Cyber Security in Energy & Utilities
By Shirley O’Sullivan
Energy and Utilities providers are in a unique position. Our services (gas, electricity and water) are essential to the basic functioning of society. Criminal gangs and nation states see this sector as a prized target; suspending a service such as electricity, even for a few hours, would cripple society.
The sector is also in the vanguard of a digital revolution. Energy companies are under pressure from the Government to install smart meters and need to use technology to run their operations more efficiently. The rapid take-up of new devices, and integrating them with existing systems, is creating more opportunities for cyber-crime.
Why Is Cyber Security Such A Key Issue For Energy and Utilities?
In his work, A Theory of Human Motivation, Maslow introduced the Hierarchy of Needs. Physiological needs are the most basic, such as warmth, food and drink. By providing heating, light and water, the energy sector and utility companies satisfy our country’s basic needs. They are critical. For this reason, organised crime and foreign state actors see these services as a target. Denying services, or threatening to, makes them perfect for ransomware or sabotage attacks. Similarly, nation states see the denial or disruption of services as a political weapon, impacting the will and morale of their enemies. They may even carry out cyber-crime to demonstrate their power on the world stage.
Energy firms are increasingly partnered with other companies in a supply chain. Electricity has generators and transmitters. Oil and gas have producers and distributors. Everyone has partnerships for the supply of materials, technology and transport. Each partner in the supply chain increases the attack surface, and the overall security of the service is only as good as the weakest link.
The sector is at the forefront of the digital revolution. Energy suppliers are responsible for installing smart meters for all their domestic customers by the end of 2020. They need to use technology to improve their competitive efficiency with smart grids, IoT sensors and smart tablets. Technology further increases the attack surface, notably by adding low cost / low security devices. State-of-the-art devices must be integrated with Cloud storage, but also with legacy hardware and software.
What Are The Problems?
The highest risks are operational. Criminal activity involving gas, for example, can be catastrophic to property and human life. All services have operational risks that would be damaging to the environment.
European companies also must conform to a number of regulations:
- The Network and Information Security Directive (NISD) is aimed squarely at the providers of “essential services” and requires firms to notify authorities of a significant incident. They must demonstrate that they have assessed security risks, taken “appropriate and proportionate” measures to prevent them and established response strategies.
- The UK’s NCSC has published guidance relating to security risks – managing, defending against, detecting and minimising the impact of cyber security incidents.
- GDPR – all businesses, not just the energy and utilities sector, have had to look closely at their processes around data protection.
As with GDPR, non-conformance with NISD is punishable by large fines. The situation is further complicated as there is an onus on European member states to publish their own guidelines (such as NCSC). Companies with cross-border operations will have to comply with multiple national regulations.
The most common weakness for cyber-crime in any sector is people. Hacking is increasingly sophisticated. Many cautious people have been duped by phishing emails or have opened a malicious attachment. Sales staff, or anyone travelling on behalf of the company, are a target via public Wi-Fi or simple theft of corporate devices such as laptops, tablets and smartphones.
What Can The Energy Sector and Utilities Do?
An executive stakeholder needs to develop and drive through the security strategy. This person will be highly technical, able to understand the technology implications, but also an excellent communicator. They will be able to explain security risks and mitigation to non-technical executives.
Artificial Intelligence (AI) is increasingly being used in the front-line against cyber threats. AI can learn the normal patterns of behaviour across the company’s systems. It can then detect changes to the patterns, or strange behaviour. Finally, AI can act to mitigate the risk in a discrete area of the system. This is especially valuable when there are huge numbers of IoT devices. Each of these connects to the network and, possibly, cloud storage. A sudden increase in network activity might signify the device is malfunctioning, or under a hacker’s control.
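The learn-then-detect idea described above can be sketched with a simple per-device statistical baseline standing in for a trained model. This is an added example, not part of the original article; the device names, byte counts, thresholds and function names are constructed assumptions.

```python
from statistics import median

MIN_SAMPLES = 8    # assumed: history needed before a baseline is trusted
THRESHOLD = 6.0    # assumed: robust score above which an interval is flagged


def robust_baseline(history):
    """Return (median, scale) for one device's bytes-per-interval history."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # 1.4826 * MAD approximates a standard deviation for normal data. The
    # floors stop a perfectly steady device (MAD == 0) alerting on tiny jitter.
    scale = max(1.4826 * mad, 0.05 * med, 1.0)
    return med, scale


def detect_spikes(samples, min_samples=MIN_SAMPLES, threshold=THRESHOLD):
    """samples: (device_id, interval, bytes_sent) tuples in time order.

    Returns (device_id, interval, bytes_sent, score) for each flagged interval.
    """
    history = {}
    alerts = []
    for device, interval, sent in samples:
        seen = history.setdefault(device, [])
        if len(seen) >= min_samples:
            med, scale = robust_baseline(seen)
            score = (sent - med) / scale
            if score > threshold:
                alerts.append((device, interval, sent, round(score, 1)))
                continue  # keep the outlier out of the learned baseline
        seen.append(sent)
    return alerts


def constructed_samples():
    """Constructed traffic for three hypothetical devices."""
    series = {
        "meter-017": [1200, 1180, 1250, 1210, 1190, 1230, 1205, 1220,
                      1215, 48000, 1198],           # one sudden burst
        "pump-003": [300] * 10 + [310],             # steady, MAD == 0
        "sensor-new": [90000, 200],                 # too little history
    }
    return [(dev, i, b) for dev, vals in series.items()
            for i, b in enumerate(vals)]


if __name__ == "__main__":
    for alert in detect_spikes(constructed_samples()):
        print("ALERT", alert)
```

The newly connected sensor is not flagged despite its large first reading, which shows the cost of needing a learning period: a device that is already misbehaving when it joins has no normal pattern to be compared against.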
Staff training is essential; everyone needs to understand the company’s approach to security and where they fit in. Training in password management and email precautions is relevant at all levels. Staff working outside the office – travelling or home working – need to take extra precautions.
It may be a bitter pill, but following industry leaders’ security strategies could bring benefits. Informal networking at conferences, or formal peer groups, can help to spread good practice.
Will The Lights Go Out?
Firms in the sector are aware of the likelihood and risks of a cyber-attack; security is a topic on every board’s agenda. Staying ahead of the increasing complexity of threats means everyone must play their part, from the board through to operators.
By continually refreshing a well-designed risk management strategy, and architecting mitigations into it, it should be possible to mitigate the risks of cyber threats and ensure that, as a nation, we continue to enjoy these essential services.