
UK leads critical infrastructure cyber security, but change still needed

There is a need for cultural change at energy companies to ensure everyone understands the importance of cyber security, says National Grid security manager

The UK is leading cyber security in the international critical national infrastructure community, according to David Willacy, manager of digital risk and security at energy operator National Grid.

But there is still a desperate need for real cultural change in the energy sector in the UK and elsewhere, he told Westminster Briefing’s Cyber Security Summit in London.

“The energy sector needs to realise they are no longer just engineering companies, but that they are IT engineering companies because power networks are now completely reliant on IT to operate and that security is only as good as the weakest link,” said Willacy.

He said the rate of technological change the world has seen in things such as mobile technology is happening in parallel in operational technology in the energy sector and most of the critical pieces of infrastructure.

“At the same time, systems used to run and manage the power grid are becoming increasingly complex and automated with the greater use of renewable energy resources in addition to a small number of large generators that were much easier to manage on their own in the past,” said Willacy.

“A rapidly changing risk landscape, combined with a rapidly increasing threat has made the security of supervisory control and data acquisition (Scada) and industrial control systems (ICS) a key issue,” he said.

In response to this change, the National Grid has teams for business continuity, cyber security and physical security that all report to the CIO. The company has also increased the number of people dedicated to cyber security from 1 to 50 in the past 10 years.

The UK chairs the energy sector cyber group for Europe, and while the situation is far from ideal, Willacy said other countries are in a far worse state and many have just started looking at the issue.

“Computers can be manipulated in a way that can damage physical plant and hardware, and the continued deployment of Scada and other types of intelligent devices into energy networks expands the attack surface, increasing the risk all the time. It is therefore vital to all nations that their energy infrastructure is secure, resilient to threats and has the ability to recover from any incidents,” he said.


Most critical systems in any modern country are reliant upon energy because without power, none of the other key sectors can operate, said Willacy. “But only now is this being widely accepted and the energy sector is starting to put in controls to mitigate the key risks,” he added.

To illustrate the cyber security threat, Willacy cited a recent experiment that set up an internet-facing honeypot in the form of fake IT systems that were made to look like they belonged to a water company.

The first attacks started coming in within a few hours, he said, and within 28 days there were 39 attacks that appeared to come from 14 different countries. Out of the 39 attacks, 12 were unique and could be classified as targeted while 13 were repeated by several of the same actors. However, Willacy said that while most attacks in the past were aimed at stealing data, many of the attacks in the experiment appeared to be attempting to see if the targeted systems could be taken down.

With the increasing reliance on cyber assets to operate critical infrastructure systems, and the convergence of physical and cyber security concerns, Willacy said the energy sector needs to assess and then mitigate the risks to ensure an appropriate balance between risk and cost.

“In the UK, the energy sector is working closely with a number of government departments to do this because if you've got no power, you haven’t got anything,” said Willacy.

The challenge, he said, is that power systems are reliant on IT, those IT systems are becoming increasingly complicated, the attack surface is continuing to grow, the threat of cyber attacks on power networks – especially from nation states – is increasing, a lot of the assets in power networks cannot be changed without “trillions of pounds” of expense, and the large number of subtly different IT systems require a bespoke approach for each.

“And one of the biggest challenges is there are very few people in the sector that understand cyber security as well as they understand power networks,” said Willacy.

Key risks

He identified five key risks. First, there is a risk that due to the lack of security awareness when purchasing and upgrading information and operational technology, vulnerabilities and malware will be introduced. Willacy cited as an example an attack on UK systems that was traced to malware that had been introduced through contaminated CCTV digital recorders plugged into the network in the US.  

Second, there is a risk posed by the fact that information about the security vulnerabilities of proprietary communication protocols such as Modbus is widely available on the internet.

Third, there is a risk posed by new IT assets being introduced to critical infrastructures because while most of the existing systems date from the 1950s and 1960s, Willacy said the assets being introduced now do not have a 30-year lifespan, which has to be factored into depreciation and investment planning.

“There is also no patching for the older systems, there is no anti-malware protection, there is no defined and managed secure perimeter, and little co-ordination between corporate managed IT systems and operational systems that are run by engineers,” he said.

Fourth is the proliferation of malware. “There are thousands of variants of viruses made daily, and one day a virus inadvertently introduced into a system could have the right DNA to damage key assets until they are protected,” said Willacy.

Finally, the amount of connectivity that is being introduced into critical systems is a huge risk, he said. “We are currently opening more doors than we are closing, which is why we need more knowledge and understanding at the operational level everywhere,” said Willacy.
