Utility Week

UTILITY Week 3rd June 2016

Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government

Issue link: https://fhpublishing.uberflip.com/i/686319

The Topic: Infrastructure security

IMPROVING SECURITY

Rather than dealing with the fallout if and when a cyberattack or a data breach occurs, utilities are now much more proactive. However, Paul Jenkinson, IT security and technical architecture manager at UK Power Networks, warns that more should – and always can – be done.

This work is part of an ongoing good versus evil battle, but can start with straightforward things. Kaspersky Lab says these should include:

• Making sure all devices are up to date with the latest security and firmware updates.
• Ensuring all default passwords and user names are changed.
• Using encryption.
• Setting up "private" Wi-Fi networks.

More work is also being done to update the key systems that businesses, including the utilities, are using. Bacs, the organisation behind direct debit and Bacs direct credit in the UK, tells Utility Week the previous level of security protection for most sites, SHA-1 SSL – which was introduced in 1996 – is now classified as vulnerable to cyberattack.

As a result, new and improved levels of security for secure payment websites – SHA-256 SSL – are being introduced from 13 June. It is being adopted by the likes of Microsoft and Google, among many others, before the global switch-off of the old system next year.

Utilities will have to ensure they comply with the new system or risk "finding themselves locked out" of secure payment websites – essential if they offer their customers online payment systems.

Bacs also says that older operating systems – in particular Windows 2000, XP and Vista – are most at risk from hackers and viruses, so it encourages companies to run the most up-to-date software possible.

On top of this, Jenkinson adds that there must be board-level buy-in to the importance and significance of cybersecurity, and that boards must give their backing to it to help ensure their systems are safe.

NEXT TOPIC: NON-TRADITIONAL BUSINESS MODELS

As the utilities sector develops, new ways of doing business and structuring organisations are emerging. From community-owned energy companies, to not-for-profit organisations, through to new partnerships and joint ventures, the increasing drive towards competition is creating new opportunities. This goes beyond business structures to the systems used, with start-ups and smaller companies adopting new practices, rather than being lumbered with legacy systems, as incumbents have been. The next Topic will take an in-depth look at the growth and development of non-traditional business models.

"Traditional crime has recognised the power of cyber. And the criminals are becoming more professional and more creative."
Eugene Kaspersky, founder and CEO, Kaspersky Lab

As technology continually develops and the power and ability of connected devices grows, utility companies are looking more and more at adopting them as tools to help them deliver the essential services they provide.

However, electricity, gas and water companies – especially networks – are wary about where this technology gets integrated into their systems. Customer-facing systems are said to be "prime areas" for connected devices and cloud technology to be used.

There is an inverted pyramid of connectedness and of utilities' willingness to tap into the internet of things. Customer services are in the top section, where connected technology is already being adopted. In the middle are "hybrid arrangements", where some cloud and connected devices are used, but not in areas that could have a significant impact if things went wrong, and where a "base level" of control can always be ensured.

Utilities' systems are "locked down" where they have an influence on the operation of critical infrastructure. Here, as was the case in the RWE Gundremmingen nuclear power plant, there is no cloud or internet connection, and the control is kept in-house and "on-property" by the utilities. This ensures that control of the critical infrastructure is always maintained and cannot be lost to hackers or viruses.

The rationale is that if things went wrong and hackers were able to gain control, the results could be catastrophic. This is not a risk worth taking – so the systems are kept in-house and on-site.

SOME USEFUL DEFINITIONS

• Phishing is an attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
• Malware is an overarching term used to refer to a variety of forms of hostile or intrusive software. It includes computer viruses, worms, trojan horses, ransomware, spyware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.
• Ransomware is a type of malware that can be covertly installed on a computer without the knowledge or intention of the user. It restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.

Let's get critical

Which systems are so critical to a utility's business that you dare not expose them to the internet?

Figure labels: Full cloud adoption; Hybrid cloud arrangement; Secure lockdown – no cloud use
