Utility Week

UTILITY Week 20th March 2015

Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government

Issue link: https://fhpublishing.uberflip.com/i/480604

UTILITY WEEK | 20TH - 26TH MARCH 2015 | 17

The supply chain
SPECIAL REPORT: PART 3 / MARCH 2015

FACT FILE: GREAT FAILURES OF THE RECENT PAST

55 million people were left without power in the north-east of the United States in August 2003.

670 million people were affected by the July 2012 India blackout – 10% of the world's population.

20 million gallons of water burst out of an ageing water main in Los Angeles, California in 2014. At its height, the breach set loose 35,000 gallons of water every minute.

No organisation is an island

Over the past five years, utilities have invested about £45.8 billion in works projects, with suppliers playing a key role in ensuring work runs on time and on budget. Only when utility companies truly understand which suppliers are in their supply chain, and the risks presented by each, can they start to improve resilience.

Amid a barrage of challenges including new legislation, carbon reduction targets, mounting construction costs and critical infrastructure upgrades, here are five top ways to improve the resilience of your supply chain, via the supplier base:

Keys to a resilient supply chain:

1) Set clear standards. Utilities should communicate to suppliers clear standards in business critical and high-risk areas such as health and safety, compliance, environment and ethics. This builds in resilience across the supplier base right from the pre-qualification stage.

2) Work in collaboration. Utilities companies often share the same suppliers. It is difficult for any single firm to collect, maintain and update information about thousands of suppliers. Working together gives much more surety that all suppliers have been assessed in a methodical, consistent way. This community approach also enables utilities firms to easily identify and source alternative suppliers in the event something goes wrong.

3) Verify data. Data is only useful if it's accurate. Once suppliers make claims, companies can protect themselves by checking the information is correct – via desktop checks, using third party data feeds and carrying out on-site audits.

4) Diversity. In the event of a supply chain failure, firms that have a diverse supply chain will be better placed to ensure continuous supply. By including firms of all sizes, utilities can get a 360 degree view of how to build resilience.

5) Map the supply chain. Once utilities firms have a robust database of main suppliers, they should consider mapping the supply chain to identify suppliers through all the tiers. With a complete picture of information, companies can proactively identify and address risks – such as reliance on single suppliers

Tom Grand, regional director for the UK and Ireland, Achilles

DATA SECURITY
Protecting against cyber attack

With increasing reliance on industrial control systems and operational IT against a backdrop of rising cyber crime, it's time utilities formed more robust cyber security strategies.

The cyber security risks associated with industrial control systems and operational IT are increasing. If organisations fall victim to a cyber attack, there could be an impact on operations, trust, reputation, safety, competitive positioning and the financial stability of these organisations and national economies.

Major critical infrastructures, such as utilities, have become valuable targets because of the potentially high profile impact of an attack. The trend of targeted malware that began with the notorious 2010 Stuxnet computer worm, which compromised Iran's nuclear fuel processes, is continuing with advanced malware such as Havex and BlackEnergy.

The Havex malware scans its environment to establish if other systems are present and communicates sensitive information to potential attackers. The other recent threat, BlackEnergy, provides attackers with ways of remotely controlling compromised systems.

Operational technology is increasingly constructed from commercial off-the-shelf technologies, which simplifies operational resilience by reducing development time, cost and maintenance. This, however, introduces security risks into the industrial environment.

Further to this, organisations are digitising their activity by bringing various technology domains and third parties closer together. While this promotes integration across the supply chain, external access to critical assets is also increased. This combined use of standard IT technologies and the increase in connectivity leaves operational technology vulnerable.

To build trust and confidence in critical systems, organisations need to understand the risks associated with them. When considering overall resilience, cyber security requirements must be considered, as cyber vulnerabilities can undermine operationally resilient systems.

Justin Lowe, energy security expert, PA Consulting Group

TIPS FOR DATA RESILIENCE

1 Understand the systems – it's vital to thoroughly understand the scope, operation and protection of control systems. This includes identifying all existing control systems, their location, internal and external interfaces, ownership and accountabilities, access rights and business criticality.

2 Understand the threats – identify the range of cyber security threats through 'what if' scenario planning. This includes recognising threat sources, understanding the ways these might present themselves and assessing the likelihood of an incident.

3 Understand the impacts – an evaluation of a predetermined series of cyber security scenarios, covering all situations which have a negative impact on operations now and in the future, will lead to an understanding of the overall business consequences of breaches.

4 Understand the vulnerabilities – identify and analyse all the technical, procedural and management vulnerabilities in the control systems to assess overall business risk. A prioritised action plan can then be developed to address them.

"The enormity of the challenge of securing utilities against cyber attacks could not have been foreseen when much of our current infrastructure was built."
Andy Settle, chief cyber-security consultant and head of practice, Thales UK
