Utility Week

UTILITY Week 20th November 2015

Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government

Issue link: https://fhpublishing.uberflip.com/i/603117


UTILITY WEEK | 20TH - 26TH NOVEMBER 2015 | Operations & Assets | Market view

Are we safe in your hands?

Cyber attacks are growing ever more sophisticated – and the consequences of letting one succeed ever more serious. Dean Kelshall and Ellen Fraser urge continuous vigilance.

Recent data breaches in the telecommunications sector have rightly raised questions about online security. Naturally, attention has turned to other markets, such as energy, as customers seek assurances that their personal information is in safe hands.

So how secure is the energy market? And what can firms do to make sure they are on top of their game? There are two main targets for potential hackers: an attack on the energy network or infiltrating energy companies to gain customer data.

Securing the energy network

Although there is a financial incentive in targeting energy companies, some hackers can be motivated by the disruption they can cause to critical infrastructure by attacking the broader network. These attacks may be especially appealing to those looking to inflict harm on nations and governments, whether it is online "hacktivists", terrorist organisations or unfriendly nation states.

Breaches have occurred in the past but the impact has normally been contained; had this not been the case, the impact could have been devastating. If someone was able to hack and crash the energy grid, they could cause widespread and sustained disruption for millions of people and inflict chaos on key businesses and transport networks. In a controlled test last year, a German IT security firm successfully hacked into utility control systems, giving them the opportunity to cut off power, water and gas to the entire German town of Ettingen.

Given the potential consequences, the security of critical national infrastructure (CNI) is seen as a major priority by the government, with colossal resources being dedicated to keeping it safe and secure. GCHQ, the Centre for Protection of National Infrastructure and other government bodies take a particular interest in protecting the UK's energy control systems, which send commands to keep the lights on across the nation. The security around these systems is continuously re-evaluated and any suspicious activity is treated extremely seriously by the authorities.

Securing customer data

The government's focus on protecting the energy network, and the level of sophistication required to compromise control systems, means that a major compromise in this area would be difficult. However, critical national infrastructure is not the only potential target. Energy companies may also be attacked to try and extract useful data.

Customers have witnessed the introduction of increasingly sophisticated energy technology (such as smart meters), capable of recording granular information about their energy usage. When smart meters started rolling out across the UK, there was some concern about how the data would be handled. Energy suppliers are mandated by the government to put in place robust security measures designed to prevent unauthorised access to smart meter commands and consumption data. These security measures are audited on a regular basis and come under scrutiny from numerous independent parties.

An area that has more significant risks is the extraction of personal information, such as email addresses, passwords and credit card details. These attacks are aimed at core billing systems and customer records, which can fall outside the scope of more exacting smart meter standards.

It is important that energy companies use security systems to keep their websites and databases free from intrusion. However, it is arguably more important to establish strong security processes (for example, around data handling or risk management), ideally based on a clear understanding of the security threats that business is facing. This leads to the effective application of security systems, and ensures no future changes introduce weaknesses.

Building a secure business

To embed these processes, efforts need to be made to establish a security culture, developed through procedural and behavioural training. Only by building this culture and these processes into the heart of the organisation can companies avoid complacency about the threats faced by the industry. This relentless focus needs to be articulated and developed by the board and senior leaders. It is these executives who would have to deal with any rapid response to a data breach.

The government is placing a high priority on encouraging good practice in this area. It has developed programmes such as GetSafeOnline and CyberEssentials, which can provide companies with a security baseline and a useful stepping stone to rigorous security standards and procedures. GCHQ has also developed a checklist of ten key security areas, which would provide a useful starting point for any businesses that want to stay ahead of the game. For a more mature security framework, organisations should look to internationally recognised standards such as ISO27001, NIST or SOC2.

Technology is evolving and the capabilities of hackers are evolving along with it, often at a great pace. While significant steps have been taken to keep our energy networks secure, energy companies need to avoid complacency and invest in their security. This will enable them to protect their reputation and give their customers peace of mind.

Dean Kelshall, senior manager, and Ellen Fraser, partner, at Baringa

Talk Talk hack

On 21 October the website of telecoms provider Talk Talk was hacked and a then unknown quantity of data accessed or stolen, prompting its share price to plummet by a third over the following week. In the event:

157,000 customer details were accessed.
15,600 bank account details were stolen.
£35m will be the cost to Talk Talk.
Four people have so far been arrested and questioned in connection with the cyber attack: a man of 20 and three teenagers.
