
Preparing for tomorrow’s challenges

Cyber-security and resilience are watchwords for every organisation, but how are utilities approaching the increasing threat and what do they consider the greatest risks of tomorrow? Industry experts gathered for a roundtable to discuss concerns and share best practice.

It was just days before the country finally found itself locked in the full grip of the Coronavirus emergency when a group of cyber experts from across the utilities industry and beyond sat down to talk about the importance of security and resilience for critical national service providers.

The delegates at the Utility Week roundtable, sponsored by Leonardo and Darktrace, included senior players with the daunting responsibility of keeping the country’s power and water sectors operating, both in business-as-usual periods of “peace time”, as they called it, and during “war time” periods of a heightened state of alert.

While all had varying remits when it came to their organisations’ operational technology (OT) and information technology (IT) systems, there was consensus that growing a better cyber awareness culture within utilities was now becoming imperative.

They also agreed that IT and OT security functions were converging, and that changing mindsets across companies’ “carpeted” and “uncarpeted” environments was critical to meeting developing demands.

Fast-forward just two weeks and those words feel more timely than ever, as increasing numbers of people work remotely due to COVID-19 and staff absences at site locations rise. The pandemic will be a huge test of the cyber resilience of every company, and not least of utilities, as lifeline service providers.

On the agenda:

The Utility Week roundtable on cyber-security and resilience, sponsored by both Leonardo and Darktrace, featured a range of delegates from the utilities and IT space, who focused on three key agenda areas:

• Creating cyber-awareness in the organisation

• Maintaining trust after a breach

• Preparing for tomorrow’s risks

The discussion was conducted under the Chatham House Rule.


How do you create a culture of cyber awareness?

Being proactive is key to the awareness message, agreed delegates: involving all teams, sharing knowledge of connected systems and nurturing cyber security champions. While digital transformation offers a myriad of technology possibilities, securing the integrity of systems is an increasing challenge as safety-critical environments become ever more open.

Achieving buy-in from the board on culture is key. “While it can be fairly easy to reveal the technology solutions that may produce, mitigate or avoid a certain risk,” said one delegate, “often the process-based risks around people are not captured on a risk register. Getting a board to invest in something where you can’t tangibly articulate how it’s going to affect certain risk is very difficult. But it has to be done.”

The growth of regulation and governance in the sector is helping to drive the corporate acceptance of a need to elevate standards – although the experience around the table was that this didn’t necessarily mean that managers could simply ask the board for more money to help.

So, taking the workforce with you by helping them contextualise the policy within their business as usual (BAU) activity, although a simple approach, could be a game-changing solution. “Too often, this isn’t the case, though,” the delegate added. “We just set a mandate from a centralised authority that people feel disconnected from. Often, non-conformance then becomes the everyday activity and then that drives board culture again.”

But many of the delegates agreed that the strong health and safety ethos that already exists within many utilities could be an advantage when it comes to embedding a cyber awareness culture. “All cultural shifts take a little bit of prodding,” said another guest. “But it’s a bit like the ‘hard hat’ culture – eventually people come to know it’s the right thing to do.”

Getting employees to tell their stories was another technique shared, something often used in health and safety training to explain the consequences for others of wrong behaviours. “In terms of a cyber security scenario, then, could we ask the person who clicked on that malware message to say why they did it? Why they were lax?” asked one delegate. “And to share how they now understood it could have taken out productivity for an amount of time? Yes, possibly.”

Some delegates felt that a huge driver for organisational cyber awareness could be the chief executive going to prison for a major breach. “You’d find it taken a lot more seriously then.”

But cyber security throws up challenges more complex than health and safety, argued another speaker. “If someone leaves a door open and a fire starts, the attribution is proven easily. Whereas an administrator in a carpeted environment leaving a Post-it Note with coded credentials around is a harder matter to prove.”

Making this feel real to senior management can be helped by showing how cyber security is linked to organisational resilience, suggested one operator, “putting cyber security and resilience together”.

“Regulator Ofgem talks about our ‘cyber resilience plans’. It [resilience] is starting to come closer to cyber – and it’s the organisation’s resilience ultimately. That’s how you can get buy-in.”

Running an executive ‘cyber media response plan exercise’ proved a real eye-opener for one company’s culture, the forum heard. A couple of security alerts were quickly escalated, followed by an announcement on the company’s website that it had been hit by ransomware. Staff then had to field media questions, such as whether vulnerable people were going to be warm that night. “The fact they could not answer the questions they thought they could, really drove the message home. It was an incredibly useful tool.”

