Concerns over the threat posed by cyber-attacks on power stations and electricity grids is “off the scale” in the UK energy sector, according to a leading industry figure.
No other country in the world has an energy industry as worried about the risk from cyber threats, such as the WannaCry ransomware attack that recently hit the NHS, the former chief of National Grid told the Guardian.
“The UK stands out uniquely on cyber threats. Nowhere else is as worried as the UK about cyber threats: we are just off the scale on our energy system concerns on cyber,” said Steve Holliday.
He said the danger posed to energy systems was coming to the fore now because of the trend away from well-protected, centralised large power stations and towards decentralised power, such as lots of small, flexible gas power plants and solar panels on homes.
There were also a growing number of web-connected devices in energy technology, he added.
One obvious target is the smart meters that are being installed in every home by the end of 2020, to automate meter readings. The Capita-run body set up to handle the data, the DCC, is being treated as critical national infrastructure and the company’s chief technology officer insists the data is safe.
“We don’t hold personal information [on energy supplier customers], we don’t see any form of sensitive data and we are not connected to the internet,” Matt Roderick told a recent industry conference.
Holliday’s warning comes as the UK parliament reels from a “sustained and determined” cyber-attack which left MPs unable to access their emails.
Industry trade body Energy UK said there was a central system for logging threats, to help rapidly counter them. “Maintaining the highest level of security against cyber threats is a top priority for the industry,” a spokeswoman said.
Security experts from the National Cyber Security Centre and companies including Siemens also recently attended a summit on cybersecurity and energy infrastructure, hosted by Energy UK and the Department for Business, Energy and Industrial Strategy.
The issue is not just a concern for the power sector, but for oil and gas producers too. BP said recently that “we are a target for this activity” when asked by shareholders about how seriously it was taking cybersecurity.
“Cyber is high on the agenda. It is one of the key risks the company identifies,” said Carl-Henric Svanberg, chairman at BP. “We were not affected luckily by this [Wannacry] attack, primarily because everybody had followed procedures of continuous updates.”
Brian Gilvary, chief financial officer at BP, said the firm did not share specific information on the number of attacks it faced. However, he said the company had a strategy of repelling what it could, detecting what got through and then cleansing when cyber-attackers had breached defences.
The World Energy Council, a global network of energy leaders, said cybersecurity in the energy sector had been high on the agenda of a security conference in Munich earlier this year. The issue was also raised in May by the Scottish parliament.
PricewaterhouseCoopers recently found that 65% of UK businesses were “significantly concerned” over cyber risks to energy technology. Three in five businesses would switch energy supplier if they suffered a cyber breach, according to a survey of 500 businesses by the professional services firm.