Guarding the Grid

by Mark Rowe

Widespread blackouts, disrupted critical services, and compromised safety are just some of the impacts that could result from a hacked power grid, says Alexander Ward, Account Lead for Critical National Infrastructure, Cyber Security and Trust at the tech firm Thales.

Attacks on critical national infrastructure are designed to create chaos, and because of this, the sector has become a prime target for bad actors. It has also become increasingly digitised in recent years, with the benefits evident for businesses and consumers alike. The ongoing energy and cost of living crisis has increased the need for energy usage to be monitored. However, this increased digitisation has also opened the field for cyber criminals.

Consisting of diverse, interconnected systems, smart grids are vulnerable to interception. For example, if a cybercriminal could infiltrate smart meters, this could have a knock-on effect for the entire power grid. Bad actors could simulate inflated demand at scale, overloading the entire grid and leading to wide-scale power outages.

Cyber resilience

To boost resilience against mounting cyber risks, the sector needs to take a much more proactive ‘secure by design’ approach to cyber security. This means building security in from the very outset – not just as an afterthought. Of course, this is easier said than done. Power grids often sit upon legacy systems, built up over time – creating a complex web of technology. Retrofitting in line with today’s security measures can be a roadblock – but must not be overlooked.

With this in mind, here are the steps that the sector needs to take to strengthen infrastructure, instil a ‘secure by design’ approach and safeguard against future threats:

Conduct an audit: It’s wise to first conduct an audit to assess any current vulnerabilities and understand potential risks.

Segment your network: Divide your network’s infrastructure into smaller parts to make it more manageable to protect. This will contain the damage if one part is compromised.

Encrypt your data: Critical data travelling through the infrastructure, or stored in the system, must be encrypted to prevent unauthorised access or tampering. In the event of a data breach, the encrypted data will be of little value to the attackers, establishing a barrier against those looking to exploit it.

Implement the principle of least privilege (POLP): Access to assets should be granted purely on job function; allow users only the minimum access necessary to perform their role. Make digital asset management a key competency for your organisation.

Harden your systems to be proactive – not just reactive: Beyond keeping your software up to date with new layers of defence, adding threat detection capabilities can proactively alert when systems are under threat, while continuous monitoring pre-empts potential avenues of attack.

Address human error: When major US gas pipeline Colonial Pipeline was hacked in 2021, the breach was attributed to a single compromised password from one employee. Cybersecurity awareness training can help tackle the risk of human error, and instil the importance of individual cyber hygiene to the power grid’s overarching resilience. And think beyond yourself: look at vendors and IT service providers who could also be the source.

Implement multi-factor authentication: Verify users using multiple factors, not just simple passwords that are at risk of being stolen, lost, or guessed. Access can be further strengthened with digital identities, providing a secure and streamlined means of authentication.

Undergo regular tabletop exercises: Use appropriate tools and security teams to regularly test and evaluate your environments. Simulate attacks on the power grid and reflect on your preparedness to sufficiently deal with impending threats. Create, maintain, and test encrypted, offline backups of critical data so you have a plan B if it is compromised.

The takeaways

When it comes to power grid security, there’s no quick win, especially when the stakes are so high. However, it is a fundamental prerequisite for safeguarding public health and safety. Sufficiently securing a power grid requires a multi-pronged approach with multiple layers of proactive defences. Because the threat is ever-evolving, revisiting cybersecurity measures needs to be an ongoing priority, rather than a tick-box exercise.

With cyber attacks being a ‘when’, not an ‘if’, you also need to be prepared for a successful breach. Build your resilience and have a robust incident response plan in place to mitigate the severity of the impact.

© 2024 Professional Security Magazine. All rights reserved.
