Protecting Energy and Utility Companies from DDoS Attacks

Lorna Fimia

Protecting UK energy and utility companies from cyber and distributed denial of service (DDoS) attacks is a top priority for the government. Organizations responsible for critical national infrastructure have become a prime target for denial-of-service events; a DDoS attack is designed to overwhelm networks with bogus traffic and has the potential to cause massive utility outages and service disruption.

Indeed, a sustained failure of the electricity grid has the potential to provoke devastating outcomes. From transportation, to health and human and services, to food security, virtually every infrastructure is dependent on the grid.


Cyberattacks in industrial control systems

A recent international study by Accenture, surveying 100 utility executives from 20 different countries, shows that although successful cyberattacks are relatively “rare”, they still pose a serious concern:

  • 57% of utility executives are concerned that a cyberattack could interrupt the supply of electric power.
  • 63% think their country faces at least a moderate risk of having its electricity supply interrupted by a cyberattack at some point in the next five years.
  • Only 39% claim they “maintain resilience readiness”, meaning that well over half of utility leaders think their organizations may have difficulty rebounding from an event such as a DDoS attack.

As far back as 2013, security researchers were identifying significant vulnerabilities in power grids that allowed a remote hacker to seize control of industrial control systems, while Ukraine became one of the first countries to see the physical results of such attacks in 2016, when a blackout across western Ukraine was caused by malware called “BlackEnergy”.

In July last year, leaked reports from the UK’s National Cyber Security Centre (NCSC) suggested that hackers had already penetrated the UK’s energy supply chain, stating:

“We are aware of reports of malicious cyber-activity targeting the energy sector around the globe … We are liaising with our counterparts to better understand the threat and continue to manage any risks to the UK.”

“As we have seen from numerous cyber security incidents these systems can be an attractive target for malicious actors, and they can also be susceptible to disruption through single points of failure. Incidents affecting any of these systems could cause significant damage to the UK’s infrastructure, economy, or result in substantial financial losses. The magnitude, frequency and impact of network and information system security incidents is increasing. Events such as the 2017 WannaCry ransomware attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have.”

National Cyber Security Guidance (as at June 2019)

The threat of IoT in the utilities sector

The connectivity brought about by the rise in Internet of Things (IoT) has improved how power distribution is managed but comes at a significant cost. IoT is enabling a more flexible and efficient energy grid, but as operating systems have become increasingly connected to the Internet, the potential attack surface has also increased.

Distribution utilities are increasingly exposed by the number of web-connected domestic devices – such as connected home hubs, solar panels and meters. The industry has an ambitious target for smart meters to be installed in every home by the end of 2020 – in order to automate meter readings.

Connected devices and IoT pose a new threat to the energy sector

Connected devices can be recruited to form a botnet, and then utilised to launch a malicious denial of service attack. DDoS attacks represent a serious challenge for the sector – even a short period of downtime can significantly impact the delivery of essential services. Furthermore, a sustained failure of the energy grid could also have devastating consequences for other vital infrastructure services dependent on it.

Despite the significant risks involved, there seems to be a culture of complacency within some critical national infrastructure (CNI) organizations. This is likely a result of the way in which public utilities were set up: with industrial control systems segregated from other computers and network devices, and therefore considered immune from cyber and DDoS attacks.

But it’s not all bad news. Distribution businesses are well-versed at delivering reliable power in the face of storms, asset failures and accidents. Building cybersecurity resilience at the heart of the smart grid is now the biggest challenge facing operators of essential services.

Infrastructure Service Provider fines to be imposed

The UK government plans to issue fines of up to £17m to infrastructure service providers, including public utility companies, that fail to protect against cyberattacks on their networks.

It is also clear that under the EU NIS Directive, ‘Operators of Essential Services’ have a responsibility to drive compliance into their supply chain. The guidance states that there should be confidence that the security principles are met, regardless of whether an organisation or third party delivers the service.

The EU Directive on the security of Network and Information Systems (NIS) was approved in August 2016, giving Member States 21 months to embed the Directive into their respective national laws. The government laid new regulations on the Security of Network and Information Systems in the Houses of Parliament on 20th April 2018, and the Directive came into force on 10th May 2018.

It is a welcome step to see the UK Government prioritising the issue of cybersecurity resilience amongst the country’s providers of essential services and their supply chain, but how exactly should this be achieved?

We need first to examine the nature of the threat.

Why are DDoS attacks dangerous for public utility and energy companies?

Many organizations mistakenly believe that the most damaging DDoS attacks are purely volumetric assaults. However, DDoS threats are constantly evolving, and many hackers now use them as a smokescreen to launch a more sophisticated attack. Application-layer and DNS-based DDoS attacks can also cause significant outages and may go undetected by security staff and mitigation devices.

Stealth DDoS attacks may be small in volume but can be designed to knock a firewall or Intrusion Prevention System (IPS) offline, paving the way for hackers to infiltrate a network with malware or exfiltrate corporate data. Given that most companies now take more than 190 days to detect a data breach on their networks, this can give attackers a significant head-start for their exploits.
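To make the detection gap concrete, here is an added example (not code from the article or its author): a toy Python detector run over constructed web-server log records, showing that a bandwidth threshold never fires on a low-volume application-layer flood while a per-client request-rate check does. The thresholds, window size and sample addresses are assumptions chosen for illustration.

```python
"""Toy comparison of a volumetric DDoS check against a layer-7 request-rate check.

Added example, not from the original article. All log data below is constructed.
Each record is (timestamp_seconds, client_ip, uri, response_bytes).
"""
from collections import Counter, defaultdict

# Constructed sample: one client (documentation range 203.0.113.0/24) hits a
# search endpoint at 10 req/s for 60 s with small responses, while five
# ordinary clients (198.51.100.0/24) fetch a page every few seconds.
SAMPLE_LOG = (
    [(t / 10, "203.0.113.7", "/search?q=x", 180) for t in range(600)]
    + [(t * 3.0, "198.51.100.%d" % (t % 5), "/index.html", 1200) for t in range(20)]
)


def volumetric_alert(log, window_s, threshold_mbps):
    """Classic volumetric check: flag each window whose average bit rate
    exceeds threshold_mbps. Returns the list of offending window indices."""
    bytes_per_window = defaultdict(int)
    for ts, _ip, _uri, nbytes in log:
        bytes_per_window[int(ts // window_s)] += nbytes
    return [
        w for w, b in sorted(bytes_per_window.items())
        if (b * 8) / (window_s * 1e6) > threshold_mbps
    ]


def app_layer_alert(log, window_s, max_rps_per_client):
    """Layer-7 check: count requests per (window, client) and flag any client
    whose request rate exceeds max_rps_per_client. Returns sorted client IPs."""
    counts = Counter()
    for ts, ip, _uri, _nbytes in log:
        counts[(int(ts // window_s), ip)] += 1
    return sorted({ip for (_w, ip), n in counts.items() if n / window_s > max_rps_per_client})


if __name__ == "__main__":
    # The flood is ~14 kbit/s: far below a 1 Mbit/s volumetric alarm, yet
    # 10 req/s from one client stands out against a 5 req/s per-client limit.
    print("volumetric windows flagged:", volumetric_alert(SAMPLE_LOG, 10, 1.0))
    print("layer-7 clients flagged:   ", app_layer_alert(SAMPLE_LOG, 10, 5))
```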

What can critical national infrastructure (CNI) companies do to protect themselves from DDoS attacks?

To keep up with the growing sophistication of cyberattacks, it’s essential that utility and energy companies maintain comprehensive visibility across their network and deploy detection, mitigation, monitoring and test solutions. Within energy organizations, the responsibility for mitigating DDoS attacks has often fallen to network teams, rather than IT security.

Due to the trend for DDoS attacks to be launched simultaneously with advanced persistent threats (APTs), zero-day attacks and ransomware, it is vital that the CNI network and IT teams work together to stay ahead of any threats. Organizations at any point in the energy supply chain need to take a serious look at their own operating model and risk profile, and take appropriate measures as laid down in the NIST cybersecurity framework.

The technology and associated professional services exist today to help utility and energy sector businesses stay ahead of emerging cyber and DDoS threats. CNI organizations should be deploying always-on DDoS mitigation systems that are regularly tested with attack simulations to ensure complete resilience.

We recommend that organizations refer to the NCSC guidance on DDoS Testing and Monitoring as a great first step. We also recommend that interested parties read our comprehensive case study on a DDoS testing project we conducted for a major public utilities organization.