Network

Network June 2016

Issue link: https://fhpublishing.uberflip.com/i/690456


has also invested heavily in its data centres in order to strengthen its defences. National Grid Gas Transmission is forecast to overspend the totex allowance for its system operator role by £177.5 million by 2021 because of increased spending in this area. It was awarded over £35 million to upgrade existing data centres, but decided that new ones would be more resilient. It is currently consulting with the Department of Energy and Climate Change (Decc) to determine the kind of cybersecurity that will be necessary for these centres.

Crippled by fear

Faced with such dire consequences from a cyber attack, it would be easy for energy networks to simply batten down the hatches. But a lockdown on data sharing with innovative SMEs and other networks would be damaging to innovation and the evolution of smart, sustainable grids, which we sorely need to accelerate.

Jenkinson is confident that gas and power networks will not become paralysed by fear. But Casey Cole, managing director of smart heat metering company Guru Systems, is less optimistic. Lack of expertise and a common view that data sharing may give away potential commercial advantage, as well as exposing a company to potential legal and security challenges, have led to a protectionist data culture in the young UK heat sector, he says.

Such concerns are unsurprising. Firms face a £500,000 fine under the Data Protection Act if data is mishandled, but Cole insists data sharing is the only way the heat sector will mature (more on p24). Adopting common standards like ISO 27001 and Cyber Essentials can help companies overcome cyber paranoia, but standards are not always helpful.

Network operators have been bombarded over the past few years with a plethora of new security standards covering the smart grid, such as EU Smart Grid Information Security and NIST IR 7628. To help provide a definitive source, PA Consulting has worked with the Energy Networks Association to provide utility organisations with clear direction about what the standards are and where to find them. The ENA will publish its report next month.

If networks feel underprepared for the challenges they face, they can take comfort from the fact that others who should feel like an iron fortress are in the same boat. Even General Alexander did not manage to keep all the attackers out. All he could do was limit the damage once a criminal was in, learn from it, and try and make his system slightly more difficult to breach next time.

SECURITY STRATEGY

Rob Hayes and Jonathan Lam of PA Consulting reveal the rise of smart grids means networks are at a critical security juncture.

A December power outage in the Ukraine that affected 225,000 customers was the result of a Russian hacking group known as Sandworm. It is understood to be the first time a cyber attack was able to take a power grid offline.

In the UK, network operators treat network resilience as a top priority. Companies are constantly mindful of cybersecurity and measures are in place to counter any potential threat now and in the future. Increasing use of communications technology and data in the development of smart grids will deliver significant benefits, but will also require security systems to adapt.

Utilities are at a critical juncture because although the smart grid is not a new idea, the industry has now started to implement these technologies in their business-as-usual operations. Also, a plethora of new cybersecurity standards covering the smart grid – EU Smart Grid Information Security and NIST IR 7628 – have appeared over the past two or three years. Unfortunately, there is no single definitive source that industry participants can use to address their cybersecurity needs.

In response, PA Consulting Group partnered with the Energy Networks Association (ENA) to provide utility organisations with clear direction as they navigate the ever-changing landscape of cybersecurity standards for the electricity and smart grid sectors.

There is an abundance of guidance in the public domain for utilities to follow – particularly with regard to their IT and operational technology systems – and it can be challenging to determine which ones to follow and which ones to leave by the wayside. Often, this information is overlooked altogether because organisations simply do not know it exists or even where to look for it.

Governance is another critical component in a utility's successful security strategy because it helps facilitate interoperability among operating units. Without strong governance with clearly defined roles and responsibilities, an organisation may implement practices and procedures inconsistently, leaving systems insecure and potentially leading to a cybersecurity incident. Governance requires the adoption of standards and guidance to address the cyber insecurities of an organisation, especially as they move into the implementation phase.

PA believes it is beneficial for organisations to establish a suitable framework to govern and shape their cybersecurity programmes and point to relevant standards and guidance. The CPNI Security for Industrial Control Systems (SICS) framework is an example of one that provides a holistic approach to the security of operational technology.

A framework enables organisations to manage the key areas common to any cybersecurity programme and is flexible enough to incorporate sector and organisation-specific content. It also ensures that security is appropriate to business risk, identifies gaps in existing standards, and drives innovation in the industry to address shared issues without reinventing the wheel.

It is important for an organisation to adopt a framework that suits its business to manage the implementation at a high level. However, organisations have natural biases, and thus, external development will allow for current assumptions to be challenged – the key to success. Fundamentally, a cybersecurity programme that is created through capturing the best advice in the market will ultimately position an organisation to have a favourable outcome.
