Connected appliances and devices are transforming the nation’s homes. The question, then, is what this means for utilities and how cyber security can be ensured in the age of the internet of things.

From smart lightbulbs that light up before you arrive home to smart thermostats that learn to heat your house based on your daily routine, today’s home devices can be programmed to work exactly when and how we like.

Thanks to artificial intelligence, tomorrow’s connected washing machines could operate themselves to ensure maximum cost and energy efficiency; automatically starting a cycle at the exact moment energy is cheapest and switching to the energy supplier with the best value tariff.

But this speed of innovation comes with a serious security challenge: with so many devices connected to their networks, how can utility providers remain secure? High-profile data breaches and cyberwarfare are on the rise – the infamous Ukrainian BlackEnergy power grid attack springs to mind – so no provider of connected infrastructure can afford to underestimate the ingenuity of those looking to exploit network weaknesses.

As Japan prepares to assess the security of 200 million network-connected devices before the Tokyo 2020 Olympics, it falls to the UK’s utilities industry to pre-empt official regulation and take steps to defend its own systems from cyberattack.

Partnerships that boost network security

Ensuring total network protection is no mean feat and, for most utility providers, a mix of legacy systems and new technology presents an added layer of intricacy. There’s a balance to strike between investing in new network infrastructure and managing the security risk of older systems before they can be phased out.

But it’s not just kit that has to evolve; achieving cultural buy-in on a cybersecurity strategy can be just as tricky. Establishing the fact that security is both an organisation-wide responsibility and an efficiency driver is a good start, but utility companies should also make sure they’re operationally prepared by running network breach simulation exercises.

And still there’s more: as operational technology (OT) and information technology (IT) converge, utility companies must now be experts in both engineering and IT. Network security relies on seamless communication between system hardware and software, and as smart networks incorporate a growing number of technologies, it’s up to the utilities industry to lead the way in innovative, yet secure, network integration.

This is where a trusted, experienced network support partner can make all the difference. Arqiva’s commitment to security extends to everything we do, including our closed internet-independent communications network built to support smart infrastructure. Our network is designed with robust security features baked in, and uses highly secure licensed radio spectrum, rather than the internet, to connect smart devices, avoiding the vulnerability of online communication altogether.

A security-focused supply chain

A network is only as secure as its weakest link. Even with a fortified infrastructure partner, utility companies cannot guarantee the operational security of their suppliers and affiliates. Cybercriminals are adept at sniffing out any potential chink in the armour, even when it’s through a third party.

So, it’s down to providers to carry out their own supply chain security investigations, checking contractual requirements, auditing suppliers where possible and keeping security investment costs in mind when procuring. For many, the best option is to become members of the Information Security Forum, which means your suppliers are subject to its supply chain assurance framework. Where an organisation may not meet this set of standards, you can work with them to improve cybersecurity measures before moving forward together.

This collaborative approach benefits the utilities sector as a whole. After all, network security is a risk and a responsibility we all share. The Network Information Services (NIS) Directive was introduced in 2018 but somewhat overshadowed by GDPR. It reinforces this point – “organisations within vital sectors which rely heavily on information networks, such as utilities, are required to take appropriate and proportionate security measures to manage risks to their network and information systems.” Failure to comply can lead to severe fines.

Keeping utility consumers in the picture

Defending the supply chain becomes even more vital considering it’s all-but-impossible to manage how customers choose to use energy in their homes. Unless a device is no longer working, it’s unlikely consumers will prioritise upgrades or replacements. That’s a vast number of smart devices and appliances potentially vulnerable to attack.

Placing the onus on manufacturers is problematic too – although utilities would do well to work with them to devise a baseline security standard for smart devices.

That’s not to say there’s nothing utility providers can do to help customers safeguard their devices; in fact, open communication can go a long way towards changing consumer consciousness. The banking industry is a great example – by highlighting how to recognise bogus emails and reinforcing the importance of password protection, banks have successfully educated their customers on the risks of online fraud.

Providing guidance in areas like these also helps organisations strengthen trust messages with consumers, which will be crucial as internet of things devices become more commonplace. If, for example, utility companies could save energy by limiting power to a smart fridge in the early hours in return for reimbursing the owner’s bill, they will need to be completely transparent in how they go about it.

Prioritising network security

As technology advances and networks expand, it will take a sector-wide focus on cybersecurity to create a secure operational state in the utilities industry. Collaboration will build stronger and more secure networks than isolated systems ever could, so it’s vital that providers keep this aim high on the agenda, as individuals and as a collective.
