Connected appliances and devices are revolutionising the nation’s homes, but what does this mean for the utility companies responsible for powering them? How can they ensure cyber security in the age of IoT?
Arqiva’s Chief Information Security Officer, Denis Onuoha, emphasises the importance of safeguarding the utility industry’s smart networks.
A rapidly developing network landscape
From smart lightbulbs that light up ahead of your arrival to smart thermostats that learn to supply heating around your daily routine, today’s home devices can be programmed to work exactly when and how we like.
Thanks to artificial intelligence (AI), tomorrow’s connected washing machines may be able to self-operate for maximum cost and energy efficiency, automatically starting a cycle at the exact moment energy is cheapest and switching to the energy supplier with the best value tariff.
But this speed of innovation comes with a serious security challenge: with so many devices connected to their networks, how can utility providers remain secure? High-profile data breaches and cyber warfare are on the rise – the infamous Ukrainian BlackEnergy power grid attack springs to mind – so no provider of connected infrastructure can afford to underestimate the ingenuity of those looking to exploit network weaknesses.
As Japan prepares to assess the security of 200 million network-connected devices ahead of the Tokyo 2020 Olympics, it falls to the UK’s utilities industry to pre-empt official regulation and take steps to defend their own systems from cyber-attack.
Partnerships that boost network security
Ensuring total network protection is no mean feat and, for most utility providers, a mix of legacy systems and new technology presents an added layer of intricacy. There’s a balance to strike between investing in new network infrastructure and managing the security risk of older systems before they can be phased out.
But it’s not just kit that needs to evolve; achieving cultural buy-in on a cyber security strategy can be just as tricky. Establishing the fact that security is both an organisation-wide responsibility and an efficiency driver is a good start, but utility companies should also make sure they’re operationally prepared by running network breach simulation exercises.
And there’s still more: as operational technology (OT) and information technology (IT) converge, utility companies now need to be experts in both engineering and IT. Network security relies on seamless communication between system hardware and software, and as smart networks incorporate a growing number of technologies, it’s up to the utilities industry to lead the way in innovative, yet secure, network integration.
This is where a trusted, experienced network support partner can make all the difference. Arqiva’s commitment to security extends to everything we do, including our closed, internet-independent communications network built to support smart infrastructure. Designed with robust security features baked in, our network uses highly secure licensed radio spectrum, rather than internet connectivity, to connect smart devices, avoiding the susceptibility of online communication altogether.
Establishing a security-focused supply chain
Of course, a network is only as secure as its weakest link. Even with a fortified infrastructure partner, utility companies cannot guarantee the operational security of their suppliers and affiliates. Cyber criminals are adept at sniffing out any potential chink in the armour, even when it’s via a third party.
So, it’s down to providers to carry out their own supply chain security investigations, checking contractual requirements, auditing suppliers where possible and keeping security investment costs in mind when procuring. For many, the best option is to become members of the Information Security Forum, which means your suppliers are subject to its supply chain assurance framework. Where an organisation may not meet this set of standards, this means you can work with them to improve cyber security measures before moving forward together.
This collaborative approach benefits the utilities sector as a whole; after all, network security is a risk and a responsibility we all share. Introduced in 2018 and somewhat overshadowed by GDPR, the Network Information Services (NIS) Directive reinforces this point – “organisations within vital sectors which rely heavily on information networks, such as utilities, are required to take appropriate and proportionate security measures to manage risks to their network and information systems.” Failure to comply can lead to severe fines.
Keeping utility consumers in the picture
Defending the supply chain becomes even more vital considering that it’s all but impossible to manage how customers choose to use energy within their homes. Unless a device is no longer working, it’s unlikely consumers will prioritise upgrades or replacements – that’s a vast number of smart devices and appliances potentially vulnerable to attack. Placing the onus on manufacturers is problematic too, although the utilities industry would do well to work with them to devise a baseline security standard for smart devices.
That’s not to say there’s nothing utility providers can do to help customers safeguard their devices; in fact, open communication can go a long way towards changing consumer consciousness. The banking industry is a great example: by highlighting how to recognise bogus emails and reinforcing the importance of password protection, banks have successfully educated their customers on the risks of online fraud.
Providing guidance in areas like these also helps organisations strengthen trust messages with consumers, which will be crucial as IoT devices become more commonplace. If, for example, utility companies could make energy savings by limiting power to a smart fridge in the early hours, in return for reimbursing the owner’s bill, they will need to be completely transparent in how they go about it.
Prioritising network security today and tomorrow
As technology advances and networks expand, it will take a sector-wide focus on cyber security to create a secure operational state within the utilities industry. Collaboration will build stronger and more secure networks than isolated systems ever could, so it’s vital that providers keep this aim high on the agenda, both as individuals and as a collective.
Denis Onuoha
Chief Information Security Officer