Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/901108
20 | 17TH - 23RD NOVEMBER 2017 | UTILITY WEEK
Operations & Assets: Insight report

someone [at a DNO] says they have to spend £10 million on security, under the RIIO framework even the regulator will ask why they're doing it.

"It means you have to have a cast iron justification for this, and that's about balancing the risk that's in the framework, just as they would for risks they carry on any other asset they manage."

Again, just as Energy UK is taking steps to bring thinking on cyber security up to speed quickly among providers, the Energy Networks Association (ENA) is doing the same for networks.

"As smarter energy networks continue to develop, network companies are regularly reviewing their cyber security policies to ensure that the right measures are in place to counter any potential threat," says a spokesperson for ENA. "Energy networks have a long-established cyber security group that works with other industry bodies to identify and mitigate evolving risks. Through this forum network companies develop their approach and communicate with government, Ofgem and other key stakeholders."

There are still problem areas for utilities when it comes to cyber security. The use of third parties along the supply chain when it comes to work in the field, such as updating telemetry, poses risks, even for a company with robust procedures in place. Then there is the question of how to upgrade systems that need security bolstered without risking temporary loss of service.

"It would be brilliant if you could just start from scratch," explains Rajab when asked about the best way to update systems. "But taking a system offline to upgrade it means a loss of service and inability to use that system while you're doing that."

The water sector

When it comes to the water sector, the latest PR19 regulatory framework sets out a focus on "resilience in the round" for water companies, but is this being followed up when it comes to cyber security?
"They've probably not invested as much [in security] as the energy companies and maybe that's because the perceived risk isn't quite so high," says Fiona Griffith, group director at Isle Utilities, which acts as a consultant to water companies in particular. "But a lot of these things are under the radar until something goes wrong – and once things go wrong it becomes a big problem."

Nick Needham, IT security manager at Severn Trent, accepts that the water industry lags behind energy when it comes to taking the cyber crime threat seriously. "In electricity… Ukraine focused attention, and there's been encouragement from the government to get this right," he says. "It would be great if Ofwat did look favourably on companies that try to do the right thing."

Needham insists, however, that the board at Severn Trent is "very cognizant of the risks posed" by cyber crime. He says that the biggest risk, at least in terms of potential consequences, is the potential for unauthorised access to treatment and distribution processes. He assesses the risk as "relatively low" as the operational systems – such as SCADA – are fairly old.

"As we look at more efficient ways to work in those areas, we look at ways to open up access to those systems," he says. "That's good from an operational perspective but a risk from a security perspective."

That balance between the necessity for more open systems and the risks that come with them has to be struck by all utility companies. "This is critical national infrastructure," says Fujitsu's Wright. "If you attack the water or electricity supply you affect a huge number of people. Even if you attack one water company you can affect millions of people."

Noam Green of Check Point is equally stark in his assessment: "It's frightening how easy it is to shut down a country. Many environments out there today are already open to attacks of this sort, so it's just a click away. Should we be worried? Very much so."
New European regulation means data breach fines are set to soar

New European legislation is set to hike the potential fines companies face for breaches of data law. Under the current regime, the maximum fine for a data breach is £500,000. However, under the new General Data Protection Regulation (GDPR) – due to come in next year – this will rise to 4 per cent of a business's global turnover.

The new rules will apply to all businesses that hold and process data collected in the European Union, regardless of their location. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.

The new laws have already begun to change the way utility companies treat data. Nick Needham, IT security manager at Severn Trent, said: "GDPR has definitely changed our behaviour… We take our responsibility to manage our customers' data as absolutely critical and GDPR has just brought that to the fore."

"That Ukrainian incident was a serious wake-up call for the sector."
Talal Rajab, head of programmes, cyber and national security, Tech UK

"If utilities invested in cyber security in the same way they invest in storm preparation, their ability to manage the risk would be significantly improved."
Edgard Capdevielle, chief executive, Nozomi Networks

"If [the system] gets hacked and someone sends constraint notices to all the turbines, you suddenly have a brown out situation."
Jamie Wilkie, Fujitsu cyber security consulting portfolio

