NTT Data's Take on Cyber Threats in the Energy Sector

Warren O'Driscoll, Head of Security Practice, Services & Solutions at NTT DATA UK&I. Credit: NTT DATA
Warren O'Driscoll, NTT DATA's Head of Security Practice, Services & Solutions explains what leaders should do in the changing regulatory & threat landscape

We live in a world where cyber attacks are becoming more sophisticated, more frequent and harder to defend against. Add advanced AI into the mix and the problem becomes dire.  

Forming part of the nation's critical infrastructure, energy and utilities firms have found themselves right on the front line. 

For organisations, the pressure to act has never been quite so high – with the UK Government's Cyber Security and Resilience Bill on the horizon and boards now being urged to take personal responsibility for their organisation's cyber defences.

In this conversation, Warren O'Driscoll, Head of Security Practice, Services & Solutions at NTT DATA UK&I, examines these emerging threats and regulations and their implications for the operational sector, explaining why the threat landscape has shifted so dramatically and what the leaders of energy and utility firms should be doing about it today.


Why has the UK government put cyber security firmly in the hands of boards?

For a long time, the government has been trying to drive UK businesses to do the right thing, but it’s had to strike a very difficult balance. On one hand, the last thing it wants to do right now is stifle business growth. On the other, it needs to make sure its businesses are, in turn, protecting UK plc.

That’s why it published a ministerial letter on cyber security, urging boards to "take the necessary steps to protect your business and our wider economy from cyber attacks". Its previous attempts haven’t been too successful, so it’s trying to create a sense of urgency. That way, we at least have a fighting chance when threat actors come knocking. 

The geopolitical environment is completely different to what we’ve seen in previous years, with rapid growth in the direct use of AI and other tech to support cyber attacks. These have made it easier for less mature adversaries to present an outsized threat to UK businesses relative to their size and experience, which is also exacerbated by known threat actors funding them and using these smaller outfits as puppets. Together, that’s made attacks far easier to perpetrate.

It's these types of attacks that have caused the government to place responsibility firmly in the boardroom. If you make boards personally responsible, it’s much harder for them to actively ignore it – they have to work on solving it and preventing it, because ultimately, they’re the ones accountable.


What has changed for energy and utilities companies specifically?

Of all the sectors of the economy, the risk is probably growing fastest in energy and utilities. With prices regulated, they can’t easily increase revenues to cover the growing costs of meeting the cyber threat – so they’re being asked to fix more with less. And the threat is expanding rapidly with the rise in operational technology (OT) cyber attacks.

With firms connecting more OT devices – like Supervisory Control and Data Acquisition (SCADA) systems and Incident Command Systems (ICSs) – to IT and cloud networks, that’s opened a massive new attack surface. Attackers don’t need physical access to valves and control switches; not when they can hack the environment from the comfort of their sofa, using the IT equipment to which the OT has been connected. These often decades-old systems aren’t designed for these environments; they lack "secure by design" thinking, and they often don’t have segmentation or risk controls.

On top of all that, there’s a fundamental mismatch in risk and cybersecurity understanding between the physical OT engineers and IT workers on the one hand, and the cybersecurity SMEs on the other. When something digital fails, the engineers on the ground often don’t know how to fix it themselves, while your typical IT support team would fail to fully grasp the context of the risk, which can create immediate problems or even a threat to life (not a common problem in IT).


Why are energy and utilities firms particularly vulnerable right now?

They’re dealing with risks they simply haven’t had to manage before and, in many cases, they don’t yet have the in-house capability to respond quickly. At the same time, boards are rarely security specialists. Traditional security assessments might flag where controls are missing, but they don’t always surface the risks that really matter.

The double threat of IT/OT convergence and AI-powered cyber attacks has expanded the attack surface, while also widening that gap between physical engineering teams out in the field, IT teams back in the office, and the cybersecurity teams engaged when it goes wrong. For critical infrastructure providers like energy and utilities firms, that combination makes the current threat landscape particularly challenging.

If 90% of boards say cyber is a priority, why is progress still slow?

Organisations are often trying to handle these cyber threats themselves without the correct knowledge or subject matter expertise, which ends up with them spinning their wheels. Boards will acknowledge that cyber is important, because it absolutely is. But with technologies like AI developing so quickly, a lot of the risks and attacks hitting businesses today are things they’ve never faced before.

That means it ends up taking a lot longer to move cyber security forwards within the business. The combination of lack of knowledge and lack of communication can lead to reputational damage that affects a business for a long time.


Where should boards start to turn responsibility into action?

Boards need to start holding their businesses to account. This means making sure that they’re looking at the details of the reports they’re being given and not just taking the high level figures as gospel.

People will take out this piece or that piece of information because they don’t think the board needs to concern themselves with it. By the time information gets to the board, it’s often been deconstructed and simplified to the point that it’s combat ineffective.

So boards should make a habit of drilling down a few more layers to make sure that the information they’re getting is tangible, credible, and correct. They should question whether the information they’re being handed is true, and make sure their subordinates know that they want to see the reality.


Why is supply chain cyber risk such a critical issue for the sector?

Ultimately, it’s because there’s an implicit trust in upstream suppliers. Just because a supplier is a major tech firm with a well-known name, people default to the assumption that it’s trustable. But that rarely involves any actual validation of how hardened that supplier’s security posture is.

Popular suppliers upstream in the software supply chain are increasingly becoming targets for cyber attacks; and with our reliance on such technology giants only growing, businesses really need to take a closer look at where their data and software are coming from.

You can’t run a business without third parties, but organisations need to get much more clinical about understanding what it is that they’re bringing into their organisations, as well as the potential impacts that could arise if it turns out that they are compromised.

This is particularly relevant for the energy and utilities sector, where firms often aren’t used to conducting such thorough assessments outside their known circle of risks.


What immediate support can boards access from government today?

Frameworks and services like the UK Government’s CAF, the NCSC early warning system and Cyber Essentials can be hugely valuable for UK-based businesses trying to navigate this rocky period and build up their internal expertise. 

You can also bring in external subject matter experts to give you advice and provide the right coaching – helping you to understand what information is accurate or inaccurate, and when you need to dive deeper for the correct answers.

A good first step is to evaluate the risks, and – where required – apply new and additional controls to manage and mitigate that risk. There’s no point applying controls for controls’ sake. You need to start from a foundation of risk assessments, which map your potential vulnerabilities, and gap assessments, which help you work out what you’re missing.


How should boards be preparing for the UK's Cyber Security and Resilience Bill now?

Cyber Essentials should really be the absolute bare minimum. But the truth is that, for larger, more complex organisations, even the so-called ‘basic’ requirements just can’t always be met.

Take patching, for example: it’s really difficult, especially in environments where some technologies are decades old and can’t be effectively protected in this way. Because of this, boards often ask what the smallest thing is that they can realistically do to make a difference. 

The most important thing is to not stick your head in the sand. If boards get good advice and follow it, they can start to address most of these issues today, but really it is about being open to change and not adopting the "well, this has never happened to me" attitude.

Just because you make baked beans, rather than bullets or bombs, that doesn’t mean you’re not a target. This is exactly why so much pressure has been placed on boards; they can no longer just point back to ISO standards and call it a day.
