Tony Burton, managing director of cyber security & trust at Thales UK, looks at smart grids in the UK.
Smart grids are responsible for the distribution and management of the UK’s energy supplies, powering our homes, businesses, and public services. If they’re compromised, the consequences are far-reaching. Widespread power outages, disrupted critical services, misdirected demand, and stolen energy resources are just a few examples.
To date, over two fifths of critical infrastructure organisations have suffered a cyber breach – highlighting the very real risk facing the sector. Thankfully, with the right proactive approach and defences in place, smart grid operators can ensure they are secure by design and resilient, reducing their risk of attack.
The threat landscape
According to Thales’ 2024 Data Threat Report, attacks on critical infrastructure (CI) are on the rise. This trend coincides with the increasing digitisation and ‘smart’ transformation of power grids in recent years. While this shift allows for better monitoring, optimisation, and management of energy usage amidst ongoing energy, environmental, and cost of living crises, it also introduces significant risks. The digitisation of power grids has expanded the attack surface, providing cybercriminals with numerous entry points through smart grids’ various interconnected and interdependent digital systems.
Common threats include human error (34%), exploitation of known vulnerabilities (31%), and failure to apply multifactor authentication (20%).
Concerningly, almost a third (30%) of CI organisations also experienced an insider threat incident.
Establishing a robust defence strategy
With a diverse and complex threat landscape at play, smart grids require robust, multi-layered defences to build cyber resilience. Smart grid risk managers and operators should therefore be rolling out the following framework to mitigate the risk of breaches:
- Establish your foundations: Adopting a “secure by design” approach to cyber security is essential, rather than treating security as an afterthought. Unlike retrofitting cybersecurity into legacy tech, “secure by design” prioritises building robust security mechanisms into the foundational architecture of a product or system from the outset.
- Prioritise compliance: Only 17% of CI organisations that achieved data protection compliance have any breach history whatsoever, and just 2% have been impacted by a breach in the last 12 months. Passing an audit may seem like a tick-box exercise, but there’s a clear correlation between compliance and cyber resilience.
- Safeguard data sources: Protecting sensitive data with the highest levels of encryption will be essential to preventing data tampering. This encryption will create a fortified barrier against those looking to exploit data or tamper with systems, ensuring any compromised data is worthless if in the wrong hands. Appropriate management of the cryptographic keys is also critical, and this is 80% about people, process and policy enforcement and 20% about the key management technology.
- Implement the principle of least privilege and MFA: Asset management should be a top priority given the risk of insider threats. Organisations should only grant users the minimum access necessary to perform their job function and should regularly review access rights. Users should also be verified with multi-factor authentication.
- Address human error: With human error consistently emerging as the leading cause of breaches, providing extensive cybersecurity awareness training and exercising will be paramount in tackling this risk and instilling the reality that cyber hygiene is a collective responsibility. This goes beyond your core employees; smart grids still have a supply chain with vendors and third parties who could act as a gateway for cybercriminals, too.
Adopting a ‘when, not if’ mentality
In addition to these robust defences, adopting a ‘when, not if’ mentality to pre-empt breaches is vital. While developing response and recovery plans is valuable, regularly stress-testing your infrastructure is the only way to truly understand the threat level of your environment.
For example, Thales already partners with smart grid operators, using its state-of-the-art ‘smart grid laboratory’ at its Cyber Resilience Lab in Ebbw Vale. Using real-time data, reference hardware and a comprehensive cyber range in a secure, offline environment, these simulations can identify vulnerabilities in networks ahead of time, run hypothetical demos to highlight the impact of outages, and allow operators to assess and improve their cyber-threat preparedness.
Thales’ proactive threat detection capabilities are a critical part of this. Continuous monitoring and advanced detection tools can alert operators when systems are under threat or when suspicious behaviour is detected, allowing them to act appropriately to mitigate the threat. This will harden systems to be proactive – not just reactive. In a complex environment with increased use of AI and machine learning, it is critical that these learning behaviours are proactively monitored to ensure good learning is encouraged and bad learning is identified and mitigated.
The final word
Hackers have always taken advantage of turbulent periods or high-stakes infrastructure – whether it be for financial gain, political goals, or other malicious ends. Smart grids are no exception.
To navigate the high-risk landscape, organisations must give equal priority to robust defences and proactive measures. Regularly assessing security vulnerabilities with simulations, rolling out effective threat responses, and keeping software and hardware defences updated according to regulations and best practices will establish a well-rounded response to the ever-evolving cyber risks that smart grids encounter.