Action needed to avoid repeat of Southern Water cyber attack

Cyber-attacks across all businesses within the UK are on the rise, with an estimated 2.39 million incidents taking place in 2023 alone.

The utility sector is not immune from this, with reports this year warning water suppliers of an elevated risk of attack and of threat actors targeting the infrastructure and operational systems that could directly affect water supply.

The utility sector is currently implementing and adopting digital transformation strategies to improve operational efficiencies and the customer experience. However, within this climate of elevated cybersecurity risk, we face a perfect storm that the industry seems ill-equipped to deal with.

Only last year, Leonhard Birnbaum, chief executive of Eon, told the Financial Times that companies like his would be unprepared if they faced a cyber-attack.

The warning also follows the recent attack on Southern Water, which saw data from up to 10% of its customers stolen, although it has not been exposed. This included names, dates of birth, national insurance numbers, bank account details and reference numbers.

With the stakes set so high for utility businesses, what can be done to avoid the costly and potentially devastating impact of a cyber-attack?

Partly, the responsibility sits with the government to step in and show its support for such a highly regulated sector, with the Cyber Security Task Group – part of the National Cyber Security Centre (NCSC) – already providing research and reports on cyber security standards and best practices for the energy sector.

The current scale and sophistication of cyber criminals indicate that the government has to up its efforts to support businesses in opposing these threats. Cybercrime groups such as Black Basta, which was responsible for the attacks on Southern Water and the Capita hack of last year, work in a highly sophisticated manner and on a global scale, making them extremely difficult for businesses to combat. This level of sophistication is also clearly shown through the recent actions of the cybercriminal gang LockBit, which seemingly evaded the efforts of US law enforcement to disrupt its activity.

The government’s last update on cybersecurity for the utilities sector was outlined in its Cyber Security Strategy report ‘Building a cyber resilient public sector’. Within the report, “operators of essential services” (otherwise known as utility companies) are earmarked as being part of the Cyber Assessment Framework (CAF), developed by the NCSC, which will set an industry standard under the Network and Information Systems regulations.

According to the report, adopting the CAF will ensure that the government is assessing its cyber resilience in a consistent and comparable way to other organisations that operate the UK’s essential services. Alongside this, the government has decided to strengthen regulators’ abilities to invest in training. This will help improve the skills of Critical National Infrastructure (CNI) operators to attract and retain cyber professionals.

When it comes to specific guidance for the water sector on cybersecurity measures, the last official guidance from the government came out in 2017 – in which it outlined its vision for the sector in 2021 to be “a secure, effective, and confident water sector, resilient to the ever-evolving cyber threat”.

While the five objectives set out in that report remain as relevant as they were back then, the government must place a renewed focus on tackling the evolving threat landscape, working closely with and supporting the utilities sector.

Nevertheless, accountability ultimately remains with utility companies themselves to be prepared for a cyber-attack. Businesses shouldn’t wait for the government to step in, or experience an attack themselves, before having a strategy in place to deal with breaches and cyber threats.

So far, the utility sector has very successfully adopted and implemented digital transformation strategies. However, such digital change can often bring about an elevated risk of cyber-attacks on businesses’ technology infrastructure.

For example, digitalising sales channels, or using cloud infrastructures, AI, automation, and analytics can offer significant benefits. However, these often come with hidden compliance risks that could increase the likelihood of cybercrime. Remaining compliant with complex and evolving policies will never be an easy task – but it is imperative to establish both a suitable cyber resilience strategy and a risk management framework for mitigating associated threats and staying on top of changing regulations.

This involves determining a structure within each organisation and naming specific individuals who can enforce and oversee digital strategy. These individuals are responsible for ensuring the organisation is both proactive and reactive to digital threats, creating a specific plan for handling cyber incidents and providing tailored cyber security training for all employees.

Implementing clear internal policies and processes to ensure that the whole business is aligned with overarching regulations is also crucial, with regular risk analysis helping businesses avoid costly delays or compliance issues.

However, ensuring that the appropriate technology and processes are in place to safeguard against cyber-attacks is by no means the only step that needs to be taken – there needs to be an industry-wide overhaul in the approach taken to digital safety.

Considering the impact cyber-attacks can have on the vital infrastructure within the utilities sector, cybersecurity still does not receive enough attention. We are currently not just one, but several steps behind threat actors, and in this delicate digital ecosystem one weak point can leave whole industries and millions vulnerable. It’s imperative that we see a step change within the utility sector, the government, and all businesses in the UK to combat cybercrime and strengthen our defences against it.