UK National Grid under constant cyber-attack

A senior government figure says that the UK's power grid is under "minute-by-minute" attacks from computer hackers but information security experts aren't so sure.

UK National Grid under constant cyber-attack
UK National Grid under constant cyber-attack

Conservative MP James Arbuthnot chaired the Defence Select Committee up until last year and said that the National Grid is facing cyber-attacks every minute. He plans to visit the National grid next month to discuss the issue.

“Our National Grid is coming under cyber-attack not just day-by-day but minute-by-minute,” said Arbuthnot at a London conference last year, with his comments first reported by Bloomberg. “There are, at National Grid, people of very high quality who recognise the risks that these attacks pose, and who are fighting them off…but we can't expect them to win forever.”

“We work very hard in concert with the industry, in concert with the security services in both the UK and the US to make sure that we've got the protection we need in place to keep any intruders out of our networks,” National Grid chief executive officer Steve Holliday said in an interview after the company's first-half earnings. “When you run essential pieces of infrastructure, it's very high on your agenda.”

These comments come just months after it emerged that hackers were behind an oil pipeline explosion in Turkey in 2008 and after the German agency  the Federal Office for Information Security (BSI) claimed that an unspecified threat actor had launched an Advanced Persistent Threat (APT) attack against a local iron plant. Back in November, the National Security Agency revealed that the US grid had been successful hacked, allegedly by a number of foreign governments.

Hugh Boyes, cyber-security expert from the Institution of Engineering and Technology (IET) said in an email to SCMagazineUK.com that the energy sector is a common target, but added that all companies need to ensure they have the appropriate cyber defences.

“It is a fact that all networked corporate systems will face attempts to compromise their system security, often on a daily basis. There are a range of threats faced by such systems including targeted attempts by hackers and other hostile parties, the use of automated probing, some of which may be malicious, and attacks by bots for example those used to spread malware and conduct phishing attacks. It is important that all companies take appropriate steps to protect their systems and that we maintain perspective on the volume of attacks given the increased use of automated tools to attempt to probe or attack the systems.

“The energy sector is aware of the potential threats to its systems and the UK's National Cyber Security Programme has invested in enhanced capabilities to assist CNI companies in their defence of their critical systems. Coupled with this investment there is a need for all companies to improve their cyber-security capability.”

Independent security researcher Joel Langill has worked on implementing large DCS and SCADA systems for more than 30 years and suggests that most threat actors target the ‘low hanging fruit'.

"What is often not disclosed in the facts surrounding these events are the obvious or “basic” mistakes or omissions that made the targeted organisation vulnerable to attack,” Langill told SC. “This is why it is important that enterprises understand the latent gaps that may exist within their operational security framework when they focus entirely on information security techniques.

"I would add that the resources, skills and industry specific knowledge needed to successfully carry out an attack on critical national infrastructure (CNI) that would lead to any significant consequences within their production or operational environments is very high. In other words, simply finding a device on Shodan [the search engine that lets you find details on certain computers - Ed] that may be publicly accessible and may utilise well-known or less secure products, applications and protocols is not likely to convert into a risk that is of much concern for these CNI enterprises. This level of disclosure and their associated vulnerabilities are just not at the core level or a large, integrated industrial control system. 

"Often times, people confuse “component-level” vulnerabilities with “system-level” ones. The ICS systems used to operate critical infrastructure include multiple level of operational redundancy designed to minimise the effects from common-mode failures.”

He added that a cyber-attack on critical infrastructure would have to be incredibly sophisticated to cause significant damage.

"It should also be noted that in order for a cyber-event to lead to measurable consequences within a particular sector would require a highly coordinated attack that would include not only the successful compromise of multiple facilities within the same company but also multiple companies within the same industry. It generally would require a highly precise combination of both physical and cyber-events. 

"Due to the very high level of diversity in the industrial control system technologies deployed, this does not seem likely. It may be theoretically possible, but it is highly improbable.”

Langill cited the recent Stuxnet, Dragonfly and Black Energy APTs as examples of why firms should be diligent in identifying and mitigating cyber-risk within their information and operational technologies, but warned firms not to be distracted by noise.

"It is important to remain focused on the progress within their own organisations, and to not become distracted by what are often over-stated, over-sensationalised or even misrepresented facts and events.