Protecting our energy system in a dangerous world
31 October 2017
by Duncan Page, cyber security specialist
I had a fascinating day recently at the Energy UK annual conference in Westminster, where I chaired a plenary panel session dedicated to cyber security.
Following the conference theme of generation, the session examined the cyber risks and threats facing energy generators from their reliance on operational technology (OT) - a theme that was picked up in other sessions, demonstrating how OT security is now a mainstream topic across the industry.
This is a dramatic turnaround from when I first began helping companies to understand and deal with operational risk. Then it was a specialised subject and awareness was low, even within engineering departments. Nowadays we rarely have a security conversation with a utility client, from Board level down, without discussing IT and OT as part of one overall landscape.
Taking to the stage with a great range of panelists from across industry and government, we began by reflecting on how some of the most fundamental challenges of OT security have always been with us. Older technology is a concern because it is not secure by design and can be difficult to protect because of its obsolete characteristics. On the other hand, newer technology can be vulnerable because it is based on ubiquitous IT platforms and is much more connected. Meanwhile, smart infrastructure coming in to support the low carbon future is even more connected and more complex, opening up new potential avenues of attack.
This last point was highlighted in a session titled ‘Tomorrow’s world – the future of the energy system’. We learnt that the next generation of wind and solar farms would incorporate local energy storage and smart control systems, providing supply-side and network management services to both National Grid and local distributors. The rapidly expanding internet of things for home energy automation, including domestic energy storage and electric vehicle management, was also discussed. The common thread running through this was that our low carbon energy future will run on a decentralised and highly connected digital ecosystem rather than the well-defended, centrally controlled power grid we’ve been used to.
Returning to the main panel, we covered a range of topics from threats and recent incidents (such as Dark Energy in Ukraine and WannaCry closer to home) through to security measures and means of response. We also talked about the Government’s shifting stance from advice and incident response to regulation, with the forthcoming Networks and Information Systems (NIS) Directive.
Panelists Peter Yapp, Deputy Director, National Cyber Security Centre (NCSC), and Barbara Vest, Director of Generation, Energy UK, both emphasised the importance of communication and collaboration across industry. Energy UK intends to complement the threat intelligence and technical advice available from the NCSC and existing groups with a more proactive energy industry position on cyber security.
Simon Lambe, Enterprise Information Security Officer, EDF Energy, whose remit includes nuclear, conventional and renewable generation assets, highlighted the importance of good engagement with senior management and the clear articulation of cyber risk to non-experts in order to justify the right security investment programme. Our fourth panelist, Jon Longstaff, Head of Cyber Security, Siemens Omnetrics, revealed that an abiding lesson from his customers was the need to get the security basics in place across your entire estate, before focusing further effort on your most critical assets according to assessed risk. Even the most sophisticated attacks tend to get a foothold through simple mistakes.
I left the day reflecting that there is more to be done to protect today’s energy system in a dangerous world, let alone tomorrow’s lower carbon, digital energy system.
However, I am greatly encouraged that the UK energy industry and Government seem aware of and alive to these challenges.