If we use the government’s description of critical national infrastructure (CNI) as being ‘facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends’, at the top of this list should be those responsible for providing the nation’s energy. Any failure to protect this utility and ensure continuous operation would certainly have a detrimental impact on the availability of almost all services, leading to severe economic and social consequences, including the potential for loss of life.
Given the role it plays in all our daily lives, protection of energy sources is vital. The most high profile threat comes via international terrorist groups such as al-Qaeda, while Northern Ireland related activity also remains an issue, with republican terrorists continuing to threaten UK citizens, businesses and interests. However, while this is taken incredibly seriously, there are other groups that are just as capable of jeopardising energy supplies.
How energy is generated, where it comes from, and its cost are firmly on the radar of the UK’s population. This means that energy suppliers are under intense scrutiny and face a constant barrage of criticism about what they are doing to secure our future needs. Controversial techniques such as shale gas drilling or ‘fracking’ have attracted protest and while the arguments for or against it are being played out in the media, energy companies have to ensure that they remain protected.
A hardcore group of ‘professional’ protesters continue to target energy companies and are using social media to attract support for their cause. Make no mistake, these people are very good at what they do and are highly organised. For example, earlier this year a group of 12 women and nine men was charged with aggravated trespass after a sit-in at EDF Energy West Burton, in Nottinghamshire. The campaigners from No Dash For Gas said they were against plans to build 20 gas-fired power stations and intelligence services are certain that they will not give up easily.
For most UK power stations and sub-stations, thwarting intruders involves a combination of physical security and surveillance technology, often through the building and guarding of perimeter fences.
However, with some main power stations having perimeters of five miles or more, this is an expensive solution and energy firms are only willing or able to invest so much in security. A Class 3 or Class 4 security fence should offer a delay time of 14 seconds in which to mobilise attention. What are known as ‘hardened’ areas, which are particularly vulnerable to attack, are generally given most attention.
Some sites are obviously more susceptible than others and it’s not always the bigger ones that are most critical. For instance, a successful attack on certain smaller sub-stations around the outskirts of London could mean the loss of power in the capital for up to three months. So in order to assess which sites are most at risk, the government’s Centre for the Protection of National Infrastructure (CPNI) compiles an annual report, which highlights those that are the most vital and, therefore, need the highest levels of protection.
Threat from within
While a devastating external attack on the nation’s main power stations and sub-stations is certainly possible, physical security is an increasingly small element of energy firms’ attention. Far more insidious and, indeed, harder to combat, is the danger posed from insider threats and cyber terrorism. Put simply, terrorist and criminal organisations very rarely make explicit attacks, as they would much rather use an insider to deliver whatever it is they want.
The CPNI defines an insider as a person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorised purposes – and it’s a growing problem.
When it comes to cyber crime, the threat is persistent and constantly evolving – data breaches, identity theft and fraud are now commonplace. The latest data from the National Audit Office estimates that the UK suffered 44 million cyber attacks in 2011 alone, the equivalent of 120,000 a day, costing approximately £27bn a year, of which over three-quarters of the economic impact was felt by business enterprises.
Cyber crime can be used against energy companies for any number of purposes. Infiltration into supervisory control and data acquisition (SCADA) systems, for example, which are used to monitor and control plant or equipment, could result in services being disrupted and operational data being compromised. Meanwhile, the accessing of customers’ financial data could lead to a seriously damaged reputation.
The top five insider activities are the unauthorised disclosure of sensitive information either to a third party or the media – more commonly known as industrial espionage; process corruption, which involves illegitimately altering an internal process or system to achieve a specific, non-authorised objective; the facilitation of third party access to an organisation’s assets; physical sabotage; and electronic or IT sabotage.
The most frequent types of insider activity identified in a recent CPNI study were unauthorised disclosure of sensitive information (47 per cent) and process corruption (42 per cent), and most of these activities will include an element of cyber intrusion.
Cyber criminals will soon face tougher penalties in the EU, under new rules adopted by the European Parliament, and attacks against critical infrastructure could lead to a five-year prison sentence. Firms would be liable for offences committed for their benefit – for example, hiring a hacker to get access to a competitor’s database – and penalties could include exclusion from entitlement to public benefits or closure of establishments. While any deterrent is welcome, the view of a significant number of security professionals and business leaders alike is that it doesn’t go far enough when the potential damage is considered.
The reasons why people undertake insider activity are diverse and most have a combination of factors including financial gain, ideology and a desire for recognition and loyalty. Interestingly, research from the CPNI has identified a clear pattern in the relationship between primary motivation and type of insider incident. Ideology and desire for recognition were closely linked to unauthorised disclosure of sensitive information and financial gain was most closely linked to process corruption or giving access to assets.
The ways they go about getting hold of information can be just as varied. The writing down or sharing of passcodes, the lending of laptops and other electronic devices and poor access control of areas such as data centres and the communications infrastructure can all make the lives of those with malicious intent much easier.
In terms of helping to reduce vulnerability, top of the list are the need for a comprehensive personnel security regime, pre-employment screening and the creation of a secure culture. On-going protective security measures and effective management practices are also vital in reducing vulnerabilities, as are more straightforward procedures such as monitoring unusual behaviour.
An insider threat can originate from anyone with legitimate access to an organisation, regardless of whether they are permanent employees, contractors, temporary staff or even business partners. Just as importantly, any people leaving the company must relinquish keys, passes and IT equipment, and their access pathways should be erased from the IT system.
Regardless of whether the perceived threats are external or internal, predicting where and when an attack could take place is extremely difficult.
Therefore, all energy-based organisations should carry out a security risk assessment to ensure that they are in the best position possible to deal with such an event.
An appraisal of the communications system, infrastructure and decision processes necessary in the event of attacks should be considered along with an audit of the procedures employed by security functions. Industry experts, many of whom are members of The Security Institute, are able to identify possible gaps in processes and procedures, and assist in the implementation of systems that make buildings and their inhabitants safer.
In some cases it is necessary to carry out penetration testing where a consultant will try to enter the premises incognito by, for example, pretending to be a cleaner. Once they have gained access they will see how easy it is for them to acquire confidential information and gain access to certain parts of the building.
In a cohesive effort to thwart any attackers, energy companies share security related information with each other – there is no commercial benefit to not doing so. They discuss issues and develop the kind of best practice techniques that help identify and eliminate threats.
This cooperation also extends beyond the energy industry itself and resources from government departments and agencies, including MI5 and the Communications Electronics Security Group (CESG), can be called upon. In fact, the government has made significant inroads in the way it factors in the interdependencies between transport, energy, water, waste and ICT networks.
A report recently published by Engineering the Future (EtF), called The Infrastructure Timelines, looks at the government policies within each of the infrastructure sectors and identifies where achieving its aims is interdependent with or reliant on policies in other sectors. It cites the energy sector as the most critical example of infrastructure interdependence due to the role it plays in ensuring all the other networks function effectively and can meet the demands of the future.
Knowledge is power
Most companies in the energy sector understand that simply throwing money at security and addressing it in a piecemeal fashion is a waste of time. However, it is incumbent upon all businesses in all sectors to review their vulnerability to attack – whether internal or external – and make sure that they implement a cohesive security strategy. Quite simply, it is the only way to move forward and deal with this important issue.