The electricity grid is rightly seen as one of the UK’s great achievements of the 20th century. In the space of less than 100 years it has become critical to our economy, well-being and comfort. However, in the 21st century the utilities are increasingly vulnerable to threats they were never designed to cope with – such as cyber attack.
While initial attempts were made on critical infrastructure during the 1980s, the first decade of this century has seen the potential for attacks, and their consequences, explode.
This proliferation of security threats is largely due to the way in which communication takes place in the electronic age. Previously, the limits of technology meant that lines of communication were limited to dedicated links between discrete parts of the infrastructure, such as power stations, so any attempt to attack this would require physically interrupting the link. As more and more communication moves to the internet for reasons of efficiency and ease of use, there are far more options available for attackers to infiltrate IT systems.
The result is that attackers could now strike almost anywhere along suppliers’ communications infrastructure. If this was limited to links between utility companies and their workers this would be bad enough. However, one major result of the current information revolution has been increased connection with the end consumer. For example, via smart meters.
This has immediately increased the potential risk to utility providers, because every smart meter is a potential means to attack the network.
Suppliers are aware of this. In a US survey in 2012, 43 per cent of respondents believed that the most vulnerable segment of the grid was the end user. If this security vulnerability is not addressed, it will render the rest of utility companies’ security a Maginot Line, a supposedly impenetrable defence that turns out to be illusory when it is needed.
When looking to defend these new avenues of attack, utilities must accept that the genie is now out of the bottle: there is little to no chance of returning to dedicated lines of communication, especially as direct contact with customers becomes more and more desirable. Instead, utility companies need to ensure their customers’ security matches their own.
The first step in this is education. Since increased communications have marked customers as potential targets for an attacker, companies have a responsibility to ensure the public knows the dangers involved.
This includes teaching simple best practice for online safety. For example, not replying to emails or visiting sites purportedly from the utility company that do not have https addresses, and ensuring that home wireless networks are correctly protected to prevent attackers piggybacking these to gain access to connected devices.
Companies will need to be careful how they present this information, to avoid giving the impression that communication between utilities and their customers is inherently non-secure. Instead, best practice should be presented as part of working online in general, rather than with the utility company in particular. To prevent the impression they are simply being broadcasted to, customers should also be encouraged to share potential security threats with companies.
As with in-house IT security, the safest way to ensure customers are protected and ensure their buy-in is to reduce the opportunities to breach security as much as possible.
For instance, corporate emails should be sent from addresses that specifically prevent replying, to ensure customers notice if a fake email suddenly allows this. Entering personal information, such as addresses or account numbers, should be minimised so that keystroke logging software cannot pick up information. And visits by engineers and other personnel should be organised in a way that minimises the risk of impostors getting access to a customer’s smart meter or other devices.
Essentially, security should be locked down before any contact is made with consumers in the first place.
Even with the best will in the world, there is always the potential for human error when dealing with IT security, especially when the public must be given direct access, however small, to your systems.
As a result, even when consumers have been protected as well as they can be, and have fully bought into the need for security and safety, there will still be a chance that security will be breached – especially with customer numbers in the millions.
In this instance, the most important thing is for companies to be sure they can trust their network and quickly identify any intrusion. With every customer’s home a potential access point, covering every single point on the network permanently is unrealistic.
One way to compensate for this is with “trust anchors”: parts of the system that the company can be 100 per cent certain are not compromised. These devices or services can then analyse the traffic they receive, raising the alarm if it does not fit the expected profile or content. Companies do not have to rely on impossible standards from their customers, but can instead detect and react to potential threats as they appear.
Chris McIntosh, chief executive, ViaSat UK