Water Industry Journal talks to Andy Wall at Atkins about the threat of a cyber attack on your company and the potential consequences.

As you read this article, someone somewhere may be targeting your company with a cyber attack and the first you will know about it is when a vital component of your pumping plant shuts down. The resulting chaos could disrupt your operations, damage your reputation and cost you huge amounts of money.

An unlikely scenario? Not according to Andy Wall, Head of Cyber Security at global design, engineering and project management consultancy Atkins, who believes that the threat facing companies in utility sectors like the water industry has never been greater.

His particular concern relates to attacks on Critical National Infrastructure, those facilities, systems, sites, information, networks and processes that are necessary for a country to function and upon which daily life depends.

Although the threat covers all the utilities, Andy argues that the water sector faces distinctive challenges due to geography, multiple sites, a mix of legacy and modern technology and the critical nature of water in human life. In the UK, there are 13 national infrastructure sectors ranging from water, energy and chemicals to nuclear, defence, finance and health, and all are under constant bombardment.

Andy said: “Attacks on these systems come from two main sources, one of which is nation states and terrorist organisations like those in the Middle East.

“Their primary aim is to disrupt systems. Their motivations are political and they know that if they can shut down something like a water pumping system they can cause massive disruption. They are looking for something that will have a crippling impact on society.

“The other people behind the attacks are criminal gangs who are looking for opportunities to exploit security weaknesses for financial gain. For example, it is easy to send emails containing links, with different websites behind those shown, that lead to ransomware that forces a victim to pay to free their system.

“While there have been some targeted attacks – for example against a power station in Ukraine and which was linked to the war with Russia – the vast majority are random sweeps.

“Typical attacks are made by sending out a large number of phishing emails in the hope of finding a chink in a company’s armour.

“A major vulnerability is the end user – people. Despite all the publicity about cyber security, people still make mistakes. They will visit websites they should not, clink on links they should ignore and open email attachments which let the hackers in.”

And they do that despite massive publicity warning about the dangers. Cyber crime has never occupied a higher place on the business agenda. Indeed, cyber offences were recently listed on the police’s annual survey for the first time with the figures showing 3.6 million cases of fraud and two million computer misuse offences in a single year.

And in February, Chancellor Philip Hammond gave a speech in which he stressed that companies need to improve their defences against cyber attacks.

Speaking at the launch of the new National Cyber Security Centre, the Chancellor revealed that the centre had dealt with 188 incidents in its first three months of operation alone.

However, he said, nine out of ten companies do not have a plan to deal with cyber attacks, despite 65 per cent of large businesses reporting having experienced an attack or breach in the last year.

Andy Wall believes that a major problem is human nature. He said: “Historically, security has been seen as a business blocker, which has encouraged people to find ways of getting round it if it frustrates. But people have a major part to play in a company’s cyber defence, and if they believe that it will not happen to them, they are prepared to take the risks that let the cyber criminals in.”

Further complicating the picture is the advent of the Internet of Things (IoT), whereby electronic devices ranging from kettles to machinery in factories are connected to each other via networks.

The positive potential is clear – connected systems lead to more efficient operations – but the threat is pronounced if the networks are not properly protected against cyber attack.

Indeed, in his recent speech Mr Hammond said that the increasing online connectivity of products and systems is a ‘source of vulnerability’ and warned that business must ‘sharpen its approach’.

Andy said: “The Internet of Things really is complicating matters. We had a major incident last year involving kettles and webcams which were used to bombard systems with requests to connect, overloading them and causing widespread disruption.

“People do not think of such things representing a threat. Most of these devices are cheap and disposable so perhaps do not have high levels of security but you could have 1,000 kettles, each connected to the network, which when linked present a much more powerful threat.”

Andy believes that the nature of the water industry also presents a challenge. He said: “The water industry deals in equipment on a long-term basis. You can have equipment that was installed 20-30 years ago and which is still in operational use. It is not like IT in offices, where systems are frequently updated, but we are now seeing a convergence in these systems that actively links the water control systems to IT corporate systems, something that was never envisaged a few decades ago.

“I do not think it is a case of water companies not taking the threat seriously; indeed many do. It is just that this convergence is hard from a security perspective. What tends to happen is that solutions are implemented quickly to make this convergence work and that can create gaps in cyber defences that an attacker can exploit.

“One thing that water companies can do is ensure that they design their security properly. For example, as they operate across geographical sites it makes sense to segment their systems. You may have one reservoir that is 50 miles from the next one and if its pumping system is attacked you want to restrict the damage rather than having it affect other reservoirs.

“Cyber security education is also critical. It is not enough to run a training session and ask people to sign a form saying that they have attended.

“People learn in different ways and you need to understand that. Our work in the oil and gas sector has shown that different information can be targeted at different roles such as plant operators or chief engineers to help people understand how they contribute to a company’s cyber defences. Having cyber security advisors with engineering understanding makes the impact of this education really powerful.”

Andrew.Wall@Atkinsglobal.com
www.AtkinsGlobal.com/cyber