Why legacy IT is a security risk for utilities companies and their customers
With Russia being accused of targeting power supplies with cyber-attacks over a two-year period, utilities companies worldwide have never been more conscious about their security. To try to prevent an attack in the UK, earlier this year the government announced new legislation that would levy fines of up to £17 million on any utilities company that does not effectively maintain its cyber-security with suitable measures to protect Britain's infrastructure.

The rise of utilities terrorism

The first known successful malware attack on a power grid, and the start of utilities terrorism (from a western perspective**), occurred in Ukraine in December 2015. Hackers accessed the information systems of three energy distribution companies in Ukraine, and thereby disrupted the power supply of up to 230,000 citizens – just two days before Christmas.

And then, last July in the UK, a memo from the National Cyber Security Centre (NCSC) warned about hackers targeting the country's energy sector. The memo stated that the sector has likely already been targeted and probably even compromised, and that connections have been found between UK energy sector computers and the technology of suspected attackers. Although the NCSC has neither confirmed nor denied the memo's validity, the warning it contained highlights a very serious problem facing UK utilities companies – they need to upgrade their security, or risk their services being compromised in an attack.

Legacy lagging behind

Many utility companies have been running services for decades, so it's not surprising that some of their systems rely on what is, by today's standards, legacy technology. These companies often deliver their services through their own applications, which were written to run on Windows XP and Server 2003.

Because these applications cannot run on the latest operating systems, utility companies are faced with the risks of continuing to use outdated systems – particularly with the rapid rise of ransomware seen in recent years. Organisations worldwide are being encouraged to improve their security to avoid becoming victims of cyber-attacks, and one clear way to do this is to update their operating systems to the latest version and apply the latest security patches.

This then leads to a more difficult issue for utilities companies in particular. To update systems, they need to rewrite their mission-critical applications. The challenge then becomes how they roll them out without downtime, as these companies provide vital services that their customers depend on every day, such as water and energy for homes and businesses. Until the rise of utilities terrorism, migrating live systems was far too risky. Recent cyber-attacks have tipped the scales, and now inaction presents far greater risks.

So what's the solution?

Utilities need to update their operating systems; that much is clear. With some UK organisations still running Windows XP – an unsupported OS – and with Windows 7 a target of WannaCry and fast approaching its end of life in just under two years' time, those providing vital public services can't afford to leave their systems behind. However, we are starting to see several organisations addressing this problem, suggesting that the utilities industry is becoming increasingly aware of the risks of its legacy operating systems, but needs to minimise the risk of downtime during the rollout.

Migrating their applications from Windows XP or Server 2003 to the latest Windows 10 or Server 2016 is possible without code changes when you use Compatibility Containers. These containers work by packaging up applications and moving them to the latest, supported and secure operating system. Containers help minimise disruption and the risk associated with desktop transformation because the app remains unchanged, so utilities can get to new platforms quickly and safely.

If public utilities companies were to follow this method, they would be able to keep their existing applications safe and secure, without waiting for time-consuming re-writes and risky application upgrades, while simultaneously increasing their security to avoid becoming the latest victim of utilities terrorism. When the services they provide are necessary for the entire UK to run efficiently, it is vital that they do not fall foul of cyber-attacks – an ever-increasing threat in today's world.

By Mat Clothier, CEO, CTO and Founder at Cloudhouse.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.

**Iran may well view the Stuxnet attack on its Natanz nuclear power facility as the first such attack.