Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/901108
UTILITY WEEK | 17TH - 23RD NOVEMBER 2017 | 19 Operations & Assets risks for utility companies. And yet not all companies are as up to speed with this new reality as others. Edgard Capdevielle, chief executive of cyber security firm Nozomi Networks, says that while "significant strides forward have been made", more could be done to neutral- ise the threat. "If utilities invested in cyber security in the same way they invest in storm prepara- tion, their ability to manage the risk would be significantly improved," he says. Rajab of Tech UK agrees that the energy sector is one of those that must be most vigi- lant when it comes to the cyber crime threat, but he says the bigger players especially have started putting robust systems in place to protect themselves. He also sees a danger in scaremongering over cyber crime, however genuine the risk. "Part of our role is to do some myth bust- ing," he says. "There is a tendency to look at worst-case scenarios and to use fear and uncertainty to generate business." When it comes to smart metering in par- ticular, Rajab is also concerned that talking up the threat level could inhibit uptake, just as the UK-wide rollout of the technology ramps up. "We want people to use new tech- nologies," he continues. "We're not here to say these devices are inherently dangerous." Despite this, he concedes that the prolif- eration of connected devices "opens up more avenues for hackers", and means that energy companies themselves have to up their game when it comes to vigilance. To this end, Energy UK has set up a cyber security working group which shares new developments and best practice guidelines. Furthermore, the national Cyber Security Information Sharing Partnership has a team dedicated to the energy sector. But Rajab sees a difference in how differ- ent companies approach the problems that come with cyber security, and oen those difference comes down to size and resources. "Without wanting to pick on smaller pro- viders, I think that's where the onus is," he says. "I think some of the larger providers have probably been putting these processes and practices in place for years, just because they do. But maybe some of the smaller pro- viders are struggling. "There's a lot to contend with and, for some, maybe security isn't at the forefront of what they do. There is a rush to adopt new technologies, but have they got security built in? That remains to be seen." It is a view echoed by Noam Green, head of product management for security plat- forms at cyber security soware company Check Point. "There's a fine line between A brief history of cyber attacks October 2015 – TalkTalk For six days in October 2015, hackers were able to access the personal data of more than 150,000 customers of telecoms company TalkTalk. Taking advantage of technical weak- nesses in the company's systems, the attack- ers could unearth names, addresses, phone numbers and emails. In more than 15,000 instances, customers' bank account details were also accessed. TalkTalk received a then UK record fine of £400,000 in October 2016, with informa- tion commissioner Elizabeth Denham saying it "should have done more to safeguard customer information". She added: "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to pen- etrate TalkTalk's system with ease." A group of hackers was subequently arrested for the attack, including a 17-year-old boy who pleaded guilty to the charges and told the court he was "just trying to impress my mates". December 2015 – Ukraine power grid attack Amid Russia's ongoing military intervention in Ukraine, which began in 2014, cyber warfare became a new form of conflict. The sophisticated attack on the Ukrainian power grid is thought to be the first of its kind anywhere in the world, temporarily disrupting electricity supply to around 230,000 people, primarily customers of Prykarpattyaoblenergo, but also of two other local distributors. Although no one has claimed responsi- bility, the power grid shutdown is the most famous of a wave of similar cyber attacks on Ukraine, with many experts, including the US government, pointing to groups with links to Russia's secret service, including the notori- ous "Sandworm" hackers. May 2017 – WannaCry Perhaps the best known of all cyber attacks to date, the WannaCry ransomware attack was a worldwide assault targeting computers run- ning Microso Windows in over 150 countries. In the UK, the attack infected the NHS, causing it to curtail some services and cancel operations. According to the National Audit Office (NAO), a third of NHS trusts were disrupted. A highly critical NAO report into the inci- dent later said the NHS had been le vulner- able because cyber security recommendations had not been followed. It added that NHS trusts had failed to act on warning from NHS Digital and the Depart- ment of Health to patch or migrate away more vulnerable older soware. The malware worked by encrypting data on infected machines and demanding a ransom in bitcoins equivalent to £230. The finger has been pointed at North Korea as being behind the attack, a charge the secre- tive state denies. June 2017 – UK general election In July, GCHQ revealed that British energy com- panies had bee the subject of cyber security breaches on the day of the UK general election, a month earlier. A report from the British secret service said that "state-sponsored hostile threat actors" were responsible for the attack, with reports again fingering Russia as the culprit. The attack is believed to have targeted engineers in power plants and distribution networks, but no significant disruption was reported. The incident came aer a wave of warnings that an attack targeting election day was "highly likely". In association with: what steps companies are willing to take on security measures and the risk they believe they are facing," he explains, adding that sometimes two parts of the same organisa- tion can have very different views on how much time and investment should go into protecting against what can oen seem hypothetical threats. "The OT [operational technology] peo- ple in water companies, for example, are in charge of making sure you get water out of the tap; they are more worried about that than about cyber attacks. The IT peo- ple in the same companies are very worried about the consequences, so there's oen a fight between the IT and the OT in the same company." And that reluctance to invest in cyber security seems to extend to other parts of the industry as well, according to some. "If you take the DNO [distribution net- work operator] market, they are seen as a pure cost anyway," says Fujitsu's Wright. "If continued on next page Power grid targeted in Ukraine conflict