How the UK energy system needs to prepare for cyber attacks
It’s a scene from a movie – one brilliant computer hacker is working against the clock to break into a secret government network. She types, sweating, as the reflected image of the screen glows green in her glasses, before a triumphal: “We’re in – we can shut the city down”.
Fanciful? Certainly, but as our energy and information networks become increasingly connected, so the threat of the architecture being accessed by outside elements rises. Elements that in some cases could prove highly dangerous.
Energy systems are a growing concern for cyber security experts – countries are rolling out more and more devices such as smart meters and demand response controls that need to communicate with each other to manage changing flows of electricity, improve efficiency, and curb carbon emissions. In doing so, they are sweeping away the previously isolated energy systems that were effectively tamper-proof unless someone succeeded in breaking into the control room.
This is a worry for Michael John, a senior cyber security expert at the European Network for Cyber Security (ENCS), a not for profit organisation providing advice to utilities and managers of other critical infrastructure.
“Every expert is saying if we continue down this road, something bad will happen,” he says. “It might be in six months, it might be in two years – but the systems being deployed don’t have the required protection mechanisms, so there is a possibility for an attack.”
The potential for large cyber-attacks on the UK energy systems is fairly high, as the House of Lords Science and Technology Committee noted earlier this year. James Arbuthnot, an MP who chaired the Defense Select Committee until last year, said in January: “Our National Grid is coming under cyber-attack not just day-by-day but minute-by-minute.”
Although the country has an £860m National Cyber Security Programme to deal with the threat to all its infrastructure, the nationwide roll out of 53 million smart meters needs to be handled carefully, cyber security experts counsel.
But John is concerned that alongside poorly protected new devices, manufacturers are continuing to sell older products designed for isolated networks that do not take account of the threat from cyber-attacks.
Meanwhile, vulnerabilities to the dangerous Stuxnet computer worm have been found in power plants in the UK – and around the world – that could allow hackers to mount a variety of attacks, although John says the worm is the “tip of the iceberg” and less well known threats are equally dangerous.
The possibility of outside forces tampering with the whole power grid is “not impossible”, according to John, albeit the risk remains unlikely as such an attack would require a high level of knowledge of energy security protocols. However, he says mounting an attack is getting easier every day because of the large amount of publicly available information and the rise of automated tools.
“My fear is that attacks will become even simpler and easier in the future and the possibility for someone who isn’t an expert but has a good understanding of how to mount an attack will, using available tools, be able to mount an attack that would in theory be able to control a transformer station,” John says. “A motivated hobbyist would be able to cause disruption if they have the right knowledge.”
So what can utilities do to protect themselves? Well, the picture appears pretty daunting. “There is always a race between the defender and the attacker and unfortunately it’s very asymmetric – attacking is so much easier than defending in the security business,” John warns. “Security mechanisms do not get broken in a day or two, but they really erode over time – it’s very, very hard to stay ahead in this game.”
Companies can however ensure that when they procure a product it has good security, that their architecture is sound, that they monitor devices when deployed to fend off new threats, and above all employ smart people.
John says this last factor cannot be overplayed. He tells a story of a German utility that hired a penetration tester to sound out its security. The tester dropped a USB stick in the car park, which an employee picked up and innocently plugged into their laptop. “He then had access to the corporate network, from there he went to the control station and if he then had expert knowledge he could have happily started switching stations in the field,” John says.
He also alludes to another unhappy example – the hacking of French public service broadcaster TV5Monde by individuals claiming to belong to Islamic State earlier this month. One theory speculates that when a reporter interviewed his colleague on air, the passwords for their Twitter and Yahoo accounts were clearly visible in the background.
Neither of these examples are “some sort of overly complicated nation-state level attack, but they’re the kind of thing you have to be thinking about,” John says.
He rejects the possibility of shifting the grid back towards isolated systems, but not because even these can now be breached by extremely advanced mechanisms that use laptop microphones and speakers to bridge the gap between the internet and internal systems. Simply put, to have the integration needed for a smart grid and the massive environmental and commercial benefits that go with it, you have to have communication.
“If you go back to ‘air gaps’, you won’t be able to realise the smart grid,” John says. “I’m acknowledging the need for a smart grid because we don’t have a better option to tackle the energy challenges of the future – so we need interconnected devices, we need communicating devices and we need to make sure it is secure.”
And that means no more picking up USB sticks in the car park.