6 Dec 2011

Is Britain vulnerable to cyber attack?

As MIT warns the United States may need a cyber shield to protect its power grid, Channel 4 News Technology Producer Geoff White looks at how serious the cyber threat facing Britain is.

Is Britain vulnerable to cyber attack? (Getty)

The idea that hackers could target our power grid, train system or fuel supply scares the pants off politicians.

It’s one thing apologising in parliament for losing a disc full of citizen’s data – it’s another thing trying to explain to them why the lights have gone out in millions of homes and there are three-mile queues at petrol stations.

Yet so far, infrastructure computer systems have felt fairly safe from attack, for a couple of reasons: number one, compared to the fast-moving world of the internet, the machines that control power stations, etc, are usually so antiquated and clunky it seems unlikely any self-respecting hacker would have a crack at them. They are the remit of beardy engineers, not shades-wearing cyber-terrorists.

Number two, most infrastructure systems are not directly connected to the internet, and therefore “safe” from online attack.

‘Dangerously complacent’

Recent events show these assumptions to be dangerously complacent. Nations are now involved in hacking, and taking down an enemy’s infrastructure is too juicy a prospect to be ignored.

And those infrastructure systems are no longer isolated from the internet. The Stuxnet virus, which attacked Iran’s nuclear facilities, wormed its way into an offline area of the enrichment facility’s system, then waited for that system to connect to another, and another, “hopping” its way out to eventually gain access to the internet, and its masters.

Read more: What is Stuxnet?

The idea of infrastructure systems being isolated received a further blow when a pump at a water plant in Illinois blew up on 8 November. An initial report claimed it was the work of Russian hackers. The truth is that the pump simply malfunctioned; the Russian connection came from an engineer who had logged into the system while on holiday in Russia months before the incident.

OK, so the Illinois Statewide Terrorism and Intelligence Center which produced the original report, had a serious case of “Reds under the bed” syndrome. But let’s not miss the important point – an engineer was able to log into a critical US water system remotely from Russia. I think that’s serious in itself.

The threat of cyber-warfare in Britain (Getty)

Britain’s problem

Britain will soon have to get to grips with this problem, as our power network changes. At the moment, we have power generators who run the nuclear plants, wind farms, etc. They then feed into the National Grid, which feeds into our homes. It’s a one-way process, and each stage of it can be fairly easily controlled from a network security point of view.

That will all change as we switch to a “smart grid”. Remember the wind turbine on David Cameron‘s house? Well, in a world where consumers of energy are also creators of energy, the one-way power system no longer works; there must be a method of sharing and transferring power around. This makes it increasingly hard to control and secure the network. (There was an excellent report on all this from the Energy Networks Association.

I’ve been told there have been electronic attacks on our power network.

So how safe is our infrastructure? I’ve been told that there have been electronic attacks on our power network, but so far have found this impossible to substantiate.

Our power stations, rail network, fuel supply lines, etc, are overseen by the reassuringly-named Centre for Protection of National Infrastructure. It “invites” power suppliers to fill in a self-assessment questionnaire about their systems’ security. These questionnaires are not published (even the Energy Networks Association report authors couldn’t see them), and my Freedom Of Information request for them proved predictably fruitless.

Not that the energy providers have been complacent; they were one of the first groups (after the finance sector) to set up a forum where they can meet off-the-record and share information about electronic attacks. The problem I have with this is that in the absence of any public information, we simply have to accept that our nation’s energy supply is in safe hands. In the wake of Stuxnet and the Illinois incident, I’m reluctant to do so.

You can get in touch with Geoff White on Twitter, @geoffwhite247.