He spoke to City A.M. about the the threat of cyber attacks to energy infrastructure, as well as how businesses and governments should be combating this.
Is the risk of cyber attacks to energy infrastructure increasing?
In the last two years, this issue has really come in some countries basically close to if not to the top of the keep-me-awake at night issues. So cyber is a very big issue for energy infrastructure.
When you say energy infrastructure you’re talking about the whole power grid?
Do you think cyber security as a threat to energy infrastructure is a bigger risk than politicians and the public realise?
Yes, I do. I think it’s a bigger risk, generally in Britain and elsewhere. Britain probably as a country has done more about cyber than many other countries but our observation is that there are two types of risks that we have seen very little response to: supply chain risks which are typically external [to a company], as well as cross-border management regarding shared resources [such as pipelines].
Does Hinkley Point, or a fleet of small nuclear reactors, pose a greater cyber security risk?
I would not think that it’s necessarily a bigger risk for nuclear than gas. I think the biggest risk is the different types of risk: You can have blackout style risks, confidential customer information going out, or you can have your operations in terms of your salaries being paid elsewhere.
Who is likely to be behind these attacks?
That’s not really a question we have asked. The key question we are trying to answer is: what are the possible ways to get your due diligence as smart and as quickly up and running as possible?
Is business doing enough to mitigate these risks?
Industry best practice is still to increase efficiency by using the same type of IT infrastructure, and that by default is a starting point for vulnerability. The question many have started working on is how do you get more discontinuities [variety] into the system. We are testing ideas.
Could you see something like that existing in Europe or the UK one day?
Yes, absolutely. We’re in the stone age of cybersecurity and I think we need to learn a lot. The real learning will only come after the first major incident.
When could cyber attackers strike?
The common feeling in the industry is that this can happen at any time. We’ve seen this happen earlier this year in the Ukraine.
From a system perspective what you don’t want to see is things going black. That would be a disaster and we’ve seen with Ukraine that this is a real possibility. The economic cost of a blackout is just huge. What can you do without energy? Everything stops.
Is Britain underestimating this risk?
Not only the UK. I think generally this risk is almost a case of if you haven’t seen it, you don’t believe it. The risk becomes real once you've experienced it or seen the pictures of this.