Tackling the cyber threat in Utilities

In today’s world, utilities companies are increasingly becoming targets of cyber threats. These threats are not only a danger to the utilities themselves, but also to the communities they serve, which rely heavily on the reliable delivery of essential services like electricity, water, and gas. With the increasing reliance on digital technologies, the threat landscape for utilities companies has expanded, and it is important for these companies to be aware of the risks they face and take measures to protect themselves.

One of the most significant cyber threats to utilities companies is the potential for cyber attacks on critical infrastructure. This could include attacks on the control systems and networks that manage the generation, distribution, and delivery of electricity, water, and gas. These attacks can come from a variety of sources, including nation-state actors, cybercriminals, and even disgruntled employees.

A successful attack on a utilities company could have severe consequences, including blackouts or service disruptions that can affect entire communities. It is also possible for attackers to steal sensitive data or manipulate the systems in ways that could lead to physical damage or safety hazards.

Another major cyber threat to utilities companies is ransomware attacks. These attacks involve hackers gaining access to a company’s systems and encrypting data, effectively holding it hostage until a ransom is paid. If a utilities company’s systems are compromised in this way, it could lead to significant disruption of service and even financial loss if the company decides to pay the ransom.

The utilities sector faces a wide range of cyber threats, including:

  • Ransomware attacks: These are attacks in which a hacker gains access to a system, encrypts critical data, and demands payment in exchange for the decryption key.
  • Phishing attacks: These are attempts to trick employees into revealing sensitive information, such as login credentials or financial data.
  • Malware attacks: These are attacks in which a hacker infects a system with malicious software, which can then be used to steal data or disrupt operations.
  • Insider threats: These are threats posed by employees, contractors, or vendors who have access to critical systems and data.
  • Advanced Persistent Threats (APTs): These are sophisticated attacks in which an attacker gains access to a system and remains undetected for an extended period, gathering intelligence and carrying out malicious activities.

The utilities sector is also becoming increasingly digitised, with automation, smart grids, and Internet of Things (IoT) devices being implemented to increase efficiency and reduce costs. However, this digitization also creates new cyber risks that can result in significant disruptions to critical infrastructure and public services through the following:

  • Increased attack surface: As more systems become connected to the internet, the attack surface increases, making it easier for attackers to find vulnerabilities and exploit them.
  • Lack of security by design: Many legacy systems were not designed with security in mind, and retrofitting them with security controls can be challenging.
  • Lack of awareness: Employees may not be aware of the cyber risks associated with new technologies or may not know how to use them securely.
  • Dependence on third-party vendors: Utilities often rely on third-party vendors for critical systems and services, which can create supply chain risks.

As we understand it, one of the primary challenges surrounding cyber security within the UK utilities sector is the lack of investment in security measures. According to a report by the UK government’s National Cyber Security Centre (NCSC), many utilities companies are not investing enough in security measures, leaving them vulnerable to attacks. This is because most utilities companies prioritise investing in their infrastructure, rather than their security.

Another challenge is the increasing sophistication of cyber-attacks. Cybercriminals are becoming more skilled at exploiting vulnerabilities in computer systems and networks, using advanced techniques such as social engineering and malware attacks to gain access to sensitive data. In recent years, there have been several high-profile cyber-attacks on UK utilities companies, highlighting the severity of the issue.

One such attack occurred in 2019 when hackers targeted the UK’s electricity grid. The attack, which was attributed to a state-sponsored group, was one of the most significant cyber-attacks on the UK’s infrastructure to date. While the attack did not cause any disruption to the grid’s operations, it highlighted the potential impact of a successful cyber-attack on the country’s critical infrastructure.

This isn’t just a UK issue, but a global one. In 2021, the Colonial Pipeline suffered a ransomware attack. This attack forced the US energy company to shut down its entire fuel distribution pipeline, which had a knock-on effect on fuel distribution across the east coast of the country. This attack resulted in the company paying hackers nearly $5 million.

It’s not breaking news that cyber attacks have been on the rise. In fact, there’s been a surge of cyber-attacks on the utilities industry since 2017.

In response to this, the UK government has introduced several initiatives to improve cyber security within the utilities sector. For example, the NCSC has launched a program to improve the sector’s resilience to cyber-attacks by providing guidance and support to companies. Additionally, in 2018 the government introduced legislation (NIS) to ensure that companies in the utilities sector take cyber security seriously and take appropriate measures to protect their systems and data.

