speaker. "If someone leaves a door open and a fire starts, the attribution is proven easily. Whereas an administrator in a carpeted environment leaving a Post-it Note with coded credentials around is a harder matter to prove."

Making this feel real to senior management can be helped by showing how cyber security is linked to organisational resilience, suggested one operator, "putting cyber security and resilience together". "Regulator Ofgem talks about our 'cyber resilience plans'. It [resilience] is starting to come closer to cyber – and it's the organisation's resilience ultimately. That's how you can get buy-in."

Running an executive 'cyber media response plan exercise' proved a real eye-opener for one company's culture, the forum heard. A couple of security alerts were quickly escalated, followed by a ransomware announcement on the website that it had been hacked. Staff had to field media questions, such as whether vulnerable people were going to be warm that night. "The fact they could not answer the questions they thought they could, really drove the message home. It was an incredibly useful tool."

Opinion

A cultural approach to cyber-security

Scott Bartlett, Cyber security head of practice, Leonardo

Cyber-resilience needs to be embedded within a utility's organisation.

UK utility companies face numerous challenges, including increased operating costs, a competitive market and a volatile economic environment. One way in which firms are responding is to connect previously segregated operational networks into their corporate IT, supported by sensory information technology. This has clear benefits, such as improved efficiency and the ability to provide better information to customers. However, increased convergence also brings with it an increased threat of hostile cyber-attack, undermining efforts to provide better quality services and presenting additional reputational risks.

To mitigate this threat, many companies are investing strategically to embed cyber-secure thinking into their organisational cultures. Employees are still the most common targets for cyber-attackers trying to gain access to a firm's network, so it's important that they are made aware of threats, beyond phishing campaigns, and are able to recognise suspicious activity in their daily lives.

A key enabling factor in developing this culture is to provide a facility for anonymous reporting, so that incidents can be reported and assessed without employees automatically feeling that they are to blame. Companies are also asking staff, in a structured format, to share experiences of cyber-incidents they have been involved in and how they were supported throughout. There is evidence that these approaches can transform culture by empowering employees with the confidence to report issues and incidents.

Safety regulations have also been a key driver in developing a culture of incident detection and reporting. Following major cyber-attacks on power distribution, such as that seen in Ukraine, UK utility companies are harmonising best practices to minimise the effects of security breaches on safety. This requires companies to undertake an impact analysis, looking at the systemic flow of a cyber-incident. How could an attack result in harm, if no further controls were implemented?

Keeping up to date and modelling prevalent threats is fundamental for assessing safety and security risks to employees and consumers, as well as establishing the likely targets and points of weakness across operational technology and information technology estates.

The goal of any utilities company in the event of a cyber-breach is to return to normal operations with minimal disruption. To ensure this is possible, it is important that firms invest time and effort in building operational resilience. If an organisation can maintain trust in the integrity of system output data on the status and health of the network and rely on well-practised response and recovery plans, the impact of an attack can be kept to a minimum.
