Issue link: https://fhpublishing.uberflip.com/i/912901
NETWORK / 19 / DECEMBER 2017 / JANUARY 2018 Security is key Scottish and Southern Electricity (SSE) networks director of business assurance Bev Keogh says cyber security is now at the heart of the firm's work. "As the owner and operator of part of the UK's critical national infrastructure, cyber security isn't just an additional responsibility or a bolt-on," she says. SSE has invested in a long-term security programme, and is incorporating security into the design of its systems as well as conducting regular IT testing. "We have also looked to educate our teams about good cyber security behaviours and have a compulsory security awareness and e-learning programme," says Keogh. "As well as ensuring security of systems, we work in close collaboration with government and wider industry to share knowledge and help understand the increasing sophistication and prevalence of threats worldwide. It's an issue we take very seriously." Pritchard says getting a grip of the scale and nature of potential threats is tricky as there is so much secrecy applied to cyber security. "A big problem is that details are hard to come by in the public domain," he says. "In the Ukraine there were two power cuts caused by people hacking into controlled networks, the impact was relatively shortlived and limited but they demonstrated it was possible and needs to be taken seriously. "There is a possibility of someone trying to disrupt power supplies but a low probability of it succeeding in the UK. The attacks in Ukraine have served as a wake- up call and also the UK has been taking this seriously since the 90s." Pritchard, who has worked with the government and power firms in his 15 years working in this field, says a key step is separating corporate and power networks. "Power firms need to make sure critical networks are segregated from corporate networks either completely or using well locked down gateways and access points," he says. "They need to put extra protections on the critical networks so if someone makes a mistake on the corporate networks it doesn't impact the power distribution network." He says creating a tight IT system is the basic groundwork to protecting your power supply. "If it's not a well-managed IT network it is hard to secure." Pritchard adds that although much of the focus has been on protecting power supplies, by keeping networks locked "Power firms need to make sure critical networks are segregated from corporate networks." Emergency Executive Committee task groups and ENA's Cyber Security Working Group, network companies have established ways of identifying, assessing and responding to long-term cyber-security threats in a cross-industry, strategic fashion," says Gill. "This work includes undertaking regular industry standard benchmarking, the developing of common standards for specific areas of infrastructure and ensuring that those people working for network companies and their supporting supply chain understand the role they play in managing threats." down, a change in legislation next year could make security of the data itself very important. The General Data Protection Regulation (GDPR) will apply from 25 May 2018. Fines for breaching the strict new laws could be as high as €20m (about £18m). Advice Keeping abreast of developments in cyber security requires experts who stay up-to- date, says Pritchard. "It is hard to keep up with it – the threats change, new technologies come along. The defence strategies don't change that much but you need to refresh your knowledge." He says there are no "magic bullets" to protect against cyber threats, but outlines a series of solid steps to take. "Critical networks should be segregated entirely, or at least have high controlled and limit access. Corporate networks should be subject to good IT management. "Firms should implement security monitoring in some form, and be providing awareness training to staff. In terms of standards compliance there are plenty to choose from – ISO 27001 is widespread, and Cyber Essentials is becoming popular in the UK." Although protecting against an attack should be the priority, there also needs to be consideration of what to do if things do go wrong. "There is no excuse for a power company not to have planned for the worst, and they should be operating on the assumption that a successful attack is inevitable," says Pritchard. "The incident management process should allow for rapid analysis of any incident, and have the processes in place to isolate and recover quickly." Perhaps we shouldn't be surprised that there is much to do. Martin said in his speech that getting to grips with cyber security was the next challenge of the digital age. "My point is before we get onto things like robots reading books on trains, we need to understand stuff like this. We need to think about attacks that do damage to individual corporations and people's confidence in the digital economy." References: 1. https://tinyurl.com/zfkzoua 2. https://tinyurl.com/ya5onol4 3. https://tinyurl.com/yb9wxkl2