Keeping the power on, and the water flowing
December 3, 2023 by Alistair Enser
In 2017, the chief executive of the National Cyber Security Centre, a part of GCHQ, accused Russia of targeting the UK’s energy, telecommunications and media infrastructure. The agency reported a growing number of cyber security attacks on the UK’s Critical National Infrastructure (CNI), by so-called ‘hostile states’.
Following this, a law was introduced to boost the resilience of the UK’s energy sector. It required gas and electricity firms to report any attempts to hack their systems to the regulator. Yet this week Sky News revealed that, despite multiple successful hacks of British energy firms that were attributed to hostile states and criminal groups, not one report has been filed.
Ofcom, the authority that should receive energy providers’ reports of hacking, said that only one company has ever tried to file a report claiming it had been hacked – but it was dismissed as the incident did not apparently meet the ‘threshold’ for being reported!
The thresholds must be set quite low, then, as we know that CNI is under serous and sustained cyber pressure. Providers are required to report any cyber-related breach that results in “Loss of supply or outage that has or is likely to lead to loss of supply to grid supply points and affect customers for more than three minutes.’
It strikes me that the reporting mechanism needs to be readdressed, and quickly, given the seriousness of the situation and the considerable damage that any successful breach of UK CNI IT infrastructure could create.
For this is not a case of losing power for a few minutes: if a hostile state gained access to the UK’s electrical infrastructure, we would be in the dark for far longer than three minutes. Entire power plants could be disrupted or, as the Iranians found out in 2010 when the Stuxnet worm was successfully injected into the IT systems at the uranium enrichment facility at Natanz, simply switched off. The Stuxnet worm specifically targets programmable logic controllers (PLCs), the devices that allow the automation of electromechanical processes such as those used to control machinery and industrial processes in much of our CNI. And, as our CNI becomes increasingly connected, so it presents a greater target for hostile nations and criminals.
Large parts of the UK’s CNI are automated and, to be clear, this is as it should be. Digitisation and automation have led to lower cost, greater efficiency and better management of these precious resources. Our smart cities of the future rely on that interconnectivity, while managing our energy use to lower carbon emissions requires a better understanding of energy usage – something that digitisation makes possible.
It’s not just electricity, or gas infrastructure that is prone to attack, either. As one of the 13 Critical National Infrastructure sectors, set out by the government and supported by the Centre for the Protection of National Infrastructure (CPNI), the water utility industry is a core component of our nation’s ability to function on a day-to-day basis. Water treatment and supply facilities are increasingly automated, and large parts of the process that leads to clean water coming out of our taps at home is therefore now at risk of cyberattack. Last year, Israel’s National Cyber Array issued a notification that cyberattacks had been launched against a variety of its water control critical infrastructure targets. Water aside, I have of course already written about the data centres that we increasingly depend on, as vital business systems and online retail operations move to the cloud.
Physical and virtual threat
Of course, CNI is at risk not only from hacking, but also physical attacks such as theft, vandalism or even terrorist events. Control of an electrical substation could be gained by hacking, but closing down parts of the network could equally come from a well-placed act of vandalism or theft. Large parts of Vodafone’s cellular network in England went down when cable was stolen from what was understood to be a remote cabinet in North Wales, for example, while thieves are currently targeting BT Openreach’s broadband street cabinets for their batteries alone.
The solution, therefore, is a robust security solution that keeps utilities, telecommunications providers and other essential parts of our CNI safe and operational. This needs to have a physical aspect as well as having an electronic dimension.
Ironically the electronic security systems that are designed to protect the physical environment can sometimes offer the ‘weakest link’ in a CNI network. If video surveillance, access control and intrusion detection systems are not installed correctly, are not secured, and not maintained with the latest software patches – or implemented on unsecured networks by unqualified companies – they offer a potential route into the site for the unscrupulous.
Reliance High-Tech is a Cyber Essentials and ISO27001 accredited organisation, and we know that clients come to us because of our IT expertise: a large proportion of the reported cyber and hacking incidents in the press are caused by poor installation and programming as much as by poor equipment.
There is no room for complacency when it comes to keeping CNI secure. To see how Reliance High Tech keeps water companies secure, for example, watch our video.