Utility Week

UW June HR single pages

Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government

Issue link: https://fhpublishing.uberflip.com/i/1468369


UTILITY WEEK | JUNE 2022 | 15

Energy

"It's not helpful to share best practice, which tends to be about learning from mistakes, as no one wants to admit to those because of the fear of getting penalised. The key is having an open culture – the fines and penalties are driving the wrong behaviours, which in turn is adding to the risk."

Another difficulty flagged up was the need to forecast cybersecurity spending over five-year price reviews: the situation changes on a monthly basis, said one, and therefore doesn't align with the funding model.

There was, however, confidence that the increased risks and need for more investment were being taken into consideration by regulators, given allocation for cybersecurity spending was increased in the RIIO-D2 network price control. This sets out what the gas distribution network companies were expected to deliver for energy consumers from 2021-26.

Other security threats

Energy network respondents were almost twice as likely (44%) to rate harm through direct action as a high risk compared with other sectors (25% retail and just 8% water), the reason being that most assets are above ground, compared to underground for water.

Those looking to cause harm to a utility might find it easier to cut down a tower pole or attack a substation, which according to one respondent would be made easier with open data as it would enable them to pinpoint where they could do the most harm.

The network operator acknowledged, however, that such acts of vandalism or worse have not been happening in practice. "Most of the attacks we have at the moment are theft orientated," they said.

Water companies, meanwhile, felt that although in theory it would be possible to poison water supplies, its impact would be localised, hence perhaps the reason why no respondents from the water sector scored terrorism as a high-risk factor, though should it become a reality, the impact would be high. Almost seven out of ten (67%) said it would have a high or extremely high impact on their business.

Digital complexity

An inability to manage growing digital complexity was rated as a high-risk factor by almost four out of ten of all respondents (39%), with the highest score coming from those in water (50%). Issues flagged up in interviews included fears over having the right skills and the move to open data.

Interviewees pointed to demand outstripping supply of those with digital and cyber skills and data analytics. "We are seeing a much higher level of churn – last year we lost over half those in our data analytics department," reported one interviewee.

Regulation and digital funding

One issue that arose during conversations with respondents was that regulation and IT investment were not natural bedfellows. This was raised under the need for investment for cybersecurity, but as an issue it was seen as wider than that, and could potentially add to the difficulties of managing digital complexity. Again, that is because five-year funding periods don't necessarily match the pace of change, but also investment spending is calculated on what has gone before as opposed to what might be needed in the future.

Said one network director: "The funding model for IT investment is not right. What I need to provide to Ofgem is a very, very detailed investment case and business plan that does not lend itself to digital innovation.

"Another important factor is the funding for IT comes under capital investment. There is no common set of operational investments for aspects things like developing skills or developing services."

Denise Chevin, freelance writer in association with

"We're ultimately building a system in the future that is more exposed to cyber breaches because of coordinating activities on the demand side."

Comment from Marsh

Delvin Tillet, cyber placement specialist, Marsh

The digitalisation of the utilities sector, particularly energy infrastructure, which previously used closed standalone Industrial Control Systems (ICS), has been replaced by Supervisory Control and Data Acquisition (SCADA). These systems are built on openness and interoperability.

Internet-of-Things appliances, such as interconnected sensors and instruments, vastly increase the attack surface for such organisations, with threat actors targeting Operational Technology (OT) and Industrial Control Systems (ICS).

Clients are increasingly concerned with the prospects of physical damage resulting from cyber events. This has been driven predominantly by the "Silent Cyber" initiative by regulators such as the Prudential Regulation Authority and Lloyd's of London requiring insurers to remove "Silent Cyber" from policies and either affirm or exclude cyber risks.
