The biggest threat to operations

Victor’s role is to ensure that Schneider’s solutions and services are being delivered to the UK and Ireland business sector from a security perspective, as well as collaboratively with the government and market peers. Alongside this, he is raising awareness of ransomware and it being the current biggest threat to company operations.

In the UK industrial sector, there is currently a lot of collaborative work taking place around the government’s objective to make the UK the most secure location in the world to do business with. “In the last couple of years, the industry has seen a drive to ensure that everyone is pulling in the same direction. And the government is revising its Network and Information Security Directive-related legislation, aligning with the EU’s own NIS 2 update.”

The changes will have implications for the whole supply chain, requiring a wide ecosystem of essential service providers and manufacturers to rapidly advance cyber security maturity to minimise risk. In both the UK and EU, connected businesses throughout the supply chain will be expected to be cyber secure, with responsibility extending to friendly third-parties connected to systems through remote access. For utilities, this is especially crucial as any business involved in the supply chain risk huge fines.

There have been numerous changes that have impacted the sector over the last five years, specifically geopolitics, and they have influenced how businesses operate.

Because of the recent disruption, the sector has seen a stark increase in the level of ransomware attacks. “Ransomware is the biggest threat to operations right now and it is making annual profits of over $1bn per year, with more money being made from ransomware than narcotics,” Victor commented. He emphasised the call for regulation due to the fact that ransomware is being run like a business; sophisticated operations with product managers, technicians and specialists who are often backed by nation states.

Ransomware and a risk-based approach

To mitigate this threat, Schneider Electric has urged manufacturers to take a risk-based approach to security. He continued: “One of the key drivers is understanding where the risks are in managed services. Once we know these, we can see where we need to make most of our investments, rather than thinking of a legislative approach to regulation. This can just become a tick box exercise, and doesn’t necessarily make you any more secure.”

He went on to explain that there are three steps that attackers will take to gain access to an area of interest. The first is compromising the source; someone who works for the targeted organisation such as a chief technologist or a senior executive. “This is why it is important to consider what you do as part of your public profile, because it is used as part of the reconnaissance process to identify persons of interest. The persons will then be targeted through phishing,” he explained.

If the attacker cannot gain access through an insider who works for the organisation, the next step is through the people who provide the services. This is why Schnieder Electric are pushing for managed service providers to become part of the regulatory authority. “The government needs to bring managed services within the envelope. The first step is targeting the senior insider, but after that, it is about targeting the networks that are associated with them to find the asset of interest.”

The second step is exploiting the baseline level of cyber security for operators. Therefore, minimal levels of protection such as firewalls or password changing will need to be increased and additional layers of security added. “We’re adding to the systems to protect the network to a higher level of capability within an organisation,” added Victor.

“The third step is the assets. If you aren’t targeted directly, you will most likely be compromised in some way, shape or form,” said Victor. Schneider Electric are trying to minimise the level of compromise so that organisations can get assets back up and running in the shortest time possible. If companies are attacked, they are most likely to be suboptimal for three to four months, which can cause a considerable loss of revenue for an organisation.

Raising the bar

Victor added that the enhanced level of security requirement for utilities is going to be in effect by 2025, which is right round the corner. “There will be some exceptions to that which will be extended to 2027, and for people who are in other associated sectors such as energy or oil and gas – the other target organisations that come with NHSE expectations that will be enacted by 2027,” he said.

However, thinking of how different organisations run with project timescales, getting the capital in place with projects and the looming 2025, or even the 2027 deadline to get targets in place in time, will create some barriers.

Driving towards net zero

“We’re trying to move towards a net zero target and we can all see the benefits of that. We have been trying to reduce waste ourselves within our processes and procedures for the last 50 years,” said Victor. Reducing waste from an energy perspective means the industry needs to digitally transform in order to fully understand where the waste is in real time.

However increasing that digital footprint and connectivity also increases the attack surface which is then used by malicious actors to gain access to our systems. That has a knock on impact on business resilience. So, from a network perspective, as the industry moves towards renewables, the energy sector is becoming more fragile and open to attacks, causing complete power blackouts. “This has given attackers the idea that a single event could cause catastrophic outcomes to a large area.” This is one of the drivers from the directive; to increase the resilience of businesses so they can protect themselves against attackers with higher capabilities and if they are impacted, to get back to business as usual as quickly as possible.

Supercomputers and solutions

As an industry, we are also seeing artificial intelligence and quantum computers being deployed more and more. “IBM has stated publicly that if you’re not interested in quantum computers now, then you’re probably too late.

“Once a quantum computer becomes active within an environment, it is going to render current practices useless. So, the RSA type keys (the public-key cryptosystem used for secure data transmissions) that we use for our day-to-day activities will have to be hardened and strengthened. This could be only five to ten years away.”

Thinking from an industrial process perspective, when deploying an asset, it is expected to be in place for 10, 20 or 30 years. This means there is a high chance that the industry is already deploying equipment with technical debt from a quantum computer perspective.

“We do not want to make the solutions too sophisticated for the customer,” Victor said. “When we go beyond the typical firewalls, passwords and we need additional protection systems, there’s often an increase in complexity in the solutions being delivered, so we must continue to think about ways that we can simplify those.”

He added that we will need to ensure that subject matter experts within operations can sustain these systems once they are delivered so they don’t end up as a factory acceptance tests and then gather dust on-site.

Cyber skills gap

“In the UK we have had an engineering gap for the last 20-30 years in terms of lack of investment in people and skills. But this also translates to a cyber skills gap, and creating a multi-layered approach to implementing higher levels of cyber security capabilities,” explained Victor.

But cyber is one of the areas where companies would have no difficulty hiring if the skills were available. Something that Schnider Electric feel is important from an education perspective is making cyber a core to basic foundational skills. “Once we get into delivery from a people perspective, cyber skills are also going to be business as usual as far as your day-to-day activities are concerned. Electrical engineering, civil engineering and process engineering will all have to have a certain, minimum level of cyber skills just to deliver day to day activities,” he added.

Collaborative effort

The government now has a discussion document to ensure company directors are aware of their responsibilities around investment in cyber security, as it has traditionally been an area that has seen under-investment across the board. However, there is now a heightened risk and industry is on the front line. Ransomware is a geopolitical tool so we have to raise investment in line with that risk. Schnider Electric assists companies in this regard; with the implementation of a collaborative effort and around capabilities and skills.

“There is a collaborative effort driven by the Department of Net Zero which includes government, operators of essential services and technology providers, like Schneider Electric, Siemens, ABB, etc. This is for us to come together to think about how we can ensure security in the supply chain and procurement,” Victor explained.

There’s three key pieces that go beyond just cyber compliance that businesses need to be aware of. First is the recognition that business risk is tied to cyber risk. After that, it’s raising investment and ensuring it closes that technical debt gap. And then thirdly, making sure that the capability and skills are moving towards business as usual for at least 2027.

Three takeaways

“We must impose a cost on the adversary and not make it easy for the attacker to get in through the insider and into the network to the asset. That is part of raising the bar.

“We must also mitigate the threats and make those mitigations less complex – that can be provided through more integrated solutions that organisations like Schneider Electric are working on. And then finally we have to close the capability gap – and we do this via raising awareness, providing training and also additional resources to organisations in industry to help people build together.”