It’s important, though, to use such visualisation in a positive way, said another. “For licensed, regulated companies it can show how justifiable, recoverable investment in our infrastructure is a benefit to our business, helping us manage our risks, and new and emerging risks.”

Another speaker added: “In this day and age I’d be surprised if utilities in any shape or form didn’t understand cyber controls must be in place. And I’d be very surprised if budget wasn’t available. It’s just about working out where the money is best spent.”

While a lot of the emphasis is on what utilities do with technology, the respond-and-recover part of the operation can be where the most cultural gains are made.

“All you need to do is to bring people together, to improve, to do the exercises. So, for example we’ve ridden the wave of the Coronavirus so far [for three days at that stage] because we have this preparedness. And in a heightened state of alert we do more things with cyber – so it promotes what readiness there is.”

You also discover which people genuinely need access to systems and those who don’t – and may never have it again, added another guest. “As with the Coronavirus, you find out where your resilience is. What you need to do in addition, net new, to BAU.”

Bringing OT and IT together, although retaining some form of separation, was how various speakers saw new cyber cultures in utilities panning out – and several were experiencing this already in their organisations.

“We don’t just align, we integrate,” said one. “The risk management is tied up with the things that both OT and IT are doing – so preparing people, safety, the environment, asset and reputation. My [OT] risk assessment is tied up with theirs [IT]. We’re not selling a purely cyber message; we’re selling a cyber and safety message. Because the whole security function has got responsibility for physical and cyber.”

As the journey towards a smart grid continues, we will see even more converging of those two worlds, predicted one guest. “There will be a lot of insights coming in. Security in isolation will just no longer be sustainable.”

But a cautionary note was also sounded: ensure important operational intel is not lost. “I’m often worried that if we take too much of an IT-centric view on how to secure these things, we can end up with the wrong solutions in place, and that can be expensive.

“Engineers are the best people to know how these things can be breached. You can’t make any of these big IT moves in isolation.”

So, having a completely converged OT/IT ‘mono-culture’ was not viewed as the answer by the roundtable delegates. There is still a need for specialist tools, although there could be a common platform – “a converged, protective layer that supported and allowed two different cultures”.

The major cultural challenge for us all, added another speaker, as these functions meet and the space looks very different from what it is today, is how to bring together two worlds that don’t naturally overlap. “How do we start to see the harmonisation of that skill-set for what you need from a manufacturing and IT perspective?”

Maintaining trust after a breach?

Making decisions during an incident, and afterwards, that are “correct and adequate” was an essential response put forward, as was ensuring that you maintain the trust of your board.

“It’s not just about the business, it’s about how you personally manage the crisis, how you communicate it and ensure everyone has bought in. That’s also the best way to manage customer trust.”

“It’s also critical to ensure that the comms you are receiving are from the right person, and that the message hasn’t been changed,” was another piece of advice shared.

“How you access an organisation in a crisis speaks volumes,” said a fellow speaker. “Being overt and out there. Saying this is what’s happened and we recognise it. Plus, practise the comms, and know who is going to say what and when in any scenario.”

Maintaining trust is also about having the confidence to say I don’t know, said another. “I think it’s entirely reasonable for a CEO not to know the answers to tech questions. And I do worry sometimes that leaders are too confident; it can come across as unauthentic, not transparent.”

“Own the narrative and get the message out there that you want to get out,” advised another.

Solid, trusted industry information-sharing can also help, agreed the group, which thought that perhaps it was now time to build on existing mechanisms.

The two different worlds of OT and IT can actually be an advantage in a breach situation, said one speaker. “There are different things you need to do to attack them. And in an OT world there can be security through antiquity, diversity and obscurity. This can allow more time to react to a threat.”

Understanding the risks and defining your risk tolerance for the way you want to operate is another key consideration. “In the absence of limitless resources,” explained one speaker, “there comes a point where you say we can’t try to protect against that. It goes above and beyond what we’re capable of. So, we say we can protect and respond up to this level.”

Protecting against the risks of tomorrow

“Threat modelling is the future if you are to really understand the cyber risks to your organisation,” said one speaker. Knowing how adaptable your technology is also helps, although this was not proposed as a sustainable solution in the long term.

Another speaker spoke of how his company had helped build an alliance with key stakeholders, to collaborate on connecting systems and see just what a good future could look like.

