Cyber attacks: are we safe in your hands?

Recent data breaches in the telecommunications sector have rightly raised questions about online security. Naturally, attention has turned to other markets, such as energy, as customers seek assurances that their personal information is in safe hands.

So how secure is the energy market? And what can firms do to make sure they are on top of their game? There are two main targets for potential hackers: the energy network itself, and the customer data held by energy companies.

Securing the energy network

Although there is a financial incentive in targeting energy companies, some hackers can be motivated by the disruption they can cause to critical infrastructure by attacking the broader network. These attacks may be especially appealing to those looking to inflict harm on nations and governments, whether it is online “hacktivists”, terrorist organisations or unfriendly nation states.

Breaches have occurred in the past but the impact has normally been contained; had this not been the case, the consequences could have been devastating. If someone were able to hack and crash the energy grid, they could cause widespread and sustained disruption for millions of people and inflict chaos on key businesses and transport networks.

In a controlled test last year, a German IT security firm successfully hacked into utility control systems, giving it the opportunity to cut off power, water and gas to the entire German town of Ettlingen.

Given the potential consequences, the security of critical national infrastructure (CNI) is seen as a major priority by the government, with colossal resources being dedicated to keeping it safe and secure. GCHQ, the Centre for Protection of National Infrastructure and other government bodies take a particular interest in protecting the UK’s energy control systems, which send commands to keep the lights on across the nation. The security around these systems is continuously re-evaluated and any suspicious activity is treated extremely seriously by the authorities.

Securing customer data

The government’s focus on protecting the energy network, and the level of sophistication required to compromise control systems, mean that a major compromise in this area would be difficult. However, critical national infrastructure is not the only potential target. Energy companies may also be attacked in an attempt to extract useful data.

Customers have witnessed the introduction of increasingly sophisticated energy technology (such as smart meters), capable of recording granular information about their energy usage. When smart meters started rolling out across the UK, there was some concern about how the data would be handled. Energy suppliers are mandated by the government to put in place robust security measures designed to prevent unauthorised access to smart meter commands and consumption data. These security measures are audited on a regular basis and come under scrutiny from numerous independent parties.

An area that carries more significant risk is the extraction of personal information, such as email addresses, passwords and credit card details. These attacks are aimed at core billing systems and customer records, which can fall outside the scope of the more exacting smart meter standards. It is important that energy companies use security systems to keep their websites and databases free from intrusion.

However, it is arguably more important to establish strong security processes (for example, around data handling or risk management), ideally based on a clear understanding of the security threats the business is facing. This leads to the effective application of security systems, and ensures that future changes do not introduce weaknesses.

Building a secure business

To embed these processes, efforts need to be made to establish a security culture, developed through procedural and behavioural training. Only by building this culture and these processes into the heart of the organisation can companies avoid complacency about the threats faced by the industry. This relentless focus needs to be articulated and developed by the board and senior leaders. It is these executives who would have to deal with any rapid response to a data breach.

The government is placing a high priority on encouraging good practice in this area. It has developed programmes such as Get Safe Online and Cyber Essentials, which can provide companies with a security baseline and a useful stepping stone to rigorous security standards and procedures. GCHQ has also developed a checklist of ten key security areas, which would provide a useful starting point for any business that wants to stay ahead of the game. For a more mature security framework, organisations should look to internationally recognised standards such as ISO 27001, NIST or SOC 2.

Technology is evolving and the capabilities of hackers are evolving along with it, often at a great pace. While significant steps have been taken to keep our energy networks secure, energy companies need to avoid complacency and invest in their security. This will enable them to protect their reputation and give their customers peace of mind.

Dean Kelshall, senior manager, and Ellen Fraser, partner, at Baringa