With recent international tensions and the disruption that an attack could cause, the utilities sector has faced an increasing number of cyber-attacks. In fact, 2022 set an all-time high for the number of cyber attacks that took place in a single year.

With this in mind, in an attempt to help organisations cope with the increased attention from cyber criminals, Ofgem released updated guidance for Operators of Essential Services to reinforce the cyber security measures required to adhere to NIS and mitigate cyber risk.

The Network and Information Systems (NIS) Regulations require operators of essential services, including the utilities sector, to have robust cyber security measures in place. The regulations set out specific requirements for risk management, incident reporting, and incident response. A recent update to this is the NIS2 Directive, which was published in the Official Journal of the European Union as Directive (EU) 2022/2555. It is a response to Europe’s increased exposure to cyber threats and to the fact that the more interconnected we are, the more vulnerable we are to malicious cyber activity. With it, the regulators set consistent rules for companies, ensure that law enforcement and judicial authorities can work effectively, raise EU citizens’ awareness of cybersecurity, and have expanded the original scope to include all digital managed service providers. Whilst there is a period of time until this directive becomes effective, the potential costs of non-compliance can be considerable.

Regulators such as Ofgem and Ofwat are responsible for ensuring that the UK utilities sector is adequately protected against cyber-attacks. Ofgem has set out expectations for energy companies to have robust cyber security measures in place, including regular risk assessments, incident response plans, and staff training.

Ofwat has also set out expectations for water companies to have robust cyber security measures in place. This also includes regular risk assessments, penetration testing, and staff training. Additionally, Ofwat has introduced a new regulatory framework, which requires water companies to demonstrate their resilience to cyber-attacks and other threats.

To align with these expectations and regulations, organisations should take a proactive approach to cybersecurity and implement the following strategies to protect themselves from cyber threats:

  • Conduct regular risk assessments: Utilities should regularly assess their systems and networks to identify vulnerabilities and prioritise mitigation efforts.
  • Implement security by design: New systems should be designed with security in mind, and legacy systems should be retrofitted with security controls where possible.
  • Provide regular security awareness training: Employees should be educated on the latest cyber threats and how to identify and respond to them.
  • Use multi-factor authentication: Multi-factor authentication can help prevent unauthorized access to critical systems and data.
  • Implement access controls: Access controls should be implemented to limit access to critical systems and data to only those who need it.
  • Regularly back up critical data: Regular backups of critical data can help organizations quickly recover from a ransomware attack or other data loss event.
  • Conduct regular penetration testing: Regular penetration testing can help identify vulnerabilities and ensure that security controls are working effectively.
  • Work with third-party cybersecurity experts: Cybersecurity-focussed organisations have access to more intelligence and generally have more experienced professionals whose sole responsibility is cybersecurity. They are therefore better placed to protect utilities and their customers from the growing threat of cyber attacks.

In summary, the UK utilities sector faces significant challenges when it comes to cyber security. The complex infrastructure, IoT, digitisation, and lack of cyber security training and awareness make the sector vulnerable to cyber-attacks. Regulators such as Ofgem and Ofwat, along with the NIS regulations, are working to ensure that the sector is adequately protected against cyber-attacks. The business case for outsourced cybersecurity in the utilities sector is compelling. Effective cybersecurity measures are necessary to protect critical infrastructure, meet compliance requirements, maintain customer trust, realise cost savings, and gain a competitive advantage. By implementing effective security controls and regularly assessing systems and networks, utilities can reduce the risk of cyber-attacks and protect critical infrastructure and public services.

As a Managed Cyber Security Service Provider, norm. helps organisations reduce their cyber risk with a multi-award-winning managed service, smartbloc.™

smartbloc. gives companies comprehensive protection against known and unknown cyber threats. It also delivers unrivalled visibility into the strength of current cyber security defences. By delivering an overall Cyber Resilience Score and no-drama insight into how well protected an organisation is, management teams can accurately assess their level of risk and act accordingly.

With norm.’s analysts by your side every step of the way, nothing is left to guesswork. You can go about your day-to-day while we take care of your cyber risk. It’s as simple as that.



National Cyber Security Centre. (2019). The Cyber Threat to UK Energy Infrastructure.
The Guardian. (2017). WannaCry ransomware attack ‘hit one in five NHS England trusts’.
(2018). New government guidance to help protect UK energy infrastructure from cyber attack.


