The pandemic has changed ways of working and we’ve seen a rise in cyber attacks. But even pre-COVID, it was time to review cyber security in the Energy sector.

With the ‘roadmap out of lockdown’ well underway, it is hoped that society in the UK may return to some sense of normality from the summer. Of course, if there is one thing we have learnt about COVID-19, it’s that nothing is certain! Here’s what is certain …

NOW is the time to look at your cyber security in the Energy sector

There are many reasons why we say this. Here are some areas where action is needed …

1. Will your business model include remote working?

Due to the nature of the industry, energy companies must retain at least some highly-skilled operators and maintenance workers on site. However, the COVID-19 pandemic has given the sector a glimpse of the potential advantages of remote working in some form, such as reducing costs, attracting talent and improving operating models.

Energy companies like BP have joined other high-profile companies in announcing that they intend to have many UK staff working from home on a permanent basis. ITV News reported recently that the Chartered Institute of Personnel and Development (CIPD) had found that two-thirds of employers plan to increase hybrid working (remote and office-based).

But it’s not as simple as that. The COVID-19 pandemic required a hasty transition to remote working, but if staff are to adopt it on a permanent basis, either totally or as a hybrid model, it needs careful planning.

Every business has different needs and ways of working – and questions must be answered about the impact on staff, customers, culture, infrastructure, processes, tech … and cyber security in the Energy sector.

With remote working, home networks do not usually have the standard of security required by regulators or, regulation aside, even the standards provided in many offices and other premises. If this model is going to be adopted permanently, this needs to change.

2. Better critical infrastructure security controls, secure operational technology and robust staff cyber security training are crucial

We all know that the energy sector is a major target for cyber attacks because not only does it handle large amounts of sensitive and valuable data, but it also has access to national critical infrastructure.

Making systems cyber secure with diminishing budgets is an industry-wide problem – and not just in this country. A recent hijack of a remote access system of a wastewater treatment plant in California is one example.

In this case, a cyber attacker tried to poison the Oldsmar, Florida water supply by hacking into plant controls and then attempting to increase the amount of lye in the water to dangerous levels.

In their Cyber Readiness Report, insurer Hiscox has shown that UK energy suppliers are greatly at risk from cyber attacks, with many experiencing one or more cyber-related incidents in the past two years.

In May 2020, Elexon, the administrators of the Balancing and Settlement Code on behalf of the UK electricity industry, was hit by a cyber attack, which was investigated by the National Grid. Cyber security experts suggest it was probably a ransomware attack because employees lost all access to their email servers.

IT strategy and plan

These types of incidents are highly damaging, not just to the business(es) concerned but to the industry and potentially the whole country, so operators should be looking at how to tighten up their IT and cyber security policies. A risk assessment should be carried out as part of an IT strategy audit and a step-by-step plan implemented.

We have found several issues to address in work we have carried out for various companies within the Energy sector. Here is an example:

The hardware and operating systems running Supervisory Control and Data Acquisition (SCADA) systems can be old and out of mainstream support. This makes it even more important to maintain higher levels of security in other areas to protect these vulnerable systems.

5 essentials for security

1) No segregation between the SCADA system and the company’s main network.
SCADA systems are the control systems that energy firms use to monitor and manage their operational plant and machinery – in other words, their critical operational systems.

So SCADA systems should be kept air-gapped from office networks at all times. Even when a connection has to be made temporarily to allow access, it should be through a firewall that is configured to restrict traffic to the absolute minimum required and protected with multiple layers of authentication – preferably biometric.

2) Internet connectivity.
It’s unusual for a SCADA system to require internet connectivity on an ongoing basis. It should only be enabled when needed, and again firewalled. Where SCADA systems require connections outside of the local operational networks, these should be on dedicated private circuits, preferably with inbound traffic disabled.

3) Permanent remote connections for support company.
Often a support company requires remote access to assist with resolving issues. This should only be connected / enabled when required. Multifactor authentication (MFA) should be enabled on all connections and multiple layers of authentication are required.

4) Shared passwords / re-using passwords.
Passwords should not be shared between operators and there should be unique passwords for administration access to each SCADA computer. A good offline password management system can make this easier to handle.

5) Post-it notes.
Shouldn’t have to say this one really, but credentials should not be written on post-it notes and stuck to screens. Or even worse, on spreadsheets held on office IT networks. We have seen this!
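
As an added example (not part of the original article), here is a small Python audit that checks a firewall rule export against items 1 to 3 above: broad office-to-SCADA rules, internet connectivity, and permanent vendor access. The zone ranges, rule format and field names are constructed for illustration, and it assumes the firewall itself enforces each rule's `expires` time.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed zones and rules (assumed export format, not from any real firewall).
ZONES = {"scada": "10.50.0.0/24", "office": "10.10.0.0/16", "vendor": "198.51.100.0/28"}
RULES = [
    {"id": 1, "src": "10.10.0.0/16", "dst": "10.50.0.0/24", "port": "any", "expires": None},
    {"id": 2, "src": "10.10.4.20/32", "dst": "10.50.0.5/32", "port": "443", "expires": None},
    {"id": 3, "src": "10.50.0.0/24", "dst": "0.0.0.0/0", "port": "any", "expires": None},
    {"id": 4, "src": "198.51.100.0/28", "dst": "10.50.0.5/32", "port": "3389", "expires": None},
    {"id": 5, "src": "198.51.100.2/32", "dst": "10.50.0.5/32", "port": "3389",
     "expires": "2030-01-01T00:00:00+00:00"},
    {"id": 6, "src": "203.0.113.9/32", "dst": "10.50.0.5/32", "port": "22", "expires": None},
]

def zone_of(cidr):
    """Name the zone that fully contains cidr; anything else counts as internet."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(ipaddress.ip_network(zone)):
            return name
    return "internet"

def is_live(rule, now):
    """A rule with no expiry is permanent; a dated rule is live until that time."""
    return rule["expires"] is None or datetime.fromisoformat(rule["expires"]) > now

def audit(rules, now=None):
    """Return (rule id, finding) pairs for live rules that touch the SCADA zone."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for r in rules:
        src, dst = zone_of(r["src"]), zone_of(r["dst"])
        if "scada" not in (src, dst) or not is_live(r, now):
            continue
        other = dst if src == "scada" else src
        single_hosts = all(ipaddress.ip_network(r[k]).num_addresses == 1 for k in ("src", "dst"))
        if other == "office" and (r["port"] == "any" or not single_hosts):
            findings.append((r["id"], "office-SCADA rule broader than host-to-host on one port"))
        elif other == "internet" and dst == "scada":
            findings.append((r["id"], "inbound internet traffic to SCADA"))
        elif other == "internet" and r["expires"] is None:
            findings.append((r["id"], "permanent SCADA internet connectivity"))
        elif other == "vendor" and r["expires"] is None:
            findings.append((r["id"], "permanent vendor remote access"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in audit(RULES):
        print(f"rule {rule_id}: {finding}")
```

Rules 2 and 5 pass because they are host-to-host on a single port and, for the vendor rule, time-limited; the MFA requirement in item 3 is not visible in firewall rules and has to be checked on the remote-access gateway itself.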

Finally, security should be built into your SCADA systems at the design stage – and reviewed on a regular basis – at least every six months. We recommend using external assistance to review your security arrangement.

So, there are a few things to think about.

Have a discussion with us about how to improve your tech and mitigate cyber security risks in your business by contacting us below.