How to stop cyber threats disrupting energy supplies
This article by Tony Burton, Managing Director – Cyber & Trust at Thales, was originally featured in The Engineer
Speculation around potential disruption to UK energy supplies continues – amid geopolitical issues, growth ambitions for the nation and the unpredictable nature of our weather.
There is no doubt that, in amongst the scaremongering and reassurances issued in equal measure, there are significant challenges for energy providers and consumers over the coming years. My principal concern is whether we are looking in all the right places for the genuine threats and risks to our energy supply and demand management.
Putting the spotlight back on cyber
While National Grid is reassuring the public that power outages are unlikely, there have been enough warning signs to make people believe that there is the potential for notable disruption, now and in the future. For example, there have been alerts around energy capacity in certain areas, and the media has also reported on proposals to pay citizens to reduce their energy consumption. Clearly, planning is underway for a wide range of scenarios, and this is entirely appropriate.
With ongoing concerns around the carefully balanced supply and demand equation, the last thing energy providers and network operators want is to be taken down by a successful cyberattack. It is widely accepted that it is more a case of when companies are attacked, rather than if. Consumers may therefore be less forgiving of power outages should it be confirmed that reasonable steps had not been taken to ensure the resilience of supply and distribution in the current environment.
Aside from the consumer response, many energy firms have already gone out of business due to the tough market conditions, so the financial and reputational impact of a successful cyberattack could be the final straw for even more. So, how can owners and operators across the sector make sure cyber incidents don’t add to the already high level of stresses and strains in the sector?
Taking a proactive approach
The first thing organisations need to do is adopt a proactive approach across people, process and technology domains that seeks to understand the threat and risk to their operation. This understanding needs to span the enterprise Information Technology (IT) estate as well as the Operational Technology (OT) estate that controls the process outcomes.
Some basic questions need to be answered such as who would want to target their organisation, to what ends, by which methods and what has already been done to mitigate these risks. Once this threat landscape and risk position is understood, the investment case will need to be made to agree the implementation of a cyber security strategy and roadmap that brings the risk back to a tolerable level.
Attacks on critical national infrastructure (CNI) are most often carried out by people with clear intentions – so they will be persistent. Threat actors will have access to an array of tools, techniques and procedures that will continually evolve and so companies need to be similarly minded to ensure continuous assurance of their security status and risk position.
Addressing the weakest link
Most successful malware and ransomware attacks gain an initial foothold in CNI organisations due to something happening in the ‘people’ domain. This may be through targeted phishing campaigns, malpractice, or simply because individuals are not sufficiently trained in a company’s IT or OT security strategy. This situation has worsened due to large-scale shifts to ‘hybrid’ working arrangements and the increased need to ‘dial in’ to operational technology for remote support, monitoring or update reasons.
According to Thales’s Data Threat Report, the majority (79%) of IT leaders at energy/utility companies were concerned about the security risks from employees working remotely – yet only half (51%) reported using multi-factor authentication (MFA) as a security technology. This is despite the fact that MFA is widely regarded as one of the best ways to counter inadvertent user error.
This is but one example of an additional control, and should form part of a comprehensive people, process and technology focussed cyber security strategy to reduce the risk profile.
The rise of the ransomware attack
Our survey also uncovered that nearly one in five (17%) IT leaders in energy companies reported ransomware attacks involving the immediate ‘kidnapping’ of data and/or critical systems.
Criminals have realised that successful attacks against high-profile critical infrastructure organisations have a higher probability of a payoff. For example, the 2021 Colonial Pipeline attack – which stopped the pumping of oil in Northeastern U.S. for five days, resulting in fuel shortages, panic buying and major economic impacts – cost $4.4 million in ransom. However, organisations in the energy sector are the least likely to have a formal ransomware plan (44%).
Ransomware and the monetisation of attacks are here to stay for the foreseeable future and CNI operators should be vigilant against this specific type of attack. If there was one piece of advice it would be for owners and operators to plan, rehearse and test the response and recovery from these attacks. The clear evidence is that this type of attack will increase in frequency and complexity and so the focus on response and recovery (as well as prevention and detection) will be an essential test of an organisation’s resilience.
Safeguarding operational technology
Ongoing work to digitally transform the energy sector will make it more agile, efficient and effective. However, the interconnection and interdependence that this digital transformation relies on is also a potential Achilles heel if it is not implemented with security in mind.
It is often the case that when you get into the operational technology domain there are combinations of legacy and new equipment that have been brought together over many years through an evolutionary process. The configuration management, and understanding of exactly what and how these systems work, is not always documented or consistent. So, the first challenge is to understand exactly what you have, how it is configured and how it may be compromised by the propagation of malware through the system.
Once the discovery phase is complete, it is then a case of understanding how to prioritise and implement any changes necessary to achieve the tolerable level of risk across the people, process and technology domains. Avoiding a ‘snapshot in time’ approach is essential, as the threat and consequent risk will continue to evolve along with the operational technology itself. This is why companies must adopt an enduring level of vigilance: continue to monitor the operational technology for anomalies, understand the evolving threat landscape and develop their response and recovery ‘playbooks’ to maintain their resilience posture.
It is clear that energy sector owners and operators are balancing multiple demands as they continue their digital transformation journey, at the same time as managing winter demand, trying to predict the economic climate, and considering the continually evolving cyber threat.
Ultimately, a proactive approach to managing cyber risk will help companies to be more resilient in an already turbulent and challenging time. With the correct approach, funding, and support from senior leadership, increased organisational resilience through deterrence, detection, response and recovery is well within reach.