It is just months since international infrastructure expert Lord Harris of Haringey was warning in these pages of the vulnerability of power networks to cyber-attack.
As if on cue, renewable energy giant Norsk Hydro suffered a temporary dent to its share price and operations after a ransomware assault in March.
In fact, the attack impacted the firm’s aluminium and extrusion processes most and management switched to manual production where necessary. Share price drops were also rectified speedily.
But there were stoppages, its worldwide network was down and factories isolated. Reuters also reported a preliminary estimate of the impact at between 300-350 million Norwegian kroner (£27-31 million).
Nick Boughton, digital lead at systems integrator Boulting Technology, observes that uncertainty is intrinsic to the process of digitalisation.
“With digital systems designed to monitor our power supplies, traffic flows and personal data, there is a looming feeling that technology is not adequately accompanied by measures to mitigate the risk of attack,” he says.
Referencing a comment in the recent World Economic Forum Global Risk Report 2019, to the effect that the “potential vulnerability of critical technological infrastructure has increasingly become a national security concern”, he points out that increased connectivity potentially provides the means for hackers “to gain access into some of society’s most vital resources”.
While digitalisation may provide the context, the problem is often down to humans rather than systems or tech. Boughton points to the admission by the US government last year that hackers had gained remote access to the control rooms of utility companies. While command centre computers were not directly linked to the web, the attackers used ‘spear-phishing’ emails to make staff visit fake sites, allowing criminals to steal credentials for the corporate networks of suppliers and gain access.
In January, Deloitte polled 500 C-suite executives overseeing cyber security for companies with annual revenue in excess of US$500 million for its Future of Cyber Survey 2019. Asked for their top three concerns regarding cyber threats, while data integrity scored 35% and 31% chose technical vulnerabilities, some 32% cited “actions of well-meaning employees”.
“A USB drive used to apply updates and patches to the computer systems could introduce malware,” points out Glenn Warwick, cyber security consultant at Bridewell Consulting.
“In addition, systems may need to be checked and maintained by third-party engineers who do this by connecting their laptops to the industrial control system (ICS). If they also use their laptop to connect to the internet, then they could inadvertently spread malware from their machine and infect the whole ICS.”
And in the manufacturing environment, he cautions, computers often run permanently under an administrator account due to the nature of industrial applications and supervisory control and data acquisition (SCADA) systems.
“If ransomware is inadvertently introduced, then it can exploit these administrator rights and quickly deliver its payload and objectives throughout the whole system.
“Companies within the manufacturing and energy industries often have both industrial control assets and Windows-based assets in excess of ten years old. This is mainly due to the complexities in upgrading them, but it can leave companies vulnerable to cybersecurity attacks, as their systems can no longer be patched or updated because of discontinued vendor support.”
While enforcing a checklist of procedures will not guarantee an absolute defence, Warwick recommends the following:
- Apply patches and updates where possible to reduce vulnerabilities
- Always use the principle of least privilege for users
- Employ a policy on the use of USB drives
- Use perimeter controls such as a firewall or DMZ to prevent access to the ICS
- Use a data diode to allow data out from the ICS but not in
- Most companies will need to run 24/7 so patch clients and servers offline
- Carry out regular back-ups so systems can be restored in the event of an attack
- Store back-ups off-site and test procedures to restore systems on a periodic basis
Market leaders such as Emerson are raising the security bar with the receipt of an industry first – in the shape of industry consortium ISA Security Compliance Institute’s (ISCI) System Security Assurance Level 1 certification for cyber-security. This was awarded for Emerson’s DeltaV distributed control system used in a variety of sectors including power.
Meanwhile, March saw the formation of the Cyber Readiness for Boards Project, jointly funded by the UK National Cyber Security Centre and the Lloyd’s Register Foundation in order to provide support to businesses.
Renew and risk
Digitalisation is essential for energy companies to realise the twin goals of business efficiency and sustainability via renewable sources, explains Alan Binning, regional sales manager for energy software supplier COPADATA UK. Yet that introduces a greater element of risk.
“Britain’s energy grid has transformed. The integration of renewable energy means the country’s infrastructure must manage energy from various resources, creating a need for industrial automation and control systems to monitor the flow of energy.
“Connecting substations, control panels and generation assets, like individual turbines and solar panels, control systems act as the central nervous system of the grid. However, this surge of connectivity leaves the grid vulnerable.”
There is of course no turning back from the path to greater connectivity and reliance on the ‘clean and green’. Witness Shell’s very public statement of intent to muscle in on the UK domestic gas and electricity supply market and its aim of becoming the world’s biggest electricity company by circa 2030.
Despite a pop aimed at offshore wind giant Ørsted, Shell’s direction parallels one taken already by the former Dong Energy – away from fossil and towards greener energy. And, ultimately, that must be good news for those firms focused on improving grid connectivity and the efficient use of renewables.
Operations solutions provider Cyient is among these. It has embarked on a major project with Britain’s largest electricity distribution network operator, UK Power Networks.
The goal is to automate the process by which UK Power manages its upgrade works and consequent downtime through an outage planning and tracking integration portal – to the benefit of the client and the growing number of local energy generators. The aim is to deliver cost savings of more than £1 million per annum.
Cyient president of utilities and geospatial, and president of EMEA, John Renard, says: “UK Power Networks has listened to what its stakeholders in the distributed energy community have said and responded with this project as a direct solution to their requests. It will give customers the ability to harmonise their plans with the network and ensure greater efficiency on network capacity.
“We are excited to be working with UK Power Networks on this innovative and revolutionary project that will enable utilities to change the way they manage their networks.”
Small wonder that the largest companies are seeking to avoid being tied to one type of energy or one stage of the energy process. Not only are the sources of supply emerging as more varied but the division between supplier and user is blurring.
Sustainable packaging provider DS Smith recently called in energy provider E.ON for the construction of its combined heat and power facility at its Kemsley paper mill in Kent. The aim is energy efficiency, cost reduction and sustainability: the finished facility will aim to achieve a carbon reduction of around 36,000 tonnes per year.
Undoubtedly hyper-local generation represents a democratisation of the energy sector and an opportunity not only for communities but also for businesses to exert control and influence. Yet it does present challenges at macro-economic level in addition to those relating to cyber threats.
Room for a view
A snapshot of the country’s energy mix at midday on 15 April 2019 (MyGrid GB) reveals the largest sources: wind 24.6%, gas 20.4%, solar 20%, nuclear 16.8%, imports 7.5%, biomass 5.9%, coal 3.9%. Fossil may be declining but nuclear costs are skyrocketing, wind and solar depend on nature’s caprice, while import sources and supply look ever more politically uncertain.
The prevalence of renewables provides further momentum to the cause of energy storage and the (interconnected) development of the hydrogen economy. The latter was a highlight at the recent SET awards for innovation in energy transition and climate protection with a win for the German company Enapter for its project aimed at producing hydrogen more cheaply than natural gas.
In the North West, meanwhile, Inovyn is progressing with plans for its government-funded project aimed at producing low carbon hydrogen for heat from energy storage. The region is pushing for the development of a hydrogen cluster that could do for the area what chemicals have done for the Teesside economy. Studies claim a potential £17 billion in gross value added could be created and save one million tonnes of CO2 per annum.
Left to their own devices, the process and manufacturing sectors would inevitably address their future energy needs. Yet they will operate within the architecture of a national energy policy that determines which sources and methods are incentivised and supported. Some direction will need to be forthcoming.