Not one energy supplier has officially reported a cyber-attack to Ofgem despite numerous hacks says Sky News investigation

An investigation carried out by Sky News has shown that not one energy supplier has reported a cyberattack to Ofgem despite a law introduced three years ago obliging them to do so.

The NIS Directive

What’s the issue?

Since the introduction of the law, not a single report of a hacking incident has been successfully made despite numerous successful cyberattacks on energy companies over the last three years by criminal gangs and hostile states.

The main cause for this is that the thresholds used to determine whether an incident is worth reporting is too high, which in turn prevents any reports from being made.

According to the Sky News report, just one energy supplier has tried to file a report with Ofgem, but it was dismissed due to the incident not meeting the threshold required to being reported.

This is an issue as it means that the true extent of the cybersecurity challenges faced by energy suppliers is not being reported and instead many are being swept under the carpet by companies too afraid to publicly disclose a breach.

Ransomware attacks are common with Elexon suffering a major cyberattack last year and only recently Npower was forced to abandon its customer service app after hackers breached it and used it as a way to steal sensitive customer data.

Cyber-attacks on energy companies and electricity systems are a substantial and growing threat, according to the International Energy Agency (IEA).

Also read: Cyberattack forces Npower to permanently withdraw its mobile app

Blind to the threat?

The Sky investigation goes on to say that because of the high thresholds required for a cyber attack to be recorded is leaving Ofgem blind to the true scale of the problem and how energy suppliers are coping.

Currently, the thresholds depend on the impact of the hacks on the continuity of a company’s services, something that doesn’t record the energy sector’s ability to tackle cyber threats.

"Most of the concern around cybersecurity has been focused on operational technology (OT) networks that interact with physical processes and machinery, such as power plant equipment or water treatment facilities. Yet the traditional information technology (IT) networks that involve the flow of data - such as file storage or email - should not be neglected. This is because whilst the impact of malicious activity can be far more severe against OT systems, these attacks typically start out on IT networks. It is therefore vital to consider security across an entire service provider's infrastructure,” said Dr Jamie Collier, a threat intelligence consultant at FireEye.

Also read: Energy Supply companies most vulnerable to cyber-attack says new report

The government will be reviewing the Network & Information Systems Regulations within the next 12 months.

Further Reading

‘Green’ Tariffs to come under increased government scrutiny over growing ‘Greenwashing’ concerns

Busting the Cybersecurity Myths in the Energy Sector

Dyball Associates Achieves ISO27001 Certification

Dyball Associates are proud to help new supply businesses successfully launch in the UK market.

Through our energy market consultancy services, and the software we've developed, we're supporting new UK electricity and gas suppliers get set up and start supplying.

Follow us on LinkedIn to keep up to date with the latest news and updates in the energy industry.