Energy firms should have implemented these 4 cyber security measures – if you haven’t your business is at greater risk of a cyber attack.
Companies producing, storing and transmitting energy are critical elements of the UK’s national infrastructure. Unfortunately this means they have become significant targets for cyber attacks by both cyber criminal organisations and unfriendly states.
These risks have risen exponentially over the last year following the Russian invasion of Ukraine, with expected retaliatory measures from Russian-related cyber gangs on western nations. Whilst these have not occurred to the degree expected so far, the risk still remains significant.
The UK Government has published guidance for organisations responsible for vitally important services and activities, which includes energy firms, on how to safeguard the security of their IT systems. This is known as the Cyber Assessment Framework (CAF). In fact, some organisations (depending on factors such as transmission or supply volumes) must follow CAF by law.
Cyber security measures under the government’s Cyber Assessment Framework (CAF)
So what is the CAF? It is broken down into four objectives:
The Cyber Assessment Framework states that you should have the appropriate policies and procedures in place to manage the security of your information systems. This includes:
- Cyber security is discussed regularly at board and senior management level, your board has expert guidance and a board member is accountable.
- You carry out security risk assessments and take action to mitigate the risks.
- You test and evaluate the security measures and systems you have in place.
- You have documented and understand your data, physical, cloud and software assets.
- You have audited the security of your supply chain.
You should have appropriate measures in place to protect your network and IT systems from an attack. Specifically:
- You have written and implemented a cyber security policy and review it regularly.
- Your policy is well communicated across the organisation and all staff understand their responsibilities.
- You have software to ensure secure access to all systems including: multifactor authentication; users have minimum access rights; and access logs are monitored.
- You have software in place to allow access to your systems from trusted devices only (including mobiles), with regular scans to detect unknown devices.
- You ensure your data is encrypted or otherwise secured when stored or being transmitted.
- Your systems are securely designed and managed with clear documentation that is securely stored.
- You regularly scan for and act on vulnerabilities in your systems.
- You have backups, disaster recovery procedures and a disaster recovery plan that you test.
- Your staff are regularly trained and tested in cyber security awareness.
You should monitor your IT systems for potential security issues and to track effectiveness of your security measures, including:
- 24/7/365 monitoring to detect for the presence of suspicious activity or security events.
- Ensuring log files are retained and protected for an appropriate period of time.
- Monitoring – which is required by qualified security staff and you must receive alerts that are acted upon when there is a security incident.
- You regularly review systems for abnormalities that indicate malicious activity.
4. Response and recovery
You must be prepared in the event that a cyber security incident does occur, including being ready to respond and having a plan to recover your systems.
- You should have a Cyber Security Incident Response plan, communicated across the business, to cover most likely potential scenarios.
- You have assigned incident response roles to appropriate people in your organisation and ensured they are familiar with their responsibilities.
- You should have a process to identify root causes and take steps to reduce future risk following an incident.
The full guidance on these cyber security measures can be found on the National Cyber Security Centre’s CAF webpage.
Fortunately there are some UK-backed Cyber Security certifications, which are fairly straightforward for small and medium businesses to complete, which will set you well on your way to meeting the Cyber Assessment Framework – Cyber Essentials and IASME Cyber Assurance.
If you believe the Cyber Assessment Framework applies to your organisation and you’re struggling to work out where to get started, book a free discovery session with us today and we’ll help you create a plan to make your energy firm more secure.