Organisational weak links were at the top of the agenda as utility industry leaders met at the Covent Garden Hotel last month. Identifying these weak cyber links in utility organisations has become a priority in recent years.
Responding to the question of where the potential weakest links lie, one delegate expressed concern about third parties not understanding cyber security and the risks that surround it.
“You have got a lot of third parties bringing offerings to bear who don’t necessarily understand cyber security, in some cases in its most basic form, potentially exposing networks and organisations to big risk,” the attendee said.
Another delegate described a real-life incident in which malware present on a laptop used on a utility site was unintentionally uploaded into the site's system. In that case a technician had used the internet to resolve an issue, and the malware was introduced in the process.
“Even if you segregate operational technology and information technology networks, there is no air gap. The trouble is engineers are engineers, and they will do whatever they can to make something work,” they said.
Ensuring IT systems are secure has become a paramount concern, yet physical barriers are still needed to prevent people who wish to do harm from entering a site, as one delegate was keen to point out. “I think it is quite obvious that people are one of the easiest ways into any organisation. You can make things very technically secure, physically secure, but if someone opens the door for you it is easy to get in.”
Developments in technology over the past two decades have allowed organisations to utilise remote workers, such as employees working via laptops. Yet with the ease technology brings comes the problem of how to maintain the integrity of the system across multiple pieces of equipment and networks. The group discussed this issue in some depth.
Delegates were asked how utility companies could ensure their remote workers are maintaining the integrity of the supply system. Several championed the need for authenticating employees and having a system of security clearance for others.
One said: “For our critical sites we have to have security clearance for those who have the ability and understanding to create a problem.
“We will stipulate in contracts that there is a requirement for levels of clearance or vetting to be done.”
Another described how focus in the water sector is often on big asset sites as opposed to smaller and more vulnerable sites.
They said: “In our sector there has been a lot of focus over the years on protecting those big water treatment sites and that physical protection.
“Actually the weakest point in the distribution network is very often in the service reservoirs where the final chlorination goes into the water before it goes into the customer’s taps.
“Those are unmanned sites, or sites that someone might go to once a week depending on whether there is an outage or a problem.”
The discussion then moved on to whether utilities were complying with the Network and Information Systems Regulations (NIS), which govern the security of network and information systems, and whether there were any common areas where companies were failing to comply.
Introduced by the European Union, NIS is intended to establish a common level of security for the IT networks of those operating essential services.
One delegate described how their company complied with the NIS regulations, with a particular focus on protecting against future threats. They said: “Whenever we are starting to design these new systems, we have a big focus on the impact of cyber security.
“We make sure we design the system inherently cyber secure, that we understand the risks and the potential areas they can be compromised and, also, what the broader impact is.
“We need to start understanding the implications of every architectural decision we’ll make and every interface we use.”
One delegate said they have used the NIS framework as a “strategy” as well as a regulatory requirement.
For the final part of the roundtable, delegates were asked to consider the cyber security challenges faced by organisations transitioning to new business models, including interconnections with external third-party networks over which they have no control.
One delegate posed the question of how utility companies can ensure that other companies using Internet of Things-type technology are compliant and deal with security issues. The example of Amazon Alexa-enabled devices was cited, where customers have reported the voice-activated technology being used by opportunists to order online products simply by talking through an open window.
The group then considered how such devices pose a risk to security.
As one example, a delegate wondered whether someone would be able to hack into a heating system through a device such as Alexa.
Another was of the view that not all customers are technically savvy and may be unaware of the risks posed by leaving the technology unprotected. Further concerns were raised about the difference between physical protection and cyber protection.
One delegate said: “People will do things on site with technology because they can, it’s not a big deal. But they won’t go on site without their hard hat because that is heavily regulated and they will lose their job.”
Another agreed. They said: “When it comes to technology, because it is so varied, it is less prescriptive.
“There are some standards of protection but you are basically down to your own principles of how you verify and construct the controls around those assets as to how secure they are.”
Views from the table:
Steven Gough, DSO technical authority at SSEN
“I think it is quite obvious that people are one of the easiest ways into any organisation.
“You can make things very technically secure, physically secure, but if someone opens the door for you it is easy to get in.”
Nick Needham, cyber security and resilience manager, Severn Trent
“We have to reduce our costs, we have to do things faster but not at the sacrifice of security wherever we can. It is difficult balancing almost on a daily basis.”
Paul Smith, CISO, United Utilities
“As a sector we are open to people to come and give us advice on how we should be looking to protect our assets.
“The problem we have is everyone says ‘we have the box that does everything for you’.”