THE BLOG

Energy Firm Cyber-defence Too Weak

04/03/2014 09:21 GMT | Updated 03/05/2014 10:59 BST

Underwriters at Lloyd's of London reportedly told the BBC last week that power companies are being refused insurance cover for cyber attacks as their defences are considered too weak.

The insurance is designed to help them rebuild their networks if they were damaged in a cyber attack.

Assessors for the famous insurer look at the steps firms take to keep attackers away, how they ensure software is kept up to date and how they oversee networks that often span the globe.

Unfortunately, after such checks were carried out, the majority of applicants were turned away because their cyber-defences were lacking, Lloyds reports.

But why are these critical infrastructure companies failing these tests? After all most of these large organizations are serious about cybersecurity. They run specialized departments tasked with protecting two key networks: data center (servers) and office automation (workstations).

The answer is that while these networks are essential for supporting the business processes throughout the organization; there is also a "third network," the process control network, which yet to receive the same level of attention.

Often referred to as SCADA (supervisory control and data acquisition) networks due to their association with industrial processes, these networks connect equipment rather than computers and support systems rather than people. In sectors such as utilities, transportation, logistics, manufacturing and pharmaceuticals, these networks are critical to the operation of the organization. In utilities, they are so important as to be considered part of the national critical infrastructure. In logistics, they route millions of parcels a day. But in other companies this network operates behind the scenes, quietly mediating access to buildings, controlling heating and ventilation, elevators and data center cooling.

SCADA networks are the most unprotected networks of all and now cyber-criminals have them in their sights. If they get access, the consequences for many organizations, their customers and perhaps the population at large, could be extremely damaging.

What makes these networks so vulnerable is a number of factors:

• Attackers are more sophisticated and professional. They are well motivated and resourced and looking to access networks stealthily and remain unobserved

• Networks are more connected than ever as the business hungers for data to derive decision making and suppliers Internet-enable everything to drive down costs and increase customer retention

• Process control networks are often - wrongly - considered inherently safe and often do not, or cannot include cybersecurity basics like patching

• The SCADA network is often 'invisible' and lacks the attention and investment of more obvious networks

• In many companies a different team manages the process control network while the IT department runs the other networks. This can present different priorities and processes

Given the typical separation of duties, when considering cybersecurity solutions organizations should shift their "IT security" mindset to account for the unique requirements and priorities of process control engineers charged with managing the SCADA network. First, security tools should not interfere with closed loop processes that could pose a risk to control. Second, availability/uptime is the most important goal of the network. Third, regular password change policies could endanger a plant, locking engineers out of a system. And, fourth, cybersecurity tools that require direct Internet access are not viable--many control networks are tightly firewalled or even isolated from the Internet.

Overall its important that power companies and other businesses which form part of the critical infrastructure of the UK and the world, recognise that cybersecurity is one of their highest priorities. The cybersecurity landscape has changed and today they face attacks from well-organised and resourced professional groups who are no longer looking to show off to their mates. This is a serious criminal enterprise for them and we, as cyber defenders need to be equally professional in defending against them.

After all the stakes are very high, failure will be damaging for the company itself; but if a cyber attack takes down the power supply for London or some other major centre, the consequences for all of us could be far more serious.