The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

WARNING: SIGN-IN

You need to be a member of Energy Central to access some features and content. Please or register to continue.

Post

Busting the Cybersecurity Myths in the Energy Sector

image credit: © Gagarych | Dreamstime.com

This item is part of the Cybersecurity - Special Issue - 04/2020, click here for more

With technology playing an ever-important role in the running of energy companies the risks posed by cybercrime and state-sponsored threats to energy suppliers has never been higher. 

Energy is part of the UK’s critical national infrastructure (CNI) and the role of protecting it is led by the Centre for the Protection of the National Infrastructure (CPNI). The threats posed by nation-states are the ones that often make the headlines and rightly so, as the impact on our everyday lives from a cyber-attack on the CNI could be hugely damaging. However, it’s not just the CNI on the frontline, but every single electricity or gas supplier.

According to a report by Accenture, 63% of utility directors from around the world believe that the country they operate in faces a moderate risk of energy supply disruption from a cyber-attack. Electricity and gas suppliers are often vulnerable because they are so many interconnected parts and that the infrastructure, they rely on is often required to operate for up to a decade, so the technological systems are often upgraded infrequently. 

Even the smallest energy supplier is a target

There are many myths surrounding cybersecurity that are in part unhelpfully created by the security industry itself and the way it’s often reported in the media. One of the most harmful consequences of this is that business’s fall into a false sense of security, that they will never be a target either because they regard themselves as ‘too small’ or falsely believe that they have nothing of interest to a hacker. 

 It doesn’t matter how large you are or what products you sell, you are a target. If you have something to sell or process data, then you have something to steal. Hacking by hand is increasingly less common due to the rise of readily available Exploit Kits and cybercrime as a service.  

Most of the users of these services aren’t geniuses or making millions from hacking big corporations. In many instances, they’re just people with minimal technical knowledge. They use Exploit Kits and rented attack services at random in the hopes of getting lucky by making some cash from as many victims as possible. They can scan huge numbers of connected devices and servers as they seek a vulnerability that they can exploit. 

Most cybercriminals are opportunistic creatures seeking an easy score. Of course, some are more persistent and capable, but If you make yourself an easy target then it’s a certainty that you will become another statistic. 

Reduce the threats by implementing some basic steps

Another common myth is that cybersecurity is prohibitively expensive, it doesn’t have to be. Before you go splashing the cash on the latest shiny product that promises to solve all your security problems (there isn’t one) there are a few basic steps you can put into practice.

Here are a few steps to take:

  • Patching – ensure you download and install the latest security patches when they’re released. A huge number of cyberattacks rely on businesses not having the latest patches installed.
  • Cybersecurity awareness training for employees – cybersecurity isn’t just the responsibility of the IT department. As most cyber incidents begin through phishing emails, imagine if employees are trained and aware of what they look like. Instead of opening them and potentially compromising the organisation they’ll delete them; voila the threat has been eliminated.
  • Keep your antivirus up to date – new variants and strains of malicious software (malware) are created every day, by ensuring your antivirus is kept up to date you will be protected from the latest versions.
  • Backup your data – 2019 has seen a huge rise in Ransomware (malware that encrypts data and holds it hostage), to avoid disruption from this you should ensure you regularly backup your data. 
  • Plan – Do you know how to respond to a cyberattack? Making an incidence response plan is a vital component of being able to respond quickly and with the least amount of disruption. Regular drills and exercises will mean your business will know what to do should the worst happen. 

There’s some excellent advice provided by the NCSC - https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps

What can you do to reassure your customers that you take cybersecurity seriously?

Demonstrating that you take cybersecurity seriously can be a deciding as to whether a potential customer may use your services or not. There are a few ways you can demonstrate that you take data protection seriously. 

Being able to prove that your business protects customer data is becoming more important by the day and could even be the deciding factor as to whether they use your services or not.

Fortunately, there are a few ways your business can show that you take data protection seriously. 

ISO27001

Often regarded as the gold standard for information security processes, in line with international best practice and is suitable for businesses of all sizes and types. 

Since 2009, ISO27001 certification has jumped by 450% and is recognized globally as the benchmark for good security practices. The process for becoming certified can be a long one, but by achieving certification your business will build good evidence towards demonstrating compliance with many laws such as GDPR. 

Cyber Essentials

By obtaining a Cyber Essentials your business can demonstrate to your customers and partners that you are committed to protecting their data. Cyber Essentials focuses on five technical controls. These are:

  • Firewalls - ensure that only safe and necessary network services can be accessed from the Internet.
  • Secure configuration - ensuring that systems are configured in the most secure way for the needs of the organization.
  • User access control - ensuring only those who should have access to systems to have access and at the appropriate level.
  • Malware protection - restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data.
  • Patch management - ensure that devices and software are not vulnerable to known security issues for which fixes are available.

Having the Cyber Essentials badge on your website and documentation can make you stand out from your competitors and provides reassurance to customers that you’re serious about tackling cyber risks and gives your partners confidence that their data is in safe hands. This is particularly useful if you store personal information such as financial information or if you host commercially sensitive data.

Cybersecurity is a necessity in this ever-evolving world. Criminals are constantly adapting their tactics and methods meaning that the energy sector must always remain vigilant to the dangers.

This might sound scary but one positive for businesses is that implementing effective cybersecurity measures does not have to be expensive or disruptive. Unfortunately, the security world is filled with snake oil salesmen, but if you look hard enough you will find organizations that will genuinely help you and for a reasonable price to boot.

Matthew Olney's picture

Thank Matthew for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.

Discussions

Matt Chester's picture
Matt Chester on Apr 29, 2020 9:24 pm GMT

One of the most harmful consequences of this is that business’s fall into a false sense of security, that they will never be a target either because they regard themselves as ‘too small’ or falsely believe that they have nothing of interest to a hacker. 

The false sense of security is such a threat-- I imagine there are similar risks associated with organizations who have implemented a new technological solution to cybersecurity and so they 'feel' safe, which may lead to less safe behaviors (falling for phishing, not following all defined protocols, etc.) because their guard is dropped. 

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »