Speaking as someone who lives and works in Western Europe, and having spent more than 15 years in Africa, I have first-hand experience of some of the world's most and least reliable infrastructures.
In Africa, I was used to working around daily blackouts. In Vienna and London, where I'm based now and where there's virtually 100 percent availability, we're wholly dependent on our interconnectivity. We have done little to prepare for the blackout threat because there simply hasn't been the need.
This kind of thinking cannot go on. We must increase social risk awareness now. Even on the most reliable infrastructures, we face an increasing danger of blackout due to cyber-attack, which could be devastating.In Southern California back in 2011 a maintenance worker caused the loss of a line operated by Arizona Public Service, resulting in a massive power outage impacting critical services, including traffic lights, causing 3.5 million gallons of sewage to be spilled into the ocean, having an indirect implication on SCADA environments, putting two nuclear reactors off line thus a loss of electricity.
Given the increasing complexity of our critical infrastructure, the growing cyber-security threat and geo-political landscape today, real dangers lie within and without the grid. Energy, like the water supply, telecoms, mobile and banking is increasingly dependent on IT connectivity. The integration of intelligent, internet-dependent measurement systems that form so-called smart-grids, means energy infrastructure is more vulnerable to ‘acts of God' and cyber-attack than ever. Indeed, the increasing use of renewable resources is a prime example of how our systems are becoming more complex and vulnerable to external threats. There's a strong argument to be made that secure infrastructure has not grown with the rapid expansion of renewables. As renewable energy plays a bigger part in the national grid, the increased network complexity and number of entry points translates to greater risk.
It's not just the number of entry points that is on the rise. There are a growing number of individuals who have the technical expertise to carry out devastating cyber-attacks, as amply demonstrated in other industries, in recent years. On the contrary, thousands of attacks are recorded on utilities and their infrastructure on a daily basis worldwide. It only takes one sophisticated attack to be successful. Take Norway for instance. A few years ago every second power plant was infested with Trojans. Most of the country's facilities were built prior to the internet and couldn't cope when they were connected to IT systems, making itself a prime target for hackers.
"We must increase social risk awareness now"
Most attacks today are carried out by electronic means, but this tectonic shift cannot be downplayed. Where once national infrastructure only needed to be protected from direct physical attack, every IT device and user in the world now represents a potential threat. Many countries are struggling to come to terms with this, as the majority of armed forces currently have insufficient capacity for the protection of IT infrastructure, lacking in the resources, personnel and expertise required.
Evaluate the threat
I suggest that the UK and Austria are not top targets for attack but potential targets. As hackers have proved, merit is not always a factor. In some cases hackers will vandalise a site or organisation, not for commercial gain, but because they can.
Because electricity, IT connectivity and the internet have penetrated almost every aspect of life, the consequences of a 24-hour large-scale power outage would be huge. In a developed European country, the resulting economic damage would be millions, possibly billions of pounds. It is with this backdrop in mind that I believe we should evaluate the potential threat. Not as an abstract disaster scenario but a very real threat.
Oliver Eckel, CEO, Cognosec