Busting the Cybersecurity Myths in the Energy Sector

Energy is part of the UK’s critical national infrastructure (CNI) and the role of protecting it is led by the Centre for the Protection of the National Infrastructure (CPNI). The threats posed by nation-states are the ones that often make the headlines and rightly so, as the impact on our everyday lives from a cyber-attack on the CNI could be hugely damaging. However, it’s not just the CNI on the frontline, but every single electricity or gas supplier .

According to a report by Accenture , 63% of utility directors from around the world believe that the country they operate in faces a moderate risk of energy supply disruption from a cyber-attack. Electricity and gas suppliers are often vulnerable because they are so many interconnected parts and that the infrastructure, they rely on is often required to operate for up to a decade, so the technological systems are often upgraded infrequently.

There are many myths surrounding cybersecurity that are in part unhelpfully created by the security industry itself and the way it’s often reported in the media. One of the most harmful consequences of this is that business’s fall into a false sense of security , that they will never be a target either because they regard themselves as ‘too small’ or falsely believe that they have nothing of interest to a hacker.

It doesn’t matter how large you are or what products you sell, you are a target . If you have something to sell or process data, then you have something to steal. Hacking by hand is increasingly less common due to the rise of readily available Exploit Kits and cybercrime as a service.

Most of the users of these services aren’t geniuses or making millions from hacking big corporations. In many instances, they’re just people with minimal technical knowledge. They use Exploit Kits and rented attack services at random in the hopes of getting lucky by making some cash from as many victims as possible. They can scan huge numbers of connected devices and servers as they seek a vulnerability that they can exploit .

Most cybercriminals are opportunistic creatures seeking an easy score. Of course, some are more persistent and capable, but If you make yourself an easy target then it’s a certainty that you will become another statistic.

Another common myth is that cybersecurity is prohibitively expensive, it doesn’t have to be. Before you go splashing the cash on the latest shiny product that promises to solve all your security problems (there isn’t one) there are a few basic steps you can put into practice.

Here are a few steps to take:

· Patching – ensure you download and install the latest security patches when they’re released. A huge number of cyberattacks rely on businesses not having the latest patches installed.

· Cybersecurity awareness training for employees – cybersecurity isn’t just the responsibility of the IT department. As most cyber incidents begin through phishing emails , imagine if employees are trained and aware of what they look like. Instead of opening them and potentially compromising the organisation they’ll delete them; voila the threat has been eliminated.

· Keep your antivirus up to date – new variants and strains of malicious software (malware) are created every day, by ensuring your antivirus is kept up to date you will be protected from the latest versions.

· Backup your data – 2019 has seen a huge rise in Ransomware (malware that encrypts data and holds it hostage), to avoid disruption from this you should ensure you regularly backup your data.

· Plan – Do you know how to respond to a cyberattack? Making an incidence response plan is a vital component of being able to respond quickly and with the least amount of disruption. Regular drills and exercises will mean your business will know what to do should the worst happen.

There’s some excellent advice provided by the NCSC - https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps

Demonstrating that you take cybersecurity seriously can be a deciding as to whether a potential customer may use your services or not. There are a few ways you can demonstrate that you take data protection seriously.

Being able to prove that your business protects customer data is becoming more important by the day and could even be the deciding factor as to whether they use your services or not.

Fortunately, there are a few ways your business can show that you take data protection seriously.

ISO27001

Often regarded as the gold standard for information security processes, in line with international best practice and is suitable for businesses of all sizes and types.

Since 2009, ISO27001 certification has jumped by 450% and is recognised globally as the benchmark for good security practices. The process for becoming certified can be a long one, but by achieving certification your business will build good evidence towards demonstrating compliance with many laws such as GDPR .

Cyber Essentials

By obtaining a Cyber Essentials your business can demonstrate to your customers and partners that you are committed to protecting their data. Cyber Essentials focuses on five technical controls. These are:

• Firewalls - ensure that only safe and necessary network services can be accessed from the Internet.
• Secure configuration - ensuring that systems are configured in the most secure way for the needs of the organisation.
• User access control - ensuring only those who should have access to systems to have access and at the appropriate level.
• Malware protection - restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data.
• Patch management - ensure that devices and software are not vulnerable to known security issues for which fixes are available.

Having the Cyber Essentials badge on your website and documentation can make you stand out from your competitors and provides reassurance to customers that you’re serious about tackling cyber risks and gives your partners confidence that their data is in safe hands. This is particularly useful if you store personal information such as financial information or if you host commercially sensitive data.

Here at Dyball Associates we take cybersecurity very seriously and implement several different measures on top of the traditional 'anti-virus' technologies and patch management. We use Cisco Duo 2-factor authentication for all external access to our network. This includes both employees accessing our network and customers accessing our hosting platform.

Our entire network is protected by Cisco Umbrella which protects against malicious websites, malware and phishing attacks by blocking threats at the DNS layer. The use of Cisco Umbrella also ensures that assets are protected even when they are off our network, remote workers for instance.

All employees at Dyball Associates use secure encrypted password vaults to store credentials to ensure that passwords are not stored in cleartext. We work on a 'least privilege' approach with regards to network access to ensure that employees only have access to the systems and networks/services that are required to carry out their roles within the company.

We believe that these measures combined with traditional best practices enable us to be fully prepared against modern cyber threats.

___

For more information on how to start and manage an energy company, get in touch with Dyball Associates today.

Follow us on Twitter and LinkedIn to keep up to date with the latest news and updates in the energy industry.