Managing cyber risks: A top priority for energy companies

As cyber risks rise to the top of the corporate agenda, Nicholas Newman says firms are taking a proactive approach to cyber security.


Like any other industry, the energy sector is grappling with a growing number of evolving cyber security threats. For many, Duncan Page, cyber security specialist at PwC, observes, ‘it’s a game of catch-up, as they seek to protect vital command, control and distribution systems from increasingly professional cyber criminals able to threaten the integrity of pipelines, power grids and energy storage facilities.’ The big fear is that a cyber attack could cripple a country’s nuclear plants, energy infrastructure or vital operations.

Recent major incidents

Cyber criminals may attack any part of an energy company’s value chain that is connected to the Internet. For example, an attack last summer caused a three-hour loss of power for 225,000 customers in western Ukraine. The attackers overwrote a utility’s firmware on critical devices and, although on-site technicians manually overrode the circuit breakers and restored power, two months later the utility’s control centres were still not operational. Commenting on the incident, Cliff Wilson, Associate Partner at IBM Security, UK & Ireland, says: ‘This was likely a training exercise to refine techniques and explore just what could be done.’ In Finland, water, heating and ventilation systems were temporarily frozen by a series of cyber attacks. Across the Atlantic, a ransomware infection forced a Michigan utility company to pay US$25,000 to regain access to its critical accounting and email servers.

Forms of attack

The three most common forms of attack are phishing emails, compromised USB sticks and viruses. In 2016, according to IBM, 60% of cyber attacks on energy companies and utilities were external. The remainder arose internally with the majority (76%) generated by disgruntled employees, while the remaining 24% were inadvertent mistakes made by workers accidentally opening malicious links or attachments of an email. At an organisational level, Wilson says, ‘the main threat comes from the increasing connectivity between the various aspects of a company’s operations, including the linking-up of industrial control systems to major back-end business systems, since this gives greater opportunities for hacking to take place.’

The arrival of the cloud, while providing big benefits in the way data is used, shared and processed, also introduces several potential cyber vulnerabilities, including illegal access to your data, introduction of viruses and data loss, according to the Cloud Security Alliance. Corporate clouds can be just as vulnerable to data breaches as traditional networks with the usual consequences including lawsuits, fines and damage to the company’s reputation.

Although reputable cloud services employ layers of security protocols, it is nevertheless up to firms to proactively protect data held in the cloud.

There have been reports of hackers gaining access to cloud data centres and wiping all the data clean. Therefore, it is recommended that companies distribute applications across several zones and back-up data using off-site storage when possible.

Compromised credentials, for example as a result of weak passwords, also increase the risk of attack. Using strong passwords, setting the right user roles and creating processes for identifying critical changes made by other users are essential protective measures. Granting third parties access to your cloud increases the likelihood of hackers making away with confidential information on customers and other parties. To protect themselves, companies need to build threat modelling applications and systems into the development lifecycle and undertake regular code reviews to highlight any gaps in security.

Industry difficulties in implementing cyber security measures

Many energy companies operate globally. Whether covering the whole world or just across neighbouring borders, the sheer scale and variety of operations of a multinational energy company makes cyber security protection challenging. As Page acknowledges, ‘Different operations, companies and sectors within the energy industry are implementing improvements in cyber security at different speeds.’ There is also, typically, an ongoing reluctance to cooperate between corporate IT departments and operational technology departments, due to long-term fears of poaching or redundancy caused by the introduction of Internet technologies into the operational technology environment, observes Wilson. While off-the-shelf cyber security protection is available for a company’s general operations, tailored solutions for specific operations cost money and take time.

Old as well as new technology is vulnerable to different degrees. The former, Page reflects, ‘is not secure by design and can be difficult to protect because of its obsolete characteristics.’ Newer technology, because it is based on ever-present Internet platforms, is much more connected and therefore more vulnerable. Meanwhile, the smart infrastructure coming in to support the low carbon future is even more connected and more complex, opening new potential avenues of attack, according to Page. However, digitalisation now being adopted by many in the energy sector should make it easier in the future to apply the latest cyber security standards across operations.

In the meantime, for the large national energy company as well as the multinational, ensuring company-wide compliance is a complex organisational and operational task, so much so, that ‘energy and utility companies are coming to IBM to help them to identify their complex cyber security compliance requirements,’ says Wilson.


Could cyber concerns stall uptake of smart energy technology and low carbon schemes?

With around a third of industrials and over a fifth of commercial organisations planning to spend more than £1m on smart energy technology, the need for utilities - and smart technology suppliers in general - to get their cyber security in order is vital.

Trust

  • 61%, the large majority of businesses, trust their energy supplier
  • 55% trust energy suppliers to install energy technology

Cyber

  • 57% said they would leave their supplier if they suffered a cyber security breach
  • 65% of respondents are seriously concerned about cyber risk

Smart Technology

  • 1/4 of respondents plan to spend over 150k on smart energy technologies within the next five years
  • 73% of those who have invested in smart technology have seen improvements in the running of their business

Security of Supply

  • 58% are taking measures over the next five years to improve their security of supply through on-site generation and storage
  • 42% of businesses are disengaged with off-grid

Source: PwC B2B Energy Survey, May 2017 (research included responses from more than 500 UK businesses)


In-house steps to tackle cyber threats

Increasingly, organisations are taking five steps to help protect themselves, beginning with a comprehensive security review to understand current weaknesses and identify measures needed to comply with requirements set out in national cyber security legislation.

Having dealt with the security software, a security awareness and education programme needs to be rolled out to all staff, from the top to the bottom, including temporary employees. This needs to be accompanied by implementing watertight protocols to regulate use of mobile devices and cloud services.

Having set out the policies and protocols to all staff, enforcement of compliance is the next step. This involves introducing effective advanced security technologies which, crucially, should be easy to use, since difficult-to-use systems will result in many staff ignoring them.

Lastly, regular training and evaluation sessions for all staff to maintain best practices, alongside regular testing of existing cyber security systems against new threats, are essential to maintain in-house security and protect against external threats.

EU and US regulations

In December 2015, the EU passed two significant data and IT protection directives. The General Data Protection Regulation shifts the balance of power away from organisations that collect, analyse and use data towards the citizen. More pertinent is the Network and Information Security Directive (NISD), which focuses on the protection of IT systems used by those companies designated as European operators of essential services, including energy, transport, banking and healthcare firms, by imposing new incident reporting obligations.

The security requirements of the NISD, effective from May 2018, include technical measures that manage the risks of cyber security breaches in a preventative manner. For example, both digital service providers and operators of essential services must provide sufficient information to enable an in-depth assessment of their information systems and security by the authorities. In addition, the company’s computer security team must be notified of all significant incidents. It will assess the threat according to criteria such as the numbers of affected users, its length and geographical spread.

In contrast to the prescriptive approach of the EU, North America’s cyber security regulations simply encompass key principles on information security without specifying any particular cyber security measures, beyond saying such measures must achieve a reasonable level of security.

Lessons learnt

The central lesson for energy companies, be it a self-contained nuclear power plant, a national utility company or a vertically integrated multinational oil company, is the need for a culture of security, constant vigilance and updating of protection. Companies will need to continuously educate and train staff to instil a ‘proactive cyber security culture and evolve to meet the ever-changing challenges cyber criminals bring,’ says Wilson.
