Carbon trading fraud and the Stuxnet worm show cyber crime is a real and present danger to utilities. By Justin Lowe and Ed Savage.
Cyber crime is on the rise. The Commissioner of the City of London Police recently suggested that a new cyber crime is committed every second. Utilities face particular challenges. This is in part because of their increasing dependence on automated control systems and the adoption of smart technologies and applications such as smart metering and smart grids.
Attackers are increasingly using advanced techniques to steal information – such as the Night Dragon attacks on oil and gas companies – and to cause disruption to systems and critical infrastructure. The attacks on the EU’s carbon trading scheme and the Stuxnet worm are the most recent examples.
In early 2011, the European carbon trading markets were attacked in a number of different countries, forcing many registries to close. Security standards across the end-to-end ETS scheme were inadequate. Before they reopened, registries had to improve and verify their security. The EU is now considering changing the nature of the trading system to make it less susceptible to this kind of threat.
Utility Scada systems are also vulnerable. These industrial supervisory control and data acquisition systems have become more interconnected and incorporate off-the-shelf technologies. As a result, they have commonly exploitable weaknesses that make them easier to attack.
In 2010, the Stuxnet worm marked a major change in the nature of the threat. Previously, utilities had to protect their industrial control systems from standard IT malware and a few dedicated attackers. The Stuxnet worm, which targeted specific types of control system, was the first significant malware targeted at industrial control systems. This represented a new level of sophistication from attackers. The worm spreads primarily through USB drives but can communicate over networks and attack through supposedly secure connections. The utilities industry must be prepared for attacks from new variants, which are likely to continue to emerge.
New developments such as smart meters are also changing the nature of the threats facing the sector faces. Smart meters contain personal information relating to the consumer and many have a remote disconnect feature that allows the supply to be interrupted – if a customer has not paid a bill, for example.
By attacking smart meters, a hacker could not only access and compromise personal data, but there is also the potential to remotely turn off the supply to a whole street, city or an even wider area. Such vulnerabilities will be magnified in the future once smart grids are in play.
Utilities must understand the cyber risks they face, identify where the risks come from and might come from in the future, and recognise that these are not just matters for the IT department.
Then they must identify and implement appropriate security frameworks to address the risks. To be truly effective, these frameworks must not only include a portfolio of measures – tackling risks at the technical, organisational and people levels – but must also be integrated across the organisation.
Strategic protective monitoring gives organisations a coherent view of their cyber activity and defences by creating greater transparency and co-ordination between business areas, and by supporting a positive culture to deter counter-productive behaviour. By doing so, it also allows earlier risk or threat identification and a more robust defence or response to a cyber attack.
It is impossible to provide completely impenetrable defences – cyber incidents will happen. Utilities must ensure that their systems, organisations and businesses are resilient enough to allow operations to continue if attacks occur. They must also respond quickly to an attack – identifying what has taken place, isolating the affected area, and understanding and learning from it as part of an ongoing cyber security strategy.
Building security measures into new developments as part of their core design results in systems that are much more secure – and it is less costly than adding them later. This is particularly important in innovative projects such as smart metering and grids, where full consideration of the security risks needs to be built in from the outset. This is a task not just for utilities but also for policy makers and product vendors.
Justin Lowe is a smart energy expert and Ed Savage a cyber security expert at PA Consulting Group.