Ex-GCHQ chief: Cyber attacks could target fragile trust in utilities

Already fragile consumer confidence in the utility sector is at risk of being targeted by malicious foreign states in cyber attacks, a former deputy director at one of the UK’s leading intelligence agencies has warned.

Brian Lord, ex-deputy director of cyber and intelligence operations at GCHQ, said that attacks on core infrastructure are now unlikely. However, speaking to Utility Week, Lord warned that hostile forces would find other ways to cause disruption to the UK’s critical national infrastructure by undermining confidence in its services.

Lord – who is currently managing director at cyber and digital consultancy Protection Group International – explained that while there is still a risk, attacking core infrastructure is “very difficult” to do.

“In order to take down a big network, you’ve got to be able to have a presence on that network for a long time, you’ve got to understand how it works, you’ve got to work out what the vulnerabilities are and you’ve got to be able to strike at the right time of your choosing to be able to do it. That is incredibly complicated and very, very, very difficult to do because networks are being updated all the time,” he explained.

However, Lord said a “high degree of disruption” can be created without actually taking down critical assets.

Lord warned that consumer confidence in utility companies is the “soft underbelly” through which malicious actors can attack.

By way of example, he explained that a cyber attack on the American Colonial Pipeline in 2021 focused on its administrative systems, which resulted in the company halting its operations as a precautionary measure.

He continued: “States can undermine confidence without hacking into the system and bringing it down. Increasingly, because of the level of complexity that it takes to attack critical national infrastructure… states will just perpetually undermine confidence [in utility services and governments].”

Ultimately Lord believes that utilities have been “very good” at protecting themselves from technical attacks on their assets. The next phase, he added, is how they manage to preserve their reputation in a world where digital risks are growing.

“They are probably happy that they are where they should be in 2024,” he said. “Are they generally aware of what they need to look like by 2028 beyond just making their technical defences better? No, I don’t think that’s right. Do I believe that there is an emerging risk of utilities being taken down by a cyber attack? Not really.

“I think there’s an emerging risk of the customer confidence in the utility companies, and the inherent risk of the application of artificial intelligence through the supply chain, which just generally creates a softer underbelly for organisations’ ability to be able to safely survive through the next four years because we’re looking at a slightly more asymmetric and hybrid threat than just a cyber attack.”

Earlier this year Southern Water was the victim of a cyber attack by the Black Basta ransomware group in which thousands of customers had their data stolen.

Southern said the attack was believed to have affected between 5% and 10% of its customer base.

The Black Basta group claimed the attack and published some of the data it stole, which included scans of identity documents such as passports and driving licences, and HR-related documents displaying personal data including home addresses, office addresses, dates of birth, nationalities, and email addresses.