Dan Mosca, cyber security expert at PA Consulting, is quoted in an article on the use of ethical hacking in the utility sector.
The article discusses how energy and water utility companies are using ethical hackers to fight cybercrime. It emphasises that along with severe weather conditions, cyberattacks are the biggest operations risk for the UK’s utility companies.
Dan says: "Utilities are a soft target for malicious adversaries and a successful attack has the potential to cause mass disruption. They often operate legacy networks and systems that are not secure by design."
He adds: "Against a backdrop of rising geopolitical tensions, the likelihood of an attack on critical national infrastructure has moved from worst-case scenario to distinct possibility with cyber seen as the new weapon of choice. This has already been seen in the attacks that caused electricity outages on the Ukraine grid in 2015 and 2016 and the incident in 2019 on the Western US grid where hackers used firewall vulnerabilities to cause periodic blind spots for operators."
The article goes on to explore the vulnerabilities associated with embracing digital transformation. Dan says: "[Businesses] may procure and integrate solutions made up of commercial off-the-shelf technologies such as Windows and TCP/IP to become smarter and take advantage of digital innovation. This creates vulnerabilities and, when combined with weak risk management practices such as not patching system vulnerabilities on a regular basis, increases the chances of a successful breach."
The article explores the ways in which organisations can use ethical hacking. Dan warns: "Ethical hacking brings risks of disruption, especially if it takes place in a live environment. Any tests need to be scoped and executed carefully by certified specialists to avoid disruption to networks, systems and the service. All risks need to be identified, and appropriate mitigations put in place to ensure that the business does not suffer any impact in the quest to increase security defences."
He adds: "If the risks of testing in a live environment are too great, especially where there could be safety implications, testing should be carried out in a replicated virtualised or offline test environment or use alternative non-intrusive methods such as health check assessments against best practice standards and frameworks."
Dan emphasises that the basics need to be applied for ethical hacking to be effective: "A more holistic approach to cyber-security needs to be adopted, such as examining the management approach and ensuring policies and operating procedures are fit for purpose."