This month the Government issued a warning to Britain’s most critical industries warning them to boost their cyber security capabilities or face hefty fines. These fines could be up to £17 million for those that have systems deemed not effective.
The sectors that are deemed essential services include transport, water, health, digital infrastructure and of course energy. The new National Cyber Security Centre (NCSC) guidance focuses on 14 key principles that exist within the EU Network and Innovation Systems directive that the UK must transpose into UK law by 2018. Theses in turn fall into four objectives: managing security risk, defending systems against cyber-attack, detecting cyber security events and minimising the impact of cyber security.
The worldwide WannaCry attack last year was the first-time cyber security had really entered the public’s consciousness. The only people talking about the dangers before then as far as the public were concerned were think tank types and those with a background in cyber security.
According to the National Audit Office, the attack led to disruption in at least 34% of NHS trusts in England. As a result, in five areas patients had to travel further to accident and emergency departments, which in extreme circumstances could have had deadly consequences. The NAO also assessed that the attack could have caused further disruption if a cyber researcher had not by chance stumbled across and activated a “kill-switch.”
A similar attack on energy systems, if successful, could be equally or more devastating. Just one month later hackers breached at least a dozen US power plants, including the Wolf Creek nuclear facility in Kansas. A similar attack known as Stuxnet targeted the Iranian nuclear programme in 2010, which caused 1,000 machines that were enriching uranium to physically degrade.
This was the first major military grade cyber-attack, at least in the public knowledge, to have occurred and which is thought to have been carried out by the US or Israel in an attempt to disrupt the Iranian nuclear programme. The important thing to remember however, is that in a cyber world, no one is immune or untargeted and it only takes at best one lone attacker with a vendetta, or at worst an organised military cyber taskforce with the backing of state finances and apparatus.
The energy sector’s complexity is not only a strength, but also its biggest weakness. As the internet of things grows ever broader and the convergence of information technology and operational technology increases, the greater the scope for back doors into systems are. The vast supply chain for projects and systems in the energy sectors mean that there is an array of third parties involved, and for a hacker to gain access all they need is to find a weakness in one of them, one chink in the armour.
That’s not to suggest that it is Armageddon for us all, instead it is a welcome development that Government and the NCSC are looking to stringently enforce guidelines and good practice across these sectors, with punitive measures. If there is a major cyber-attack on the UK’s energy systems, it will likely be that there has been one small, medium or large party that is part of an immensely complex supply chain that has not bothered to get the basics right.