Standard content for Members only

To continue reading this article, please login to your Utility Week account, Start 14 day trial or Become a member.

If your organisation already has a corporate membership and you haven’t activated it simply follow the register link below. Check here.

Become a member

Start 14 day trial

Login Register

Cybersecurity: Can you trust utilities with your data?

With utilities in the spotlight and the energy industry the UK's most targeted sector last year, Nigel Thorpe, technical director at SecureAge, looks at why there needs to be a rethink about protecting personal data. He says companies should move away from a traditional 'castle and moat' approach and instead implement full data encryption to ensure it is protected at all times.

Utility companies are under pressure. But it’s not just about staying afloat and keeping the lights on and the fires burning. Companies are constantly being targeted by cyber criminals. In recent attacks, the BlackCat ransomware gang has claimed responsibility for hacking Creos, a gas and electricity supplier in Luxembourg. BlackCat claimed to have stolen 150Gb of data from parent company Encevo, including company contracts, agreements, passports, bills and emails threatened to publish it. BlackCat, is thought by the FBI to be linked to the DarkSide group based mainly in Russia and responsible for the infamous Colonial Pipeline hack in the US.

This latest attack reflects a growing trend. The UK’s energy sector was the target of 24% of all cybersecurity incidents in the country in 2021, according to research from IBM Security. This makes the energy sector the most targeted industry, followed by the manufacturing and financial services sectors. This should not be surprising considering the large amounts of data energy companies hold on their customers – from personal identification data to credit card and bank account details. And at a time when every little counts, on average, the cost of a data breach in the energy sector rose by 10% from 2020 to 2021 according to the 17th annual Cost of a Data Breach Report.

If you thought that there was a vendetta against fossil fuel providers, you would be wrong. In 2019, the Department of Energy reported that threat actors had breached the web portal firewall of a solar power utility, causing operators to lose visibility for parts of the grid for 10 hours. Devices such as solar photovoltaic inverters that connect to the internet to help manage the grid can also become targets.

When it comes to method of attack, social engineering, system intrusion and web application attacks made up 98% of energy data breaches in 2021, according to Cost of a Data Breach Report 2022 | IBM  Social engineering or phishing, attacks were the most common, although ransomware attacks continue to be a threat for the sector.

Whose data is it anyway?

In the UK, more than two million people have already been affected by energy suppliers going bust after the price of buying gas on wholesale markets surged. Over twenty smaller firms have already folded, while firms such as Bulb – Britain’s seventh largest energy supplier – is in special administration. This makes it more difficult to know who has our data as customers, where it resides, who is responsible for it – and how safe it is.

The threats to data have been compounded further by the rapid increase in energy prices as cyber criminals exploit real anxiety by offering fake refunds or better energy deals. When consumer champions Which? asked police fraud reporting unit Action Fraud about energy-related scams, it revealed crime reports that mentioned one of the ‘big six’ energy suppliers rose 10% in the first quarter of this year compared with the same period last year.

Time to focus on the data

The traditional way to mitigate these risks and protect data and systems is to try to stop the cyber criminals getting in. This means identifying and then blocking malicious activities using anti-virus software and new techniques such as threat intelligence centres, endpoint telemetry, zero-trust and user behaviour analysis. But cybercriminals have a habit of being one step ahead and while anti-malware vendors try to keep up, mainstream security is always one step behind. And regardless of the layers of defence, a compromised user account will pass all these tests, granting the ‘authorised’ user easy access to data, which can be extracted and then stolen by copying it externally.

An alternative approach is to protect the data itself at source by encrypting the data. Full disk encryption is frequently used for this as it encrypts your device. While this is fine if you lose your laptop or USB stick, on a running system it will hand over decrypted data to every process that asks for it. And as cybercriminals can only steal data from running systems, full disk encryption cannot prevent this theft.

The answer is to encrypt all your data, all the time. But to work, full data encryption must be just as transparent and as easy to use and data needs to be encrypted at rest, in transit and in use, no matter where it gets copied – including when it is stolen. This way, if cybercriminals steal data, it is useless to them, as they are unable to decrypt it – reverse ransomware you might say. After all, you can’t demand a ransom for data that is already encrypted.

This approach also avoids the cost and hassle of deciding if data is sensitive or not. Rather than categorising data into different levels of sensitivity and treating them differently, all data is treated as sensitive. With the technology and processing power available today, encrypting everything at file level is a seamless and affordable way to protect data.

It’s time we recognised that the traditional ‘castle and moat’ approach to cyber security is not going to stop determined cyber criminals and with an energy sector in turmoil, it will remain a key target.  Security is most effective when it is applied as close to the source as possible and you can’t get closer than the data itself.