Cyber security and the energy Trilemma – Part 2

With the energy sector already in crisis, how then should it deal with the growing risk of cyber threats?

In this three-part series, Martyn Ruks looks at how cyber security relates to the current energy crisis, the perils of ignoring potential cyber-attacks, and some practical advice on how to incorporate security into your smart energy projects.

Challenge 2 – To meet the UK’s carbon reduction targets

This is a big challenge for us, as we need to migrate our power generation capabilities to both new and emerging technologies. In many cases these technologies contain new information technology components and communicate using well-known protocols over public networks such as the Internet. So the change in technology is exposing our systems to increased risk of attack at the same time as it is helping to reduce our carbon usage. This presents us with both a challenge and an opportunity.

The challenge is that we are rushing to play catch-up with the security controls that now need to be implemented in this technology. We also need to engage with a wide range of suppliers, some of whom have no cyber security experience. This means that we need to provide them with support and guidance so that they get security right from the outset in their products and technologies. If we fail to do this, the outcome could be a loss of confidence in the new technology if a significant cyber security incident were to be blamed on it. There is a real chance of this happening if those who do not want this technology to succeed choose to use this as their new angle of attack.

Whilst this challenge exists it does create an opportunity at the same time. That is the ability to design security in from the start in the new environments that are being deployed to support these systems and new technologies. If we are able to take advantage of these major changes in our infrastructure that support systems like the Smart Grid then we have the opportunity to mitigate many security issues at their source. So with the right priorities we can ensure that meeting our carbon reduction targets gives us the opportunity we need to get cyber security on the right track.

Challenge 3 – To restrict any increases in consumer bills

At first glance this challenge may seem like the Achilles heel of our cyber security efforts. How can we do cyber security without increasing costs and therefore increasing consumer bills? The answer comes in two parts: the first is that we need to spend our money on cyber security more effectively, and the second is that by getting it right from the start we save ourselves money in the long run. So if we are smart we can turn cyber security from a blocker into an enabler. Let’s look at the two parts in more detail.

The first point is about targeting our cyber security spend in the right places. Rather than the more traditional approach of spreading our resources evenly across our businesses, we should be actively targeting them at the parts of our business that are more important. By understanding the real-world impact of cyber security incidents on our businesses, we can ensure that the areas that would cause us the most pain receive more of our resources, whilst those that aren’t important receive less. This re-balancing of our resources will help us to get more for our money and, most importantly, won’t mean spending more to improve our defences.

But that’s not the end of the story. Ask any CIO or CISO in this industry and they will tell you they need more money to be able to protect their businesses from the increasingly sophisticated and persistent threats that exist today. Can re-balancing alone solve the problems? And how can we get extra money without increasing bills for consumers? The answer presents itself in the form of the new technology and systems that we are deploying. If the right cyber security controls are designed into the new technology and systems up front, then experience tells us that the total cost of security in the system over its lifetime reduces. Effective cyber security from the start means fewer project delays, less costly patching of holes and fewer security incidents to respond to. This can deliver real savings to the business, which can be invested back in the cyber security of the next project or system that we deploy.

So we should also find that better cyber security does not cost us significantly more money, and ultimately that means it can’t be used as the excuse for rising consumer bills.


