
The energy industry’s surprising security weakness

  • 3 years ago (2021-02-10)
  • Junior Isles

Steve Green, Regional Sales Manager UK at Genetec


Energy companies have a litany of day-to-day operating challenges to contend with, from net zero goals to rapid technological advancement driving competition in the sector. However, moving into 2021, organisations must make security more central to operations, or the consequences could prove dire. This is because, all too often, public-facing utility services have cabinets on high streets and power cables that are only secured by lock and key – leaving them vulnerable. But why is security in the utilities sector so complex, and what dangers do these commonplace pieces of infrastructure really pose?

What’s the problem?

Spread-out, disparate pieces of infrastructure and facilities mean it can be difficult for energy providers, installers or distributors to maintain effective operations. Maintenance is a prime example, as many outsource asset management to third parties, requiring them to look after valuable equipment which is located across vast swathes of land. However, this approach often leaves no audit trail of who has looked at what equipment, and few can prove the work has actually been completed, because other than a physical lock, there’s usually no form of access control or digital record. Physical keys also present other difficulties, as the master key is usually stored at head office, requiring those who need access to pick it up and return it afterwards – adding travel time to billing. The alternative, cutting multiple keys, increases risk, as who knows whose hands a seemingly innocuous yet vital piece of security infrastructure could fall into. A new approach is required.

It’s time to digitise security for energy infrastructure. A digital key would allow an engineer to go directly to a site, with bespoke, temporary access to the necessary infrastructure. This provides evidence of their attendance, plus an accurate log of how long they were there – which streamlines the billing process and, more importantly, ensures an audit trail. Access control has long been a key requirement for managing the entryways of buildings, but now it needs to be translated into all critical national infrastructure in all its forms, and not just badging in at larger facilities.

Cyber considerations

Of course, digitisation is a great driver of efficiency. But adding any digital elements to an entirely manual process increases the cyber-attack surface: once you add in connections to the network, there is suddenly another entry point to attack. Given the rise of cyberattacks in 2020, energy companies need to be well prepared for security incidents of any kind. Needless to say, a successful attack on an energy company has potential for wide-ranging disruption.

The severity of these attacks has the potential to escalate with the advent of 5G and other innovative technologies, due to increasing connections into the network. In a B2C space, smart speakers and smart meters could be hacked; so, whilst these new technologies will no doubt create a vastly more interconnected world, with more connections to wider networks, the resulting convergence of physical and cyber threats means that any minor vulnerability could give hackers a back door to your organisation’s network.

This isn’t a hypothetical scenario either. Over the last few years we have increasingly seen incidents of sophisticated cyberattacks that managed to cause far-reaching, real-world damage. This is partly a result of foreign nations increasingly backing cyber espionage. Better-funded hackers have the capability to target organisations of any size. For instance, it was only earlier this year that hackers managed to infiltrate a company within the UK electricity industry. Similarly, we’ve seen countless examples around the world, from Ukraine’s power grid in 2015, to the more recent attack on India’s Kudankulam nuclear power plant – which could’ve been a monumentally damaging event, if the hackers had decided to target the plant’s critical safety measures. It has even been suggested that the colossal oil spill off the coast of Mauritius was caused by hackers interfering with the tanker’s navigation system.

Admittedly, comparing power cable security to high-profile attacks on critical national infrastructure may seem like an overstatement – but the threat is very real. These events are characteristic of security considerations in the sector as a whole – when exploited, small vulnerabilities can have big repercussions.

Looking ahead

The energy industry continues to make great strides to rapidly modernise and adopt “smarter infrastructure”. But the same considerations must also be made for upgrading security, as the modern threatscape is constantly evolving and diversifying – organisations must be prepared. Furthermore, the arrival of COVID has affected more than just security, as the consequent drive to remote working has meant that, overnight, commercial and domestic power provision has been turned on its head. As a result, the demands on the power grid have never been more unpredictable, due to the uneven split between people working from home or travelling to the office (when not locked down).

To avoid widespread disruption, protecting unsecured assets has a simple and relatively inexpensive solution. By deploying technologies like access control and access management systems, organisations can ensure they increase their resilience, improve accountability and have better visibility across operations.