Not long ago it would have seemed like the preserve of a science fiction novel: a highly organised cyber attack on a country’s critical infrastructure as part of an undeclared but de facto war.
Yet just before Christmas 2015, this is what happened in Ukraine. Hackers managed to cause a blackout for nearly 250,000 customers of three energy distribution companies. The perpetrators’ identities remain a mystery, but it is widely believed that the Kremlin was behind it.
Of more pressing concern for the utilities sector, the Ukrainian blackout is also believed to be the first successful attempt to disrupt a power grid through a cyber attack. “That Ukrainian incident was a serious wake-up call for the sector,” confirms Talal Rajab, head of programmes, cyber and national security at Tech UK, a trade body for the technology industry.
According to Rajab, the incident could be a sign of things to come: “It is state-level type of capability. Instead of sending tanks and soldiers on the ground, using something like this to bring a city down is the way wars could be waged in future.”
For utility companies, this demonstrates how they could find themselves on the frontline of this new threat.
So, what are the specific threats to utilities and their customers? What has been done about it so far within the industry? And what more do companies, regulators and government need to do to keep us safe in an ever more connected and digitised operating environment?
Part of the problem is that, when it comes to the kind of threats we are facing, there is not one simple answer. Attacks on the scale of the Ukrainian incident or the WannaCry ransomware attack that caused mayhem in the NHS in May this year (see box, right) may still be rare, but the severity of the consequences mean they have to be taken seriously. Meanwhile, the huge amount of data now being collected about customers’ behaviour opens up a whole other range of threats.
“There are so many things that could happen,” says Graeme Wright, chief technical officer for the utilities sector at Fujitsu, which provides services to help protect businesses against these types of attack.
One area of concern for Wright is around demand response systems. “What happens with the information that Hive or Google or Amazon is collecting from consumers about how they’re managing their energy use?” he asks. “And what happens if that information gets collected sufficiently to work out when people are in? How are retailers collecting and managing that data?”
Wright’s colleague, Jamie Wilkie, who works on Fujitsu’s cyber security consulting portfolio, believes the potential threat from unsecured data is greater still. “At a system level, if someone can manipulate the demand response level of a whole city then the utility might believe there’s a huge requirement for electricity where there is none, which could burn out the whole system,” he explains.
“A lot of renewables have demand response built into the system. If that gets hacked and someone sends constraint notices to all the turbines you suddenly have a brown out situation.”
Real and present danger
These might sound like scare stories, but the threat is very real. A January 2016 report from Cambridge University’s Centre for Risk Studies found that around 15 per cent of all cyber attacks logged in the UK were directed at the energy sector, making it second only to financial services as the most at-risk sector.
The same report outlines the potential consequences of a cyber attack on the electricity distribution network in the south and east of the UK. It estimates that this kind of attack could disrupt transportation, digital communications and water services for up to 13 million people and cost the UK economy between £49 billion and £442 billion.
While the Cambridge report is necessarily speculative, the scenario it outlines is not outside the realms of possibility. Last month, EY ranked cyber attacks along with extreme weather events as the biggest operational risks for utility companies. And yet not all companies are as up to speed with this new reality as others.
Edgard Capdevielle, chief executive of cyber security firm Nozomi Networks, says that while “significant strides forward have been made”, more could be done to neutralise the threat.
“If utilities invested in cyber security in the same way they invest in storm preparation, their ability to manage the risk would be significantly improved,” he says.
Rajab of Tech UK agrees that the energy sector is one of those that must be most vigilant when it comes to the cyber crime threat, but he says the bigger players especially have started putting robust systems in place to protect themselves.
He also sees a danger in scaremongering over cyber crime, however genuine the risk.
“Part of our role is to do some myth busting,” he says. “There is a tendency to look at worst-case scenarios and to use fear and uncertainty to generate business.”
When it comes to smart metering in particular, Rajab is also concerned that talking up the threat level could inhibit uptake, just as the UK-wide rollout of the technology ramps up. “We want people to use new technologies,” he continues. “We’re not here to say these devices are inherently dangerous.”
Despite this, he concedes that the proliferation of connected devices “opens up more avenues for hackers”, and means that energy companies themselves have to up their game when it comes to vigilance.
To this end, Energy UK has set up a cyber security working group which shares new developments and best practice guidelines. Furthermore, the national Cyber Security Information Sharing Partnership has a team dedicated to the energy sector.
But Rajab sees a difference in how different companies approach the problems that come with cyber security, and often those difference comes down to size and resources.
“Without wanting to pick on smaller providers, I think that’s where the onus is,” he says. “I think some of the larger providers have probably been putting these processes and practices in place for years, just because they do. But maybe some of the smaller providers are struggling.
“There’s a lot to contend with and, for some, maybe security isn’t at the forefront of what they do. There is a rush to adopt new technologies, but have they got security built in? That remains to be seen.”
It is a view echoed by Noam Green, head of product management for security platforms at cyber security software company Check Point. “There’s a fine line between what steps companies are willing to take on security measures and the risk they believe they are facing,” he explains, adding that sometimes two parts of the same organisation can have very different views on how much time and investment should go into protecting against what can often seem hypothetical threats.
“The OT people in water companies, for example, are in charge of making sure you get water out of the tap; they are more worried about that than about cyber attacks. The IT people in the same companies are very worried about the consequences, so there’s often a fight between the IT and the OT in the same company.”
And that reluctance to invest in cyber security seems to extend to other parts of the industry as well, according to some.
“If you take the DNO market, they are seen as a pure cost anyway,” says Fujitsu’s Wright. “If someone says they have to spend £10 million on security, under the RIIO framework even the regulator will ask why they’re doing it.
“It means you have to have a cast iron justification for this, and that’s about balancing the risk that’s in the framework, just as they would for risks they carry on any other asset they manage.”
