Issue link: https://fhpublishing.uberflip.com/i/871337
NETWORK / 20 / SEPTEMBER 2017 Q: The last year has seen three major cyber-attacks on electricity generators in the Ukraine, causing power outages on two occasions. How severe is the threat to the energy sector? Barbara Vest: We are aware of reports of malicious cyber activity within the energy sector around the globe. This is a continuing threat to all industries as seen with the recent UK attack on the NHS with the WannaCry ransomware. Industrial control systems (ICS) and operational technology (OT) networks pose a real target for hackers. It is therefore important for the energy industry to remain focused on mitigating these attacks using a variety of control measures. For the Ukraine cyber- attacks, the strongest capability of the hackers was their capacity to perform long-term reconnaissance operations, which required in-depth Securing our power knowledge of the system's environment and the ability to execute a highly synchronised, multisite attack – remotely. The initial act of infiltrating a system may have come from an email phishing attack, which can go undetected for weeks at a time. Dedicated legislation, regulation and overall monitoring organisations have been created to manage such threats – the National Cyber Security Centre, the NIS (Network Information and Systems) – and the UK energy industry is committed to mitigating this threat to the sector. Q: Has this danger become more pronounced over the last year? BV: The danger from hackers has always been at the forefront of people's minds. The pronounced volume of email phishing attacks has made it even more important for generators and networks to consider the safeguards and Networks must be more vigilant than ever to guard against cyber- attacks. Barbara Vest, director of generation, Energy UK, explains how to remain protected Cyber SeCurit y systems required to keep any virus or malware from hitting their control systems. Q: The second attack on the Ukraine targeted SCADA systems at electricity company Ukrenergo. What practical steps should energy firms take to ensure IT and other systems are protected against cyber- attacks? BV: Companies in the energy sector should have a good understanding of all interconnectivity between IT and OT systems. Asset registers and system topologies will help identify what vulnerabilities or attack planes could present themselves – and a business risk assessment and mitigation plan should be put into place accordingly. The industry is preparing for the introduction of the NIS Directive that comes into effect in May 2018, which looks to ensure an overall improvement in cyber security in the UK. A Cyber Assessment Framework is being released in early 2018 to help determine the extent to which the requirements in the directive are being met. In addition, the CiSP reporting platform helps industry keep on top of any threats or incidents, and provides recommendations on how to proceed. Q: Are there any notable examples in the UK of the energy sector being attacked by cyber criminals or hackers? BV: Cyber-attacks into the power generation industry are mostly prevented by corporate IT systems and firewalls that are designed to keep the OT and ICS systems safe from attack. Training and awareness of staff is crucially important to prevent emails and attachments being opened on networks in the first instance. Large scale attempts have been made but they were unsuccessful, such as when hackers targeted the Irish energy network in the summer. Britain's energy companies are also thought to have been hacked on the day of the General Election, by hackers believed to have been backed by Russia. This did not cause any disruption. We encourage energy companies to sign up to the Cyber Security Information Sharing Partnership (CiSP). The National Cyber Security Centre also creates weekly threat reports which we encourage energy companies to read: https://www.ncsc.gov.uk/index/ report Q: Why does cyber security represent myriad challenges for the energy industry? BV: The energy industry is challenged to ensure the highest level of safety for our workforce, power generating assets, networks, and security of supply. We as an industry of essential services are challenged to ensure a culture of security awareness grows both internally in energy companies, but also in manufacturing businesses, government and the wider public. We need to ensure that as the energy market grows, products and services are secure for generators and consumers. These challenges are being addressed, especially from guidance produced by the National Cyber Security Centre, BEIS and DCMS on improving the levels of cyber security in the UK.