Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/686319
The Topic: Infrastructure security
UTILITY WEEK | 3RD - 9TH JUNE 2016 | 13

Comment: Seven steps that can help reduce your vulnerability to hacking attacks

1. Be aware
The first step starts with awareness and not being complacent about the problem. Don't think small size can exempt you from a breach, because targeting smaller businesses gives hackers access to larger companies. Don't leave yourself open and do not assume you are safe.

2. Know your enemy
Security threats come from a range of sources, with most data breaches caused by bad business practice. Poor physical security, lost memory sticks, non-password-protected devices, unencrypted laptops and loose talk can contribute to breaches.

3. Look inwards
All businesses, regardless of size, must consider the risks to information and understand what they are trying to protect.

4. Get an information security management system (ISMS)
An ISMS (such as ISO 27001) provides a framework to help identify and manage information security risks in a cost-effective way, putting appropriate controls in place to help reduce the risks posed by security threats and help prevent weaknesses in systems from being exploited.

5. Get personal
Encouraging staff to make their personal information security a natural part of their routines can help businesses to secure corporate information. Training and awareness activities alert staff to the importance of taking as much care with business information as they would their personal information.

6. Look outward
Many businesses share sensitive information across and between organisations. If information is shared with a supplier, then the supplier has a duty of care to make sure the handling of that information is secure.

7. Cloud security
By requiring that providers of your cloud services are ISO 27001 certified and operating in compliance with the Cloud Security Alliance Star certification requirements, businesses can reassure themselves that their cloud service provider has the appropriate security measures in place to protect customer data.

Toni Allen, UK head of client propositions, BSI

"[Terrorists] have not been able to use it to kill people yet by attacking our infrastructure through cyberattack. They do not yet have that capability. But we know they want it, and are doing their best to build it."
Chancellor George Osborne warning in November that National Grid is under threat from a cyberattack by terrorist group Isis.

KNOW YOUR ENEMY

So who is attacking you? Put simply, cybercriminals, but their motives can vary. These include not only making money illegally, but cyber espionage, cyber-sabotage and social/political protest.

For example, security expert Matt Jakubowski was able to extract the Wi-Fi network name, internal MAC address, account IDs and MP4 files from Mattel's interactive "Hello Barbie" doll. This was enough to gain access to the Hello Barbie account and home network, thereby compromising the wider security of any family using the doll.

Also, by hacking into a home's smart meter, a cybercriminal has the potential to skew the reading, which could result in monetary gain for them and a loss for the homeowner.
David Emm, principal security researcher, Kaspersky Lab

CYBERATTACKS AND DATA LEAKS: MAJOR INCIDENTS

TalkTalk: 21 October 2015
• 157,000 personal details accessed
• 15,600 bank details and sort codes stolen
• four people arrested
• 28,000 stolen credit and debit cards obscured and cannot be used for financial transactions
• lost 101,000 customers and suffered costs of £60 million as a result

M&S: 28 October 2015
• website glitch allowed customers to see each other's details
• suspended site for two hours
• internal error
• personal data and previous orders were visible to other customers, no full credit card details

British Gas: 29 October 2015
• 2,200 customers were contacted and warned that their email addresses and account passwords had been posted online
• the company said its own systems were not breached
• the affected accounts were disabled following the discovery

Ukraine: 23 December 2015
• 225,000 people left without power for several hours
• power to 17 substations cut
• the groundwork for the attacks started six months earlier with emails to Ukraine's power utility that contained Microsoft Word documents which, when opened, installed malware
• the malware – BlackEnergy 3 – allowed the hackers to gather login details, which allowed them to remotely access vital controls and ultimately, shut off the power
• they also jammed company phone lines, making it hard for engineers to determine the extent of the blackout

RWE's Gundremmingen nuclear power plant: 27 April 2016
• viruses were found on office computers, 18 USB sticks and in a system used to model the movement of nuclear fuel rods
• RWE said the infection posed no threat to the plant because its control systems were not linked to the internet, so the viruses could not activate
• staff found the viruses as they prepared to upgrade the computerised control systems for the plant's Block B, which was offline undergoing scheduled maintenance
• among the viruses were two well-known malicious programs: W32.Ramnit and Conficker