Utility Week

UTILITY Week 16 05 14

Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government

Issue link: https://fhpublishing.uberflip.com/i/311841

Contents of this Issue


Page 21 of 31

22 | 16th - 22nd May 2014 | UtILIty WEEK Operations & Assets Market view O ur utility clients understand two key themes when it comes to cyber secu- rity: it is no longer solely an IT issue; and their sector is one of the most heavily targeted when it comes to cyber crime. The cyber threat is real, oen persistent, well organised and all too frequently success- ful. At the same time, the energy sector is going through unprecedented change. Tech- nical changes, such as the deployment of smart metering and smart grids, regulatory changes, and initiatives such as increased efficiencies in the way operational technol- ogy is managed, are all of significant impor- tance to those responsible for security. Not only is the problem real, it is evolv- ing rapidly. According to PwC's Information Security Breaches Survey, published in con- junction with BIS, 93 per cent of large organi- sations suffered a security breach last year. More alarmingly, the average time between a breach occurring and the victim being aware of the attack was over eight months. Attacks on utilities sector are becoming increasingly sophisticated. A well-publicised example was the Shamoon attack in 2012, where a carefully-craed virus was spread throughout the networks of multiple interna- tional oil and gas companies to disrupt the flow of oil and gas to local and international markets. The virus spread to 55,000 corpo- rate PCs and only luck prevented it from reaching the industrial control systems (ICS). A worrying statistic from a study con- ducted by the US Department of Homeland Security revealed that, of the incidents responded to by the department's cyber emergency response team between Octo- ber 2012 and May 2013, over 50 per cent of attacks occurred in the energy sector. Cyber criminals are oen indiscriminate, as the individuals and gangs simply seek to monetise their attacks, however some threats are more targeted, including targeted fraud and denial of service attacks and ransoms, where criminals threaten to disrupt web ser- vices until payment is made. Energy trading organisations where there is knowledge of forward pricing of fuels is a particular target. Other criminals do it "for the cause", usu- ally hoping to raise awareness of their cause through disruption of service or website defacements. In most cases, the attacks relate to the perceived support of a political issue by an organisation. As with espionage attacks, hackers are oen driven by real world events, making the risk of attacks specific to geography and company actions in relation to political events and issues a high one. Many energy organisations were targeted in 2012 as a part of Operation Save the Arc- tic. The group behind the attacks published the email addresses and passwords of execu- tives of a number of listed companies. Utility organisations need to be aware that business decisions such as pricing strategies, prod- uct offerings or expansion to new services or geographies can change their risk pro- file overnight, and they may inadvertently become targets. The recent backlash against energy suppliers over pricing and perceived market dysfunction is an example where the sector is a prime target for "hacktivism". Integrated energy companies, whether suppliers or upstream oil and gas operations, face multiple challenges to information secu- rity. Energy and power services are the linch- pin of any nation's critical infrastructure, and if there is a trade-off to be made between availability and security, security is oen likely to lose. More than any other industry, the energy sector's ageing systems and infra- structure cause serious security concerns. There is a high dependency on ICS within the sector. These have historically been built for reliability and longevity, and were devel- oped as standalone products, isolated from corporate networks with little consideration given to security. Historically, physical secu- rity has been an adequate security measure, but with ICS typically now connected to cor- porate networks and indirectly to the inter- net, additional cyber security is needed. Most utilities now operate in a complex business ecosystem with external partners and outsourced IT that may extend beyond national borders. It is a challenge retrofitting security to existing systems that were not designed with security as a consideration. Finally, the introduction of smart meter- ing fundamentally changes how energy suppliers interact with customers, and intro- duces new communications channels into back end systems, customer homes and the grid. Such systems can be open to hackers. The consequences of cyber attacks can be profound and wide ranging. The financial impact alone can reach millions of pounds, and that is without the reputational damage. However, it is not all bad news: cyber awareness is increasing within organisa- tions, with 51 per cent increasing their security spending last year. But there is no place for complacency. Cyber criminals are constantly evolving their techniques and are organised, patient and willing to make significant investments to accomplish their objectives. To prosper in the new cyber security envi- ronment, organisations must take charge of their cyber security. This begins with know- ing what your assets are and how to mini- mise exposure. Energy companies also need to know precisely what their cyber security strategy is protecting by prioritising corpo- rate resources to safeguard those things that are valuable to you and your adversaries. Too many companies try to protect everything and, in doing so, may leave their most valu- able assets vulnerable. As well as protecting what really matters, companies must ensure they have the appro- priate balance of people, processes and tech- nology. Today, a realistic security strategy is one that empowers an organisation to pre- pare for and quickly detect attacks. Ongoing communication and education can help all employees understand their roles in ensur- ing security. Organisations need to define and deploy rigorous security strategies to protect them- selves. Cyber attacks are inevitable, and organisations need to be ready to respond. If you are not actively looking for evidence of a security breach, you won't find any, and if you are looking but not finding anything, it's possible you aren't looking hard enough. James Rashleigh, director of cyber forensic services, PwC Splendid isolation… Cyber attacks are becoming more sophisticated, and many of them are directed against energy companies. James Rashleigh says cyber security is not just an issue for the IT department.

Articles in this issue

Archives of this issue

view archives of Utility Week - UTILITY Week 16 05 14