Drax power station, in Yorkshire, supplies eight per cent of the UK’s electricity. Its 3,960 MW capacity is enough to boil two million kettles at once
In a sprawling office building in south Wales, Kevin Jones simulates massive cyber attacks on power grids, factories and other vital parts of national infrastructure. It’s the only way of knowing whether these facilities will cope when the real attack comes, he says.
“I can’t just go and attack a power grid. I can’t just go and attack our own manufacturing lines,” says Jones, who heads up cyber security architecture at Airbus. Although it’s better known for its aircraft, Airbus also provides cyber security protection for the UK Ministry of Defence and French TV network TV5Monde.
The UK hasn’t seen a sustained cyber attack against national infrastructure yet, but it’s only a matter of time before the inevitable happens. Outside the UK, hackers are already causing havoc. In 2014, security researchers discovered HAVEX – a strain of malware that allowed hackers to infiltrate and spy on industrial sites in Europe. In 2015, an attack on the Ukrainian energy grid knocked out power to 225,000 people. A similar attack on Ukraine, just a year later, was even more sophisticated – call centres were jammed so worried residents couldn’t find out what had happened to their power supply.
But if we’re going to confront the threats facing our infrastructure, it’s time we overturned some of the industry’s pervasive lies, Jones says. First up: air gapping – the idea that certain systems can be completely isolated from unsecured networks such as the internet. “Air gaps don’t exist, it’s a myth,” he says.
Power grids are becoming more interconnected and more data-driven than ever before, but that means no air gapping. This is great news for innovation in the energy industry, but it’s poses problems when it comes to security. As things become more connected, they also become more exposed. “If we don’t design these systems with security then we are heading for a major, major problem,” says Jones, who was amongst the speakers at WIRED Energy.
That’s because smart power stations and infrastructure offer up a whole host of new targets to attackers. “As we move to the internet of things we’re going to see this be more and more prevalent,” he says. Jones has his own phrase for the internet of things – he calls it “the internet of trouble”. For him, every device that’s connected to the grid is something that hackers can, and will, try to use to take down the system.
“People are already learning the skills they need to be able to target these kinds of devices,” he says. At the Black Hat conference in Las Vegas earlier this year, he watched a room full of hackers get to work cracking into smart home devices. If an office was full of smart devices without adequate security, a determined hacker could find a way in and block entire networks, effectively grinding operations to a halt remotely.
Against a power station, a similar attack could leave a country crippled. So it’s time, Jones says, that organisations – private and public – take steps to make sure they’re not the weak link in their country’s power network. “Cyber security is a team sport – it’s not the realm of the IT department, especially when it comes to critical national infrastructure.”