According to the UK government’s latest survey on cybersecurity breaches, almost half of businesses experienced a breach or attack in the last year.
For three-quarters of the businesses, cybersecurity is reported as a high priority for their senior management, but fewer than one in three have a formal cybersecurity policy in place.
While these figures are not necessarily representative of businesses in Europe or of the utility sector (as a sub-sector of business), they nevertheless point to some of the needs and challenges for cybersecurity in an increasingly smarter and more connected world.
Attacks are not going away but increasing in number, and the need to address them has never been more critical.
“Threats are becoming more diverse, the numbers of threat actors are increasing and they are becoming more professional,” says Anjos Nijk, Managing Director of the European Network for Cybersecurity (ENCS), a member-driven organisation focussed on cybersecurity for energy grids and infrastructure.
Europe’s cybersecurity panorama
In an interview with Engerati, Nijk pointed out some disturbing trends in cybersecurity, such as the ready availability on the web of malware which can be used or adapted to launch attacks and the growing presence of nation states as attackers, with the greater sophistication these can bring.
“There appears to be a continuous development, but most attacks so far are low threshold with little risk for the attackers and few appear to be specifically targeted,” says Nijk. “But they can have unforeseen consequences.”
Recent examples he mentions are the WannaCry and Petya ransomware, which widely targeted computers running Microsoft Windows in 2016 and 2017, and the variant of the latter, NotPetya, which was more narrowly sector targeted and infected utilities among other service providers in Ukraine.
Nijk says that these events have led to a much wider awareness of the need for cybersecurity. At the same time, the advent of the European Union’s Network and Information Systems (NIS) Directive, which was to be transposed into national laws by May 2018, has also helped to elevate awareness of cybersecurity. This directive requires, inter alia, that owners of critical infrastructure, such as utilities, put appropriate cybersecurity measures in place and report on any attacks so that these can then be shared among interested parties within Europe.
Security standards such as the ISO 27000 and IEC 62443 series have also been implemented.
“These are all meaningful things that have been put in place,” he says, adding that further developments are coming, such as the cybersecurity act and a network code for cybersecurity that form part of the Clean Energy Package.
The activities of the ENCS are multi-faceted, and besides serving as a clearing house to share information and knowledge among members, these include testing and training as well as research both in consortia in Europe-wide projects supported under the FP7 and Horizon 2020 programmes and in collaboration with individual members.
As a barometer of priorities for cybersecurity within Europe, Nijk says there are five top issues that ENCS is currently focussing on.
One of these is risk quantification for OT systems and critical infrastructures, as the current methods and data are insufficient to make well founded decisions on investments, he explains.
Another is supply chain security, including creating the right requirements and the question of whether and how to introduce certification for suppliers.
A third is future-proof architectures. Key issues here are the legacy devices in the networks, which were installed in the pre-security era, as well as today’s devices, which will be in the networks for years to come. “Patching is an example of the challenge in this domain and unlike a computer which can be patched unnoticed, for an OT system the process is complicated and even dangerous as pinging it could lead to collapse.”
Fourth is security monitoring, including the intrusion detection and other systems that are required to detect activity in the network or malicious software.
Last but not least is the cyber skills gap. “This is a big issue as the levels of skills required are diverse and are changing rapidly with the emerging technologies. Operators are struggling with what is needed within their organisations and the universities also need to know what is required from them.”
“It’s all about creating practical solutions that can be used by the members,” Nijk comments on these activities.
Recommendations for utilities
While there have been advances at the policy and regulatory levels, a lot still needs to be done at a more practical level to advance cybersecurity, Nijk says. For example, within organisations there needs to be an understanding of roles, and the right skillsets need to be developed.
He says that the two keys for utilities are to learn and to be prepared. “This requires raising awareness and training and implementing the learnings. But it is also about finding ways as an industry to collaborate more effectively to share knowledge of attacks and to resolve the vulnerabilities. Cybersecurity requires a lot of effort, and this is what we aim to do with our members and with the broader industry through organisations such as EDSO for Smart Grids and ENTSO-E.”