A key question considered by the group was how could you “virtualise” a PLC? “Could it help rebuild systems quicker in an attack scenario,” asked one delegate, “if you could get another control room off the shelf? When you look at some of the scalable technology, could something be done in this space in the future?

“I think the cloud has got a role to play, although you are still going to have physical equipment at physical locations. But shouldn’t you have the situation where a back-up control system is being replicated to the cloud in real-time?”

“I think we can say with confidence the only way is cloud,” a fellow speaker responded. Another added: “In terms of centralising data lakes – that’s the cloud, because the resources are there for that. But I think with the advent of fog computing, we become more efficient with use of network and therefore less vulnerable to attack.”

Protecting against the “accidental insider” will continue to pose risks, agreed the forum, although processes to help stop non-subversive employees making mistakes will likely become more robust as malicious external forces increasingly try to exploit human error – another key reason for growing cyber awareness. We can also expect to see monitoring of privileges and retrospective checking stepped up.

Decentralisation of the energy system will also bring the need for stronger monitoring capabilities in the future.

“If you have commonality, then that can be compromised. We will need to know more about what’s going to be outside of our direct control, but what we will begin to rely upon because it has critical mass penetration,” said one provider.

“Tomorrow’s threats are going to be low-cost commodity hardware in the IoT space,” said another guest. “Tens of thousands of them. They are going to be in every home and very accessible to the outside world. A big question will be, how can we ensure these things are secure?”

All of us care about our environmental, social and governance obligations, said another. “We need to be making sure that we, or those we are partnering with, deliver products into the home that are doing the right thing. That credentials are unique to each device. It could in fact become a positive selling point.”

Brexit was another concern raised. “When we embark on new trade relationships with other countries, does the security of those nations and their threats become ours?” asked one delegate. “Do they become the back door to the UK?”

Certainly, international information-sharing was seen as a really interesting challenge ahead, and whether the UK will be well placed to withstand threats from other countries with hostile intentions.

Another, quieter, threat mentioned was the general apathy around cyber – and whether this was going to pose a real risk as more and more data is shared.

There was also nervousness around supply chain practices and behaviours. “Should we have something in procurement legislation that forces us to do things to protect against this more?” asked one. “There are things that feel inherently risky, but procurement law currently stops us from doing anything about that.”

A cultural approach to cyber-security

Cyber-resilience needs to be embedded within a utility’s organisation.

Opinion: Scott Bartlett, Cyber security head of practice, Leonardo

UK utility companies face numerous challenges, including increased operating costs, a competitive market and a volatile economic environment.

One way in which firms are responding is to connect previously segregated operational networks into their corporate IT, supported by sensory information technology. This has clear benefits, such as improved efficiency and the ability to provide better information to customers. However, increased convergence also brings with it an increased threat of hostile cyber-attack, undermining efforts to provide better quality services and presenting additional reputational risks.

To mitigate this threat, many companies are investing strategically to embed cyber-secure thinking into their organisational cultures. Employees are still the most common targets for cyber-attackers trying to gain access to a firm’s network, so it’s important that they are made aware of threats, beyond phishing campaigns, and are able to recognise suspicious activity in their daily lives.

A key enabling factor in developing this culture is to provide a facility for anonymous reporting, so that incidents can be reported and assessed without employees automatically feeling that they are to blame. Companies are also asking staff, in a structured format, to share experiences of cyber-incidents they have been involved in and how they were supported throughout. There is evidence that these approaches can transform culture by empowering employees with the confidence to report issues and incidents.

Safety regulations have also been a key driver in developing a culture of incident detection and reporting. Following major cyber-attacks on power distribution, such as that seen in Ukraine, UK utility companies are harmonising best practices to minimise the effects of security breaches on safety.

This requires companies to undertake an impact analysis, looking at the systemic flow of a cyber-incident. How could an attack result in harm, if no further controls were implemented? Keeping up to date and modelling prevalent threats is fundamental for assessing safety and security risks to employees and consumers, as well as establishing the likely targets and points of weakness across operational technology and information technology estates.

The goal of any utilities company in the event of a cyber-breach is to return to normal operations with minimal disruption. To ensure this is possible, it is important that firms invest time and effort in building operational resilience. If an organisation can maintain trust in the integrity of system output data on the status and health of the network and rely on well-practised response and recovery plans, the impact of an attack can be kept to a minimum.