Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/449717
UTILITY WEEK | 23rd - 29th January 2015 | 27

Customers: Market view

Home guard

The digital world is an undoubted benefit to utilities and their customers, but with every smart meter a potential access point for a cyber attack, how should utilities respond? By Chris McIntosh.

The electricity grid is rightly seen as one of the UK's great achievements of the 20th century. In the space of less than 100 years it has become critical to our economy, well-being and comfort. However, in the 21st century the utilities are increasingly vulnerable to threats they were never designed to cope with – such as cyber attack. While initial attempts were made on critical infrastructure during the 1980s, the first decade of this century has seen the potential for attacks, and their consequences, explode.

This proliferation of security threats is largely due to the way in which communication takes place in the electronic age. Previously, the limits of technology meant that lines of communication were limited to dedicated links between discrete parts of the infrastructure, such as power stations, so any attempt to attack this would require physically interrupting the link. As more and more communication moves to the internet for reasons of efficiency and ease of use, there are far more options available for attackers to infiltrate IT systems. The result is that attackers could now strike almost anywhere along suppliers' communications infrastructure.

If this was limited to links between utility companies and their workers this would be bad enough. However, one major result of the current information revolution has been increased connection with the end consumer. For example, via smart meters. This has immediately increased the potential risk to utility providers, because every smart meter is a potential means to attack the network.

Suppliers are aware of this. In a US survey in 2012, 43 per cent of respondents believed that the most vulnerable segment of the grid was the end user. If this security vulnerability is not addressed, it will render the rest of utility companies' security a Maginot Line, a supposedly impenetrable defence that turns out to be illusory when it is needed.

When looking to defend these new avenues of attack, utilities must accept that the genie is now out of the bottle: there is little to no chance of returning to dedicated lines of communication, especially as direct contact with customers becomes more and more desirable. Instead, utility companies need to ensure their customers' security matches their own.

The first step in this is education. Since increased communications have marked customers as potential targets for an attacker, companies have a responsibility to ensure the public knows the dangers involved. This includes teaching simple best practice for online safety. For example, not replying to emails or visiting sites purportedly from the utility company that do not have https addresses, and ensuring that home wireless networks are correctly protected to prevent attackers piggybacking these to gain access to connected devices.

Companies will need to be careful how they present this information, to avoid giving the impression that communication between utilities and their customers is inherently non-secure. Instead, best practice should be presented as part of working online in general, rather than with the utility company in particular. To prevent the impression they are simply being broadcasted to, customers should also be encouraged to share potential security threats with companies.

As with in-house IT security, the safest way to ensure customers are protected and ensure their buy-in is to reduce the opportunities to breach security as much as possible. For instance, corporate emails should be sent from addresses that specifically prevent replying, to ensure customers notice if a fake email suddenly allows this. Entering personal information, such as addresses or account numbers, should be minimised so that keystroke logging software cannot pick up information. And visits by engineers and other personnel should be organised in a way that minimises the risk of impostors getting access to a customer's smart meter or other devices. Essentially, security should be locked down before any contact is made with consumers in the first place.

Even with the best will in the world, there is always the potential for human error when dealing with IT security, especially when the public must be given direct access, however small, to your systems. As a result, even when consumers have been protected as well as they can be, and have fully bought into the need for security and safety, there will still be a chance that security will be breached – especially with customer numbers in the millions.

In this instance, the most important thing is for companies to be sure they can trust their network and quickly identify any intrusion. With every customer's home a potential access point, covering every single point on the network permanently is unrealistic. One way to compensate for this is with "trust anchors": parts of the system that the company can be 100 per cent certain are not compromised. These devices or services can then analyse the traffic they receive, raising the alarm if it does not fit the expected profile or content. Companies do not have to rely on impossible standards from their customers, but can instead detect and react to potential threats as they appear.

Chris McIntosh, chief executive, ViaSat UK

[Chart: How do you expect cyber attacks on US cities to change? Response categories: Increase in frequency but focus still on IT systems; Increase in frequency, but expand to include operational technology and IT systems; Stay the same; Drop in frequency.]