Cyber security and the energy sector – risks and consequences

The last few years have seen a number of attempted attacks on electricity grids and energy production plants. Some successful, many others foiled. It is naïve to think that these attempts will do anything other than increase in numbers. Though there is an increased awareness around the issue, the pace of developing measures to reduce vulnerability is too slow. As technology gets more sophisticated, so do cybercriminals. 

The Norwegian health care sector, nuclear refinement plants, the AshleyMadison online cheating site, shipping companies in Denmark, and American investment banks are but a few companies who have fallen victim to cybercrime. Targeted attacks are on the increase and literally no sector is safe. Consequences of cybercrime vary greatly, from private or company information being leaked and equipment being damaged, to, in the worst-case scenario; loss of life. 

One sector where the stakes are high in the event of an attack is the energy sector. With societies being increasingly dependent on and used to 24/7 electricity access, they are also extremely vulnerable to outages. The ripple effects of a lasting outage could be catastrophical. 

Few meals from anarchy

Earlier this year, British newspapers reported that Britain would only be a few meals from anarchy in the event of a power supply cut. The article, based on studies by UK security services, warned that a major, long-lasting outage would eventually lead to loss of water, fuel, and food, with many critical services being directly affected. Without access to basic necessities such as food and water, large-scale disorder is a definite possibility.

“Every year, we are seeing an increase in the number of attacks, in the energy sector and in general. Additionally, we are seeing more and more high-profile attacks,” says Powel’s Chief of Cyber Security Mike Loginov. “In terms of the energy sector, the most well-known attack to date was the power outage in the Ukraine in 2015, which affected around 225,000 people who were without electricity for up to six hours.” 

Digitalisation has revolutionised many sectors, including the energy sector. However, it has also caused it to become vulnerable, creating a number of entry points for a cyber attacker wanting to cause damage. Digital sensors, cloud services, smart meters and IoT have simultaneously created enormous opportunities and challenges that we cannot afford to ignore. 

The attack on the Ukraine showed vulnerabilities that other utilities should take note of. Still, as the attack is widely believed to be a nation-state attack caused by the ongoing situation between the Ukraine and Russia, it is easy for utilities not involved in conflicts to ask “Could this really happen to me?” 

Who is at risk? 

“The simple answer to this is yes, it could absolutely happen to you,” says Loginov. “Hackers come in many shapes and sizes, from nation states dedicated to national security, to hacktivists committed to a particular cause. Additionally, you also have various criminals and terrorists, each individual or group with their own motives and agenda for committing crime.” 

Loginov, who is a certified and award-winning CISO (Chief Information Security Officer) has been working for Powel since April 2017 and has decades of experience. He was recently named ACQ5 Global Awards UK Gamechanger of the Year 2018 and CEO Management Magazine Management Consultant of the Year 2018. He is also heading up not-for-profit-organisation IOTSA, International Operational Technology Security Association, which Powel is a sponsor of. 

He is of course correct about the threat level. In Norway both the PST (the Norwegian Police Security Service) and NSM (the Norwegian National Security Authority) agree that critical infrastructure such as the energy sector could be targets both for espionage and attacks. 

The scale of the problem in the Norwegian energy sector 

Although there have not been any known attacks of note as of yet, a report published by NVE, The Norwegian Water Resources and Energy Directorate, shows that many energy companies have already been victims of breaches or attacks. 

The report, published in December 2017, investigated digital security in the Norwegian energy sector and gives an overview of incidents in the period between June 2016 and June 2017. Based on a voluntary survey sent to Norwegian energy businesses, the report is based on the answers of the respondents and gives an insight into the state of affairs. 

The report shows that the sector is exposed to both unwanted IT security breaches and cyberattacks. Close to 70% of respondents reported that they had experienced undesired IT security issues, whilst 59% said they have had cases of breaches that they deemed serious. 

“Cyber attackers are quick to take advantage of changes that arise from a globalised and digitalised world and you have no choice but to try and stay one step ahead,” says Loginov. “Making sure that you train and update your employees and your systems is highly important.”

Powel Security Services can assist you all aspects of security and help you stay safe and secure. Get in touch with us to find out more about our services.