Issue link: https://fhpublishing.uberflip.com/i/690456
NETWORK / 11 / JUNE 2016

Security culture

Cybersecurity is starting to be addressed through innovation

At the start of this year, National Grid Electricity Transmission launched two projects through the network innovation allowance to explore different elements of cybersecurity. Both are expected to span four years, and both have a budget of £179,000.

Embedded cyber risks in the procurement process

• National Grid is increasingly buying intelligent assets that are critical to effectively operate the electricity and gas system, but a lack of awareness of security issues during purchasing, upgrading and deployment of these IT and OT assets leaves it at risk.

• The project will define a framework to reduce cyber risk by analysing, quantifying and modelling the current cyberthreat across the supply chain.

Improving cybersecurity culture in operational areas

• The security culture in an organisation may be strongly influenced by unjustified beliefs about what the objectives of the security policy are, and what measures are effective in delivering those objectives. To be able to improve the culture, it must first be analysed and understood.

• The project will define a risk-mitigation strategy to protect National Grid at operational level by reviewing the current culture and proposing key areas of concern and mitigation solutions. These solutions will then be tested in a pilot project.

manage third parties and the supply chain, and security incident response. The benefits of using a framework are that it gives organisations access to the experience and best practice of others and ensures nothing important is overlooked. It also provides the basis for assessing where they are now and where they want to be, so they can design a clear programme that reflects their own starting position, and it allows them to deal with the full range of vulnerabilities in a coherent way.
The Ukrainian attack, had it been envisaged in advance, would probably have been dismissed as so unlikely to happen that it could be ignored. Yet disregarding high-impact but low-probability scenarios is dangerously complacent, underlining the need for a comprehensive approach.

Action is needed now

It is clear that a good OT security programme can help prevent, detect and recover from an attack. If the Ukrainian power grid had had better security awareness and training, it may have blocked the phishing attack that enabled BlackEnergy to be installed on the corporate network. Good security monitoring should have detected BlackEnergy in the network: it is not a new piece of software. Equally, better segregation of the corporate and OT networks might have stopped the attackers gaining access to the OT systems. Monitoring within the OT may have detected the unauthorised access, and the system could have been isolated, preventing the attackers from shutting down the substations and loading new firmware on to the protocol converters that disabled remote access for the operators.

The impact of the Ukraine attack was reduced because the power companies were able to restore supply to their customers quickly, but only because they had the ability and manpower to operate the power system manually. However, it is believed they were unable to recover the OT systems quickly and have had to run with manual control for months after the attack.

What happened in Ukraine should serve as a reminder that many organisations are vulnerable to cyber-attacks. However, there are effective frameworks available that can reduce that vulnerability and that enable an organisation's OT to be defended more effectively. What is essential is a clear recognition of the risk, and support from senior leaders to put the right structures and support in place – and to do so now.
Andrew Wadsworth, managing consultant, global energy and utilities, PA Consulting Group

System breach: other notable attacks

TalkTalk: 21 October 2015

• 157,000 sets of personal details accessed.

• 15,600 bank details and sort codes stolen.

• Four people arrested.

• 28,000 stolen credit and debit cards obscured and cannot be used for financial transactions.

• Lost 101,000 customers and suffered costs of £60 million as a result.

British Gas: 29 October 2015

• 2,200 customers had their email addresses and passwords posted online.

• British Gas does not think its own systems were breached.

• The affected accounts have been disabled since the discovery.

RWE's Gundremmingen nuclear plant: 27 April 2016

• Viruses were found on office computers, 18 USB sticks and in a system used to model the movement of nuclear fuel rods.

• RWE said the infection posed no threat to the plant because its control systems were not linked to the internet, so the viruses could not activate.

• Staff found the viruses as they prepared to upgrade the computerised control systems for the plant's Block B, which was offline undergoing maintenance.

• Among the viruses were two well-known malicious programs – W32.Ramnit and Conficker.

Did you know

The malware behind the Ukrainian attack was BlackEnergy3. BlackEnergy was first reported in 2007 as a relatively simple form of malware that generated random bots to support Distributed Denial of Service (DDoS) attacks. It reappeared as BlackEnergy 2 in 2010 with some significant capabilities that extended beyond DDoS – including a new plug-in architecture that let it subvert system resources, steal data, and monitor network traffic. It was at this time that many began to associate BlackEnergy with crimeware. BlackEnergy3 is the likely product of multiple teams working together, as a by-product of a nation-sponsored campaign.