Cyber security and the energy Trilemma – Part 3

What steps can be taken to overcome the 'trilemma'?

As we have seen, the challenges surrounding cyber security in the Energy sector link directly back to the trilemma we are facing. So where should organisations be focusing their efforts when it comes to getting cyber security right? It’s also worth remembering that if we can solve these problems to protect against the most skilled attackers out there, everyone else should be straightforward to handle. At MWR we have identified four key areas that are the foundations of getting our approach right:

1. Governance
The organisation will only follow if the leaders set the standard. Therefore, it’s critical that cyber security is sponsored right from the top of the business and is managed effectively right down to the shop floor. Governance models such as ISO 27001 can be used to support this, but be warned that they will only be effective if they accurately map to the systems and technologies that you are actually using.

2. Vendors
Cyber Security is ultimately a technical problem, as without technology we would not be facing the challenges we are. Therefore, the problem maps back to the people who design, manufacture, install and run the technology we use. Within the energy sector there is one key group on whom everyone else relies: the technology vendors themselves. It is important that our vendors understand how to get cyber security right and build the right controls into our systems, with the level of security quality that’s needed to protect us against attack.

3. Design and Architecture
The security of the technologies within the complex systems we find across the sector, such as the Smart Grid, can be significantly enhanced by the design and architecture of the system or environment they sit within. By using effective architectural patterns and the right combination of security controls, closely aligned to the threats that we are facing, we can provide a solid foundation on which to build.

4. Education and Awareness
Executing all of this well requires an entire industry to understand both the challenges and what the right solutions are. That means educating everyone so that they understand what their part is in this space and where they can get help when they need it.

One thing that is clear from these solutions is that no single organisation or company can, or should, be solving them all, or all in one go. It is therefore important that the industry as a whole comes together to address the issues. All parts of the industry are acutely aware of the trilemma, so helping the industry to understand the challenges and opportunities in cyber security is achievable. By building our knowledge of best practice and cross-industry solutions we can make progress, and at MWR we will be working to support those efforts.

It may not seem like it to the many people in the Energy sector having to deal with the trilemma, but Cyber Security needs to be included in the approach that we are using to face it. Otherwise our adversaries, who have an increasing capability to impact the sector, will exploit governmental failings in the Energy sector for political benefit and cause their damage. Not only does this have ramifications for Governments around the world; such attacks will have a ripple effect on everyone within the sector and its supply chain, as we have discussed.

This is without factoring in all the other attackers who might seek to gain from security weaknesses in the sector. It is therefore important that there is a collective effort to address some of the issues that will arise if the right path is not taken towards our Smart Energy future.
