Cyber Security Conference for Operators and Systems Vendors – London –
7th February, 2019
We were delighted to welcome close to 150 attendees to our cyber security conference for the joint community of energy operators and OT systems vendors. We were also pleased to see a broad spectrum of experience and roles, including business leaders, engineers, systems providers, systems integrators and procurement professionals.
Supported by Energy UK, the Department of Business Energy and Industrial Strategy and the Energy Emergencies Executive Cyber Security Group (E3CC), we brought together the operator, integrator and vendor communities to enhance collaboration in developing cyber security in OT across the energy sector. In a mixture of keynote presentations and focused industry panels we learnt that:
- The cyber threat to the energy sector is real. Companies are experiencing espionage, but there is also the risk of pre-positioning in IT and OT systems, where attackers may wish to gain a foothold for capabilities they do not (yet) intend to use. We also need to be concerned about collateral damage: energy systems may suffer from viruses or a ransomware attack that was not specifically targeted at them, but they can be affected nonetheless. Supply chain risks are particularly important for cyber security management in the energy sector because vendors need to help with solutions, and they have also been shown to be an attractive attack vector themselves.
- Establishing security priorities in procurement is key to success. Standards help those acquiring OT systems to specify appropriate cyber security, and help suppliers by creating common and consistent requirements. Although there are plenty of potential standards, there are currently too few that the energy sector has declared to be formally adopted (the ENA Cyber Security Procurement Language Guidance being a notable exception). Even basics such as systems ‘hardened builds’ are helpful. Good standards should be as consistent as possible internationally. Some interesting discussions were held on how much suppliers will be inheriting the requirements of the NIS Regulations and the direct requirements for Supply Chain Security stated in Principle A4 of the Cyber Assessment Framework (CAF). This is a topic that many would like to see developed further.
However, simply mandating standards is not enough, as nothing will actually happen unless cyber security makes commercial sense and expectations are agreed in contracts. To be successful in good cyber security, the energy sector will need to be sensitive and creative in addressing the costs and overheads of supplier and product assessment processes. It is clear from the meeting that the sector is interested in taking forward, through the energy cyber initiative, any opportunity to minimise duplication of effort for suppliers and operators alike, and even in considering the pooling of assessment work. Suppliers also have their own supply chains, and this needs to be taken into account.
- Maintaining cyber security through life and facing the reality of legacy systems are key to the energy sector challenge. Maintaining asset management for software is a known challenge, and there are currently too many promises of silver bullet tools which don’t seem to deliver when put to the test. Disciplines such as establishing systems ‘bills of materials’ and initiatives such as the Framework for Analysis and Coordinated Trust are starting to show us some ways forward. Patching will not always be possible, so architectures and other risk management strategies also have to come into play.
Secure operations and secure behaviours are key to success, and suppliers and systems integrators need to play their role, including how they look after laptops and other devices they might connect to OT networks and even what they choose to post on social media about their technical work.
- Incident management needs to go beyond theory, as incidents will happen. Incident management is also a team sport, which requires sharing not only amongst operators and government agencies but also with the supply chain. Exercising is key to success and the best exercises will also involve the key OT (and IT) vendors.
- Secure by design is key to achieving innovation. Whilst in the past we may have been able to rely on keeping networks segmented and systems isolated, this is not the model for future innovation. Distributed energy technology requires distributed and interconnected data communications. Cloud services and the Internet of Things don’t just connect to the Internet; they are inherently part of the Internet and need to be fundamentally secure in their design. This will require further work on industry standards and assurance processes.
All of these topics created much interest for future work, particularly for collaboration on guidance and shared initiatives. If you attended the meeting and haven’t yet voted on the conference plus future topics, please do respond to the email you were sent. Already there is unanimous agreement not only that we should do more events but also a request to progress some of the ideas with particular work activities. We will keep this web site updated.
Prof. Paul Dorey
If you are not already involved and are interested in these ideas then please contact us to express interest.