Defending critical operational data from malicious cyber attacks

Originally published by Utility Week on 4th May at https://utilityweek.co.uk/defe...

Cyber-attacks targeting critical energy infrastructure, such as electricity transmission and distribution systems are becoming ever more prevalent and occur when the attacker can maliciously penetrate the Operational Technology (OT) network to disrupt the physical operation of assets.

The examples are many, ranging from the attacks on the Ukrainian power grids back in 2010, more recent attacks on several Southern European power generation companies in 2020 and in 2021, the high-profile ransomware attack in the US against Colonial Pipeline disrupting gasoline supplies to the whole of the east coast.

The attack vector is increasingly the operational data itself, because when this can be manipulated by the hacker they can ‘hide’ the true state of the asset from the operator, leaving the attacker undetected and free to cause damage. While devastating cyber-attacks, like the Ukrainian and Colonial Pipeline examples, are still relatively rare, they are now becoming more prevalent and the impact of even a single incident could be catastrophic to customers and the wider economy.

What is clear from these and other attacks, some of which have not been made public, is that industry regulators and operators are becoming aware that they no longer fully understand the security risks surrounding our most critical national infrastructure and their OT environments.

OT can encompass a large variety of technology, hardware, and software where the common denominator is in extracting value from OT-enabled operations data. Data is the link and interface between operators and decisions makers, and therefore ensuring data is of high availability and has the necessary integrity is crucial in operating critical energy infrastructure.

The Americans have certainly upped their game since the Colonial Pipelines attack where the Biden administration ordered that critical infrastructure owners and operators must conduct cyber-security assessments, and for those found non-compliant could face fines starting at $7,000 a day.

There are no such directives or fines imposed here in the United Kingdom, but the likelihood is that there soon will be, because if an attack on critical energy infrastructure can happen in the US it undoubtedly could happen here. Indeed, Russia’s attack on Ukraine, which has included cyber-attacks on those actively supporting the war effort or seeking to join NATO, only serves to underline the urgency to review our cyber-security measures.

We believe that our critical UK energy infrastructure is currently more exposed to cyber-attack than ever before, and nuclear power plants, offshore wind farms and energy networks have OT vulnerabilities that can be exploited. The danger of cyber-attack in the energy sector is real and present, but we can put up a robust defence if we make cyber-security an integral part of critical OT systems and data integration.

For further information, click here.