One of the many interesting interviews I got to conduct while at European Utility Week was with Emil Gurevitch and Jon Wells, speaking on behalf of the OSGP Alliance.
The discussion considered the role of GDPR within the DSO sector, but also examined the responses to cybersecurity by DSOs. Of particular interest was the increased visibility of and importance being given to certification in the utility sector. It would indicate the desire to establish a baseline of security best practise within the sector and establish rules and frameworks within which to work. The only challenge, as Gurevitch says, is that “attackers don’t play by the rules.”
Certification is a snapshot of a particular point in time but is not a panacea for all cybersecurity ills. As with so many elements of the security game, it is only one tool on a far bigger chessboard.
As the number of sensors and other communicating devices added to the grid increase, it is vital that DSOs are cognisant of the need to secure new technologies and their interactions with the grid.
This is a view that has been supported by Joachim Schneider, Chief Technology and Operations Officer of the Grid & Infrastructure of Innogy SE. Schneider is a big proponent of incorporation of security by design, saying: “Security has to be seen as an important part of every smart grid project.”
Never was this need better illustrated than in August when researchers in Silicon Valley released information that a number of utilities in the United States had been targeted by hackers.
Over the weekend, the Wall Street Journal reported that these utilities were all “located near dams, locks and other critical infrastructure.” The newspaper went on to identify some of the 11 utilities targeted as Cloverland Electric Cooperative, Klickitat Public Utility District and Basin Electric Power Cooperative. Each, while small, plays a vital role in the facilitation of electricity transportation or distribution, connecting eastern and western grids, or facilitating the transportation of power from Washington State to California.
Many of the utilities identified deny having been hacked but admit they may have been targeted.
By some accounts, up to 63% of users are suffering from a sense of security fatigue. Security fatigue is a psychological sense of weariness, hopelessness and frustration brought about by the constant need to be alert to security threats - all of which can result in a reluctance to deal with computer security, poor security practices and risky behaviour. Research conducted by NIST brought a very interesting point to the fore. Many of the participants to the research wondered why they would be of interest to anyone – considering themselves not important enough to be targeted.
As with so many of these types of attacks – the initial foothold in the above-mentioned attacks were through phishing emails. One of these claimed to contain information about licensing exams for the US National Council for Examiners for Engineering and Surveying. What was perhaps the most concerning is that these emails were sent to very specific people, indicating a high level of research by the hackers.
As the year draws to a close, it is a worthwhile time to re-evaluate your year and consider whether your security planning and staff training are keeping up with the ever-changing tactics of hackers? In particular, how are you dealing with the very real issue of ‘security fatigue’ among your employees?
Have you been subject to security fatigue within your utility? Do you have a specific strategy for enabling better security within your organisation that takes into account that users don’t want to have to be on high alert at all times? We’d love to hear from you.
Share your thoughts with us: firstname.lastname@example.org
Wishing you a secure week!