Protecting energy networks from cyberattacks

In an age of digital connectivity, energy networks are increasingly vulnerable to crippling cyberattacks by criminals, rogue hackers or hostile states

For most of us, cybersecurity might call to mind one-off irritating computer bugs, struggling to remember online passwords or a teen hacker operating out of a suburban bedroom. For governments and corporations, however, understanding how to prevent and counter attacks on computer systems and data is now key to national, and international, security.

Attacks are becoming more frequent and more costly on both an economic and human scale. The May 2017 WannaCry attack infected computer systems in 150 countries, exposing the online security weaknesses of major institutions around the globe. In the UK, the health service was hit, with an estimated 19,494 appointments cancelled and ambulances diverted, according to NHS England.

The energy industry did not escape harm either. Indian power utility West Bengal State Electricity Distribution Company, which has 17.8 million energy customers, found the malicious software had spread across its computers, leaving employees unable to access company data unless a ransom was paid.

Now cybersecurity is the top security issue for most energy companies, together with the economy and national disasters

Leo Simonovich, global head of cybersecurity at Europe’s biggest electronics business Siemens, says the effect of WannaCry on the global energy industry has been profound. “It brought cybersecurity to the boardroom level,” he says. “Now it’s the top security issue for most energy companies, together with the economy and national disasters.”

Mr Simonovich adds that in 2018 energy looks set to be the most attacked infrastructure sector. But what makes the industry a particular focus for hackers? He posits that in both developed and developing countries, it is an industry with ageing, yet still essential, power plants, pipelines, substations, storage units and transmission cables. Many of these are “assets that have not been maintained, patched and hardened” to protect against digital threats.

Cyberattacks on energy assets can also be used as an act of warfare. Power is needed by everyone, and so attacks and subsequent energy outages can bring entire cities to their knees. In Ukraine, for example, a December 2016 cyberattack on the power grid saw parts of the capital Kiev experience a blackout.

Mr Simonovich says the scale and complexity of cybersecurity threats make it hard for energy companies to get to grips with the issue. “Many of them want to address it; they just don’t know where to start,” he says. “We also have a global shortage of skills to address the new internet of things (IoT) environment.”

The IoT is of great significance to the energy sector, and a key reason why energy companies and citizens alike must take cybersecurity seriously. Simply put, the IoT refers to the vast web of physical objects with built-in internet and electronic connectivity, which can send and receive data.

The energy industry is a major element of the IoT ecosystem. Globally, utilities are expected to spend $73 billion on the IoT in 2018, according to the International Data Corporation, with spending focused on smart grids for electricity, gas and water, which use digital data to react to fluctuations in usage and demand. Within homes, smart devices and apps, which allow a user to control their home’s energy consumption via the internet, are also expected to multiply.

So how do we prevent attacks on such energy infrastructure, both large and small? Governments and industry need to work together to create some basic international cybersecurity standards, says Eva Schulz-Kamm, Siemens’ head of global government affairs. Some countries, such as Canada, are already drafting fresh legislation and, as of May 2018, the UK government will fine organisations up to £17 million if they do not have effective cybersecurity measures in place.

Ms Schulz-Kamm wants governments to go further, and is lobbying for the European Commission to work with the United States and other superpowers to create global cybersecurity standards. “If we set out basic international rules, companies will begin to innovate in cybersecurity to meet them,” she says. “These businesses will start to compete with each other, creating a whole industry and jobs. It will help build trust in the internet of things, too.”

Cybersecurity must evolve and adapt as quickly as the malicious software it is supposed to prevent. But when it comes to securing the data and online operations of government, businesses and citizens, it seems there is still plenty of work to do in 2018. “If there are still vulnerabilities in cybersecurity where a 12 year old could feasibly disrupt a power plant, there’s something wrong,” Ms Schulz-Kamm concludes.