The National Grid and other critical national infrastructure have been facing persistent cyber-attacks for a while. Along with GCHQ and other national agencies, energy firms have been fighting “ongoing, constant, relentless wars” with hackers who are often state-sponsored.
Despite energy firms' concerted efforts, there is a fear that hackers will eventually get past the gates and shut down critical national infrastructure, thereby affecting millions of lives.
“There are, at National Grid, people of very high quality who recognize the risks that these attacks pose, and who are fighting them off, but we can’t expect them to win forever,” said James Arbuthnot, a member of the UK Parliament's Defense Select Committee in 2015.
Earlier this year, research by Kaspersky Labs revealed that as many as 40% of all industrial control systems (ICS) and critical infrastructure faced at least one cyber-attack in the last six months of 2016. The report also stated that while 17% of industrial computers were targeted by July of last year, the percentage grew to 24% by December.
"Exploitation of software vulnerabilities in enterprise industrial networks, particularly critical infrastructure objects, can lead to disastrous consequences. Finding and eliminating these vulnerabilities, in addition to developing more advanced industrial solutions and specialized security tools, is a top-priority task for security experts," noted researchers at Kaspersky Labs.
A recent study by PricewaterhouseCoopers revealed that as many as 65% of all energy firms in the UK are significantly concerned about cyber risks. Over half of all energy firms are also worried that their 'client data isn’t handled securely enough by their energy supplier'.
A survey of 500 UK businesses conducted by the firm also revealed that if cyber-attacks take place, 57% of businesses and 70% of industries would switch supplier, thereby severely impacting the energy sector. A large number of industries are also considering switching from conventional to smart energy technology, thereby placing an additional responsibility on energy firms to strengthen their cyber-security protocols.
The concerns expressed by energy firms over cyber risks come at a time when a major ransomware attack has succeeded in bringing down the Ukrainian power grid, the country's central bank, two postal services as well as aircraft manufacturer Antonov. The ransomware has also affected operations at Danish shipping company Maersk, Russian oil giant Rosneft, US pharmaceutical giant Merck as well as its subsidiary Merck Sharp & Dohme (MSD) in the UK.
Aside from encrypting target files, the Petya ransomware also encrypts NTFS structures before crashing a computer, rendering the computer unusable until the $300 ransom is paid. The attack has again shown that cyber-security protocols in today's infrastructure companies aren't yet capable of taking on malware variants that are growing more powerful with the passage of time.
Wieland Alge, Barracuda’s Vice President and General Manager EMEA, feels that while the National Grid can be protected from hackers through security by architecture, such as firewalls, and through significant investments from councils, the widespread introduction of IoT energy technology will bring more complications in the coming days.
"In many ways, this is an exciting move towards a more efficient and flexible way of doing things: instead of regular power distribution based on average required supply, energy companies will be able to analyse and predict power supply far more effectively. However, when IoT devices speak to millions of respective residential WiFi hotspots, those connections must be secure.
"If they’re not, cyber criminals can target many houses at the same time. By manipulating the energy supply at an unexpected time, they could wreak havoc with the national grid, potentially causing sustained and widespread infrastructural problems," he said.
Alge adds that new IoT devices can be kept secure by design, unlike legacy devices, which are being protected using firewalls. If energy firms take IoT security seriously, the industry will avoid falling victim to massive malware and ransomware attacks like the recent WannaCry ransomware episode.