CS Mar-Apr 2024
energy industry

incidents in 2020 - the highest number recorded in at least 12 years. Moderate is the second-most severe category and is described by the ONR as an incident where there has been "a significant departure from expected standards".

The rising number of reported incidents comes amid a fall in security inspections carried out by the regulator. There are concerns that during 2021 the frequency of nuclear security inspections carried out by the ONR may have fallen to its lowest level in at least four years. Data obtained in a separate freedom of information request shows that in 2021, up to 17 December, just 136 security inspections had been carried out by the ONR, down from the full-year figure of 144 in 2020 and 169 in 2019. Information security inspections are among the types to have seen the biggest decline, with only 40 carried out in 2021 up to 17 December, down from 74 over the whole of 2020.

Dorfman said this was particularly worrying, given the growing risk of cyber-attacks on nuclear infrastructure. "There is no question that nuclear is operating in an increasingly dangerous and unstable world where the threat of state-sponsored or non-state cyber-attacks is increasing."

In a statement, the ONR commented: "We welcome the increase in reported events, as our analysis indicates that this reflects improvements in security awareness and culture across the industry. The vast majority of reported events (80-90%) are minor breaches of security arrangements, which have been proactively reported to us." The regulator also said it believed its engagement with nuclear operators had increased over recent years, despite the decline in official inspections. It added: "The data we provided under freedom of information law relates only to on-site compliance inspections and does not include other assessment work. This separate regulatory scrutiny, which is not represented in the data, is essential to ensure site security arrangements comply with the law and includes site visits to reinforce regulatory judgments."
COMPLEXITY OF CRITICAL INFRASTRUCTURE

According to Allianz, critical infrastructure systems like those driving power generation, water treatment, electricity production and other platforms are interconnected to form the energy 'grid'. Although beneficial to the public, this grid is vulnerable to cyber-attack by 'hacktivists' or terrorists.

Imagine, during a particularly harsh winter, a group of hacktivists spreading panic by bringing down the US power grid, millions of homes and businesses plunged into darkness, communications cut, banks going offline, hospitals closing and air traffic grounded. While such a scenario sounds apocalyptic, it is a realistic threat, according to Idan Udi Edry, chief executive officer at Nation-E, a provider of cyber security solutions that safely allow customers to connect their infrastructure to the internet, thereby enabling them to connect and control critical assets remotely and safely.

Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Just decades ago, power grids and other critical infrastructure operated in isolation. Now they are far more interconnected, both in terms of geography and across sectors. As the US power grid scenario highlights, the failure of one critical infrastructure could result in a devastating chain reaction, says Edry. Unsurprisingly, the vulnerability of critical infrastructure to cyber-attacks and technical failures has become a big concern. And fears have been given credence by recent events.

In December 2015, the world witnessed the first-known power outage caused by a malicious cyber-attack. Three utilities companies in Ukraine were hit by BlackEnergy malware, leaving hundreds of thousands of homes without electricity for six hours. Cyber security firm Trend Micro says the malware targeted the utility firms' SCADA (supervisory control and data acquisition) systems and probably began with a phishing attack. The blackout was followed two months later by the news that the Israel National Electricity Authority had suffered a major cyber-attack, although damage was mitigated after the Israel Electricity Corporation shut down systems to prevent the spread of a virus.

The energy sector is one of the main targets of cyber-attacks against critical infrastructure, but it is far from being the only one, of course. Transport, public sector services, telecommunications and critical manufacturing industries are also vulnerable. In 2013, Iranian hackers breached the Bowman Avenue Dam in New York and gained control of the floodgates. Oil rigs, ships, satellites, airliners, airport and port systems are all thought to be vulnerable, and media reports suggest that breaches have occurred.
SOARING CYBER-ATTACKS

Cyber-attacks against critical infrastructure and key manufacturing industries have soared, according to US cyber-security officials at Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the US government body that helps companies investigate attacks against ICS and corporate networks. It reported a 20% increase in cyber investigations in 2015 and a doubling of attacks against US

www.computingsecurity.co.uk @CSMagAndAwards March/April 2024 computing security