Five things utilities need to know about cyber-security

Our recent webinar with Schneider Electric highlighted the growing threat to networks from cyber criminals as the toughening up of UK cyber-security regulations looms. But there’s a lot utilities can do to prepare, as Schneider expert Victor Lough explains.

The scope of cyber-security regulations in the UK will increase as the Government updates its Network and Information Systems (NIS) legislation in the coming months.

That’s in response to developments in Europe, where an NIS 2 directive is being introduced. Although there will be differences to the UK’s approach, the feeling is that broader and more all-encompassing cyber restrictions are needed, and that means networks – and their wider supply chains – need to be prepared.

Not doing so could mean big fines. The Information Commissioner’s Office can already issue penalties for contravention of NIS of up to a maximum of £17 million in the most serious cases.

Victor Lough, cybersecurity and solution services business lead for process automation at Schneider Electric, has more than 20 years’ experience in cyber security for OT environments. Utility Week sat down with Victor to find out what utilities should be considering right now when it comes to guarding against the growing cyber threat. Here are five key takeaways:

1. The attack surface is growing, and energy is a prime target.

The energy industry ranked fourth, behind only manufacturing, financial and professional services, in terms of sectors hackers pursued the most last year. 2022 set an all-time high for the number of cyber-attacks on the energy industry. The increasing connectivity of utility and network assets to digital technology only broadens the area hackers are aiming at.

That target is set to grow. “There are restrictions on people’s capability right now and a lot of the heavy lifting is being done with technology,” explains Lough. “That has to be the case if we’re to meet our asset management and net-zero goals. But it means the attack surface is growing.”

2. Many more parties will be subject to stringent cyber regulations.

In the EU, NIS 2 means more companies are to be regarded as essential services, and it will be the same in the UK. For example, managed security service providers (MSSPs) and load controllers are expected to be affected. Friendly third parties connected to your system through remote access will be expected to be cyber secure, too – just like utilities themselves.

“No one wants a repeat of the SolarWinds cyber-attack, where hundreds of organisations in the supply chain were compromised,” says Lough. “If a small provider is hit, it can represent a very big problem that cascades up. We want to raise the resilience of the whole network.”

3. Ransomware as a service is a growing threat.

Some hackers are now selling their ransomware capabilities to the highest bidder, whether that’s cyber criminals or hostile nation states. Some organised crime groups are reportedly making more money from ransomware than they do from the narcotics trade, Lough points out.

“The UK National Cyber Security Centre says there has been an 88% increase in ransomware attacks over the last two years. Insurance companies closed their books when it comes to ransomware for a period because the situation was so bad. Number one on the list for utilities looking to protect themselves from ransomware is access and endpoint control.”

4. Basic engineering principles provide a lot of safeguards.

There are simple principles – ensuring security patches are applied, for instance – that can help protect networks and their supply chains. Networks should have a back-up recovery plan, an incident response plan in the event of an attack, and good situational awareness of potential threats, says Lough. “Some form of network monitoring to understand what is out there is crucial because bad actors can remain hidden on networks for some time.”

5. Networks should start with understanding assets and vulnerabilities.

If utilities don’t know what assets they have, they won’t know what to protect. “We always begin with understanding assets and any vulnerabilities,” says Lough. “Our cyber-security assessments entail a holistic defence-in-depth approach which goes all the way through from products to human factors, how systems are delivered, and how assets are maintained and secured, delivering resiliency over the medium to long term.”
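The two points above, knowing what is on the network and knowing which of those assets carry unpatched vulnerabilities, come down to a small amount of bookkeeping that is worth seeing in working form. The script below is an added illustration written for this page; it is not Schneider Electric's code or part of any Utility Week material. Every asset, IP address, product name, firmware version and advisory identifier in it is constructed for the example (the advisory IDs are deliberately labelled as such and correspond to no real advisory). It cross-references an asset inventory against a vendor advisory list to find firmware below the fixed version, ranks remotely reachable devices first, and compares the inventory with the hosts actually observed on the network so that unlisted devices stand out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One OT device as recorded in the asset inventory (constructed data)."""
    host: str
    ip: str
    vendor: str
    product: str
    firmware: str       # dotted integer version string, e.g. "2.1.0"
    zone: str
    remote_access: bool  # reachable by a third party over remote access


@dataclass(frozen=True)
class Advisory:
    """A vendor advisory: every firmware older than fixed_in is affected (constructed)."""
    advisory_id: str
    vendor: str
    product: str
    fixed_in: str


# Constructed inventory; vendors, hosts and addresses are placeholders.
INVENTORY = [
    Asset("plc-sub-01", "10.20.1.11", "ExampleVendor", "PLC-X", "2.1.0", "substation", True),
    Asset("plc-sub-02", "10.20.1.12", "ExampleVendor", "PLC-X", "2.3.1", "substation", False),
    Asset("hmi-ctrl-01", "10.20.2.5", "ExampleVendor", "HMI-Y", "5.0.4", "control-room", True),
    Asset("rtu-field-07", "10.20.3.40", "OtherVendor", "RTU-Z", "1.9.0", "field", False),
]

# Constructed advisory list; the IDs are placeholders, not real advisories.
ADVISORIES = [
    Advisory("ADV-CONSTRUCTED-001", "ExampleVendor", "PLC-X", "2.2.0"),
    Advisory("ADV-CONSTRUCTED-002", "ExampleVendor", "HMI-Y", "5.1.0"),
]

# Constructed set of source addresses seen by passive network monitoring.
OBSERVED_IPS = {"10.20.1.11", "10.20.1.12", "10.20.2.5", "10.20.3.40", "10.20.3.99"}


def parse_version(version: str) -> tuple:
    """Turn "2.10.1" into (2, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_assets(inventory, advisories):
    """Return (asset, advisory) pairs where the asset runs firmware below the fix.

    Remotely reachable devices sort first because a third-party connection is the
    path the article singles out as needing the same controls as the utility itself.
    """
    findings = []
    for asset in inventory:
        for adv in advisories:
            same_product = (asset.vendor, asset.product) == (adv.vendor, adv.product)
            if same_product and parse_version(asset.firmware) < parse_version(adv.fixed_in):
                findings.append((asset, adv))
    findings.sort(key=lambda pair: (not pair[0].remote_access, pair[0].host))
    return findings


def unknown_hosts(inventory, observed_ips):
    """Addresses seen on the wire that no inventory record explains."""
    known = {asset.ip for asset in inventory}
    return sorted(observed_ips - known)


def build_report(inventory, advisories, observed_ips) -> dict:
    """Summarise both checks in one structure a patching or IR team could act on."""
    return {
        "unpatched": [
            {"host": a.host, "zone": a.zone, "remote_access": a.remote_access,
             "firmware": a.firmware, "fixed_in": adv.fixed_in, "advisory": adv.advisory_id}
            for a, adv in vulnerable_assets(inventory, advisories)
        ],
        "unknown_hosts": unknown_hosts(inventory, observed_ips),
    }


if __name__ == "__main__":
    report = build_report(INVENTORY, ADVISORIES, OBSERVED_IPS)
    for item in report["unpatched"]:
        print(f"PATCH {item['host']} ({item['zone']}): {item['firmware']} -> {item['fixed_in']} "
              f"[{item['advisory']}] remote_access={item['remote_access']}")
    for ip in report["unknown_hosts"]:
        print(f"INVESTIGATE unlisted host {ip}")
```

Run against the constructed data, the report flags the two devices whose firmware predates the fix, with the remotely accessible HMI listed ahead of the PLC, and surfaces 10.20.3.99 as a host that monitoring saw but the inventory does not know about. In a real deployment the inventory and advisory lists would be loaded from the asset register and the vendor's feed; the comparison logic stays the same.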


It’s not all doom and gloom by any means. The scale and scope of the threat may be evolving, but many utilities and networks will already be carrying out these types of activities. “Failure is not inevitable if we get the governance, investment, assets and vulnerabilities, and access control right,” says Lough.

“But NIS 2 undeniably means the bar is being raised. Networks should be considering how to meet tougher cyber security standards over the next few months.”

Want more from Victor on cyber-security? Sign up right now to watch the Schneider Electric webinar on demand.