Cybersecurity in the energy sector
30 November 2017
This article, from Jamie Walker - Safety, Commercial & Projects Director at the UK Petroleum Industry Association (UKPIA) - looks at cybersecurity risk and the efforts being made within the UK downstream industry and wider energy sector to counter the increased risk stemming from the expansion of the cyber ‘attack surface’.
The development and deployment of “smart” technology in the energy sector, along with the expansion of intelligent network devices throughout the energy distribution system, has created a number of specific challenges. For one, this has resulted in an expansion of the cyber ‘attack surface’. As energy systems are widely connected, cyber security threats carry potential wider repercussions for the whole critical infrastructure network and for society as a whole. The unsurprising result is that of new security risks in the cyber arena.
A recent example of the impact and range of cyber attacks is the 2015 hack on Ukraine’s power grid which temporarily disrupted supply to end consumers. Kyivoblenergo, a regional electricity distributor in Ukraine was one of three ‘oblenergos’ (energy companies) affected. The cyber attack took place mid-afternoon on December 23rd with hackers taking remote control of the company’s Supervisory Control and Data Acquisition (SCADA) distribution management system. Subsequently, seven of the company’s 110-kv substations were disconnected along with twenty-three 35-kv substations for a period of three hours, cutting off power to around 80,000 consumers. Within minutes, similar attacks on the other two ‘oblenergos’ cut off the power to a further 145,000 users.
Not only was the SCADA being controlled remotely, leading to response delays, but the uninterruptible power supply (UPS) was also taken down, thus further hampering power restoration. A Distributed Denial of Service (DDoS) attack was also launched via a Trojan which had been initiated many months earlier. This led to call centre and communications staff being inundated with spurious communications, which served to exacerbate the delay in restoring supply.
In their Cyber Crime Assessment 20161, the UK National Crime Agency highlights the threat of cyber crime and outlines how criminal cyber capabilities have accelerated and outpaced the UK’s collective response capability. The report also calls for an effective response to include collaborative action from government, law enforcement, industry regulators and businesses.
Recent surveys show a high number of cyber attacks and security breaches taking place, as well as a sharp increase in the costs associated with these attacks. The 2014 Information Security Breaches Survey by PWC for the Department for Business2 reports that 81% of large organisations, during that year, experienced a security breach of some form, with two thirds of them reporting a serious incident. GCHQ continue to receive reports from industry of cyber attacks on a daily basis.
It is therefore of critical importance for government, through its various agencies, the Health and Safety Executive (HSE) and industry to work closely together to try to mitigate these vulnerabilities and risks as effectively as possible.
The Department for Business, Energy and Industrial Strategy (BEIS), the newly formed National Cyber Security Centre (NCSC) and the Centre for the Protection of National Infrastructure (CPNI) along with the HSE are promoting vigilance and the adoption of robust policies and “good practice” within organisations.
For instance, COMAH organisations have been alerted that Cyber Security will form part of future HSE Control & Instrumentation interventions. CPNI, together with NCSC, will perform Cyber Penetration Tests within organisations which are critical to National Infrastructure. The penetration tests have been developed to provide an assessment of current levels of data security and the risks a cyber attack may pose to an organisation. Several penetration tests have already been performed at some organisations.
BEIS and the NCSC are also working alongside industry to create GAP Analysis tools. This GAP Analysis will be used to advise organisations of any credible risks from both internal and external sources. Once highlighted, these GAPs will be addressed by means of workshops (where a risk to more than one organisation has been identified) and one to one consultations (where the risk is organisation specific).
Furthermore, with cyber security a critically important issue for Major Hazard sectors, due to its potential to impact on workplace health and safety, involvement of the HSE is key. In October 2015, the HSE Board agreed to a review of its approach to cyber security and, following engagement with lead government departments and other safety regulators, it began to develop training for specialist Control and Instrumentation Inspectors along with drafting an operational guidance for specialist inspectors at Major Hazard sites.
Following a consultation period, the guidance was approved and published in March 20173.
To align with the recommendations detailed in the guidance, industry has taken a number of steps to address and ensure compliance.
As part of the response to the growing cyber threat, it is of great importance to ensure that risks are recognised at all levels within organisations, from technicians to management and also at board level. It is essential that organisations are not solely dependent on their IT specialists, but ensure that all within the organisation are fully aware of threats and how they may materialise.
Information Risk Management Regimes are thus being embedded within organisations. Once approved, the risk management policy is communicated, not only to employees, but to contractors, suppliers and visitors to the organisation to ensure that all parties are aware of the risk management boundaries and the consequences should they not be adhered to. As part of an Information Risk Management Regime, personnel are also educated and made aware of the threats an organisation may face. Security policies that describe acceptable and secure use of the organisation’s ICT systems are distributed to employees and subsequently acknowledged by them. As perceived risks change frequently, staff should receive regular cyber training, advising of the new threats.
All incoming and outgoing cyber traffic is filtered at network perimeters to ensure that only traffic required to support business needs is allowed. Steps have been put in place to monitor for unusual or malicious incoming and outgoing activity that could indicate an attack either imminently or in the future. Most attacks are initiated many months in advance and by monitoring for this type of activity, it is possible that planned attacks could be detected and thwarted.
The management of user privileges is also crucial. Personnel is moved frequently within an organisation and, with relocation, it is often necessary to amend levels of authorisation. Authorisation amendments are made to ensure that any redundant authorisations or privileges are removed from the individual all at the same time to ensure that personnel have access to the platforms necessary to perform current duties only.
Policies have also been produced by organisations around the control of removable media devices and mobile or home working. This means that only previously approved removable media devices, which have been sanitised to protect against viruses or malware, are permitted. Mobile working and home working have also been the focus of threat prevention. For this reason, access to an organisation’s system is through a secure network connection to deter unwanted communications and screens are being equipped with filters to allow them only to be viewed by the immediate user.
Finally, the establishment of an Incident Response and Disaster Recovery Plan, which addresses the full range of incidents that can occur, is also crucial. Emergency Response (ER) Plans should also be carried out for cyber attacks, along with all other site specific ER scenarios, to minimise damage and disruption and provide business continuity as quickly as possible following an attack.
• Whilst co-ordination, development and innovation in cyber-security is occurring, due to the threat becoming increasingly sophisticated, UKPIA and its members will continue to work with Government and the HSE on a number of activities, including specialist workshops and cross sector seminars to develop key strategies to ensure the threat of cyber attacks can be mitigated.
• UKPIA and its members continue to work with the HSE to champion the Helping Great Britain Work Well - Strategy4 to ensure resilience to National Infrastructure, minimise disruption and maintain high standards of safety within the sector.
1 NCA Strategic Cyber Industry Group, Cyber Crime Assessment 2016
2 PWC 2014 Survey for the Department for Business of Information Security Breaches
Contact Details and Archive...