Again, just as Energy UK is taking steps to bring thinking on cyber security up to speed quickly among providers, the Energy Networks Association (ENA) is doing the same for networks. “As smarter energy networks continue to develop, network companies are regularly reviewing their cyber security policies to ensure that the right measures are in place to counter any potential threat,” says a spokesperson for ENA.
“Energy networks have a long-established cyber security group that works with other industry bodies to identify and mitigate evolving risks. Through this forum network companies develop their approach and communicate with government, Ofgem and other key stakeholders.”
There are still problem areas for utilities when it comes to cyber security. The use of third parties along the supply chain when it comes to work in the field, such as updating telemetry, poses risks, even for a company with robust procedures in place.
Then there is the question of how to upgrade systems that need security bolstered without risking temporary loss of service. “It would be brilliant if you could just start from scratch,” explains Rajab when asked about the best way to update systems. “But taking a system offline to upgrade it means a loss of service and inability to use that system while you’re doing that.”
The water sector
When it comes to the water sector, the latest PR19 regulatory framework sets out a focus on “resilience in the round” for water companies, but is this being followed up when it comes to cyber security?
“They’ve probably not invested as much as the energy companies and maybe that’s because the perceived risk isn’t quite so high,” says Fiona Griffith, group director at Isle Utilities, which acts as a consultant to water companies in particular.
“But a lot of these things are under the radar until something goes wrong – and once things go wrong it becomes a big problem.”
Nick Needham, IT security manager at Severn Trent, accepts that the water industry lags behind energy when it comes to taking the cyber crime threat seriously. “In electricity… Ukraine focused attention, and there’s been encouragement from the government to get this right,” he says. “It would be great if Ofwat did look favourably on companies that try to do the right thing.”
Needham insists, however, that the board at Severn Trent is “very cognizant of the risks posed” by cyber crime.
He says that the biggest risk, at least in terms of potential consequences, is the potential for unauthorised access to treatment and distribution processes. He assesses the risk as “relatively low” as the operational systems – such as Scada – are fairly old.
“As we look at more efficient ways to work in those areas, we look at ways to open up access to those systems,” he says. “That’s good from an operational perspective but a risk from a security perspective.”
That balance between the necessity for more open systems and the risks that come with them has to be struck by all utility companies. “This is critical national infrastructure,” says Fujitsu’s Wright. “If you attack the water or electricity supply you affect a huge number of people. Even if you attack one water company you can affect millions of people.”
Noam Green of Check Point is equally stark in his assessment: “It’s frightening how easy it is to shut down a country. Many environments out there today are already open to attacks of this sort, so it’s just a click away. Should we be worried? Very much so.”
A brief history of cyber attacks
October 2015 – TalkTalk
For six days in October 2015, hackers were able to access the personal data of more than 150,000 customers of telecoms company TalkTalk. Taking advantage of technical weaknesses in the company’s systems, the attackers could unearth names, addresses, phone numbers and emails. In more than 15,000 instances, customers’ bank account details were also accessed.
TalkTalk received a then UK record fine of £400,000 in October 2016, with information commissioner Elizabeth Denham saying it “should have done more to safeguard customer information”. She added: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s system with ease.”
A group of hackers was subequently arrested for the attack, including a 17-year-old boy who pleaded guilty to the charges and told the court he was “just trying to impress my mates”.
December 2015 – Ukraine power grid attack
Amid Russia’s ongoing military intervention in Ukraine, which began in 2014, cyber warfare became a new form of conflict.
The sophisticated attack on the Ukrainian power grid is thought to be the first of its kind anywhere in the world, temporarily disrupting electricity supply to around 230,000 people, primarily customers of Prykarpattyaoblenergo, but also of two other local distributors.
Although no one has claimed responsibility, the power grid shutdown is the most famous of a wave of similar cyber attacks on Ukraine, with many experts, including the US government, pointing to groups with links to Russia’s secret service, including the notorious “Sandworm” hackers.
May 2017 – WannaCry
Perhaps the best known of all cyber attacks to date, the WannaCry ransomware attack was a worldwide assault targeting computers running Microsoft Windows in over 150 countries.
In the UK, the attack infected the NHS, causing it to curtail some services and cancel operations. According to the National Audit Office (NAO), a third of NHS trusts were disrupted.
A highly critical NAO report into the incident later said the NHS had been left vulnerable because cyber security recommendations had not been followed.
It added that NHS trusts had failed to act on warning from NHS Digital and the Department of Health to patch or migrate away more vulnerable older software.
The malware worked by encrypting data on infected machines and demanding a ransom in bitcoins equivalent to £230.
The finger has been pointed at North Korea as being behind the attack, a charge the secretive state denies.
June 2017 – UK general election
In July, GCHQ revealed that British energy companies had bee the subject of cyber security breaches on the day of the UK general election, a month earlier.
A report from the British secret service said that “state-sponsored hostile threat actors” were responsible for the attack, with reports again fingering Russia as the culprit. The attack is believed to have targeted engineers in power plants and distribution networks, but no significant disruption was reported.
The incident came after a wave of warnings that an attack targeting election day was “highly likely”.
New European regulation means data breach fines are set to soar
New European legislation is set to hike the potential fines companies face for breaches of data law. Under the current regime, the maximum fine for a data breach is £500,000. However, under new the General Data Protection Regulation (GDPR) – due to come in next year – this will rise to 4 per cent of a business’s global turnover. The new rules will apply to all businesses that hold and process data collected in the European Union, regardless of their location. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The new laws have already begun to change the way utility companies treat data. Nick Needham, IT security manager at Severn Trent said: “GDPR has definitely changed our behaviour…We take our responsibility to manage our customers’ data as absolutely critical and GDPR has just brought that to the fore.”