Cyber attacks against energy companies have risen massively, with the industry a prime target for attackers
Keeping the lights on is becoming an increasingly difficult task nowadays, according to a new World Energy Council report, which warned of a “massive increase” in the number of successful cyber attacks in the past year against energy firms.
Ensuring the defence of the energy sector is of course in the national interest. This is evidenced by the recent delay (since resolved) of the Hinkley Point nuclear project, over security concerns about China’s involvement in the project.
The energy sector is therefore an attractive target for cyber-attacks. In a worst case scenario a cyber attack could potentially result in infrastructure shut down, which in turn could result in economic and financial disruption, or even loss of life and massive environmental damage (in the case of nuclear reactor meltdown).
Other researchers have previously warned that security weaknesses in industrial control systems could allow hackers to create cataclysmic failures in infrastructure. This report however has identified a number of key finding that the energy industry must take note of.
“Cyber threats are among top issues keeping energy leaders awake at night in Europe and North America,” said Christoph Frei, Secretary General, World Energy Council. “Over the past three years, we have seen a rapid change from zero awareness to headline presence. As a result, more than 30 countries have put in place ambitious cyber plans and strategies, considering cyber threats as a persistent risk to their economy.
“What makes cyber threats so dangerous is that they can go unnoticed until the real damage is clear, from stolen data over power outages to destruction of physical assets and great financial loss. Over the coming years we expect cyber risks to increase further and change the way we think about integrated infrastructure and supply chain management.”
Energy firms are encouraged to build up their resilience to cyber risk in order to safeguard energy security. The Internet and increased digitisation via devices such as smart meters, does create efficiencies the report found, but also increases the scope of vulnerabilities.
Technology vendors are being encouraged to build in extra security and resilience of energy infrastructure, as supervisory control and data acquisition (SCADA) controls can increase the vulnerability of energy operations to attack.
The good news is that energy firms are increasingly recognising that cyber threats are a core risk, but there is still insufficient information sharing among industry members and across sectors on cyber experiences. The report encourages improved information sharing within the sector and between public and private stakeholders. That said, human error is very often a key factor in the success of cyber-attacks, due to insufficient awareness of cyber risks among staff.
Another key finding is that energy firms should consider cyber insurance as a way for them to offset potential financial losses from a cyber-attack. But the insurance industry has to play its part as well and continue to develop tools to address the potentially catastrophic losses and the complexity of cyber risk.
“The energy sector must take a systemic approach and assess cyber risks across the entire energy supply chain, improve the protection of energy systems and limit any possible domino effects that might be caused by a failure in one element of the value chain,” said Jeroen van der Veer, Executive Chair of the study. “Nevertheless, measures that require supply chain compliance or cross-border cooperation are more difficult to implement, and require increased cross-sector cooperation.”
Earlier this year a report from carried out by Cambridge Centre for Risk Studies in association with Lockheed Martin, warned that an attack on the power grid and water system could cost the country up to £442bn over five years, equivalent to around 2.3 percent of the nation’s total GDP.
And in the summer new malware was discovered by FireEye Labs that targets industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.
Prior to that in April a German nuclear power plant in Bavaria admitted that its systems were riddled with malware, and the plant was shut down as a precaution.
In 2015 a hacker managed to hack into the systems of a nuclear power plant in South Korea. A computer worm was later discovered in a device connected to the control system, but the plant operator insisted that the breach had not reached the reactor controls itself.
The hacker later posted files from the hack online, and included a demand for money.
A German steelworks also suffered “massive damage” after a cyber attack on its computer network in late 2014.
Are you a security pro? Try our quiz!