Blog: The internet threat to energy networks is hacking unbelievable

You could reasonably assume that a power station is fairly impregnable. Those hulking dull-silver or concrete buildings fenced around with brick walls or barbed wire, stringent personnel checks on people […]

Register now!

By Vicky Ellis

You could reasonably assume that a power station is fairly impregnable.

Those hulking dull-silver or concrete buildings fenced around with brick walls or barbed wire, stringent personnel checks on people entering the premises, restricted access to critical areas.

That may have been shown up by the recent exception when anti-gas activists broke into EDF’s West Burton plant and occupied the cooling towers in hanging tents for the better part of a fortnight. But that WAS an exception – and they only accessed the chimneys, not the beating heart of the plant.

Without doubt – and for obvious reasons – physical security is tight around power stations. As an example, friends of mine who wanted a few shots of Kent’s Dungeness power plant for a short film last year were swooped upon by the Civil Nuclear Constabulary – the UK’s armed nuclear police – and asked what they were doing, despite being out of view from any obvious security presence.

Further from home, officials at the site of the nuclear disaster Chernobyl in Ukraine don’t permit visiting tourists to take pictures in any direction except directly towards the ruined plant covered by its protective shell, in case the images could be used for dodgy purposes.

The threat of terrorism is understandable for plant operators and governments alike. If an unpredictable natural disaster (think Fukushima) or a manmade one (think Chernobyl) can be dangerous, how much damage could a deliberate, targeted attack cause?

It is a sobering thought. But far more sobering is the ease with which a potential hacker could affect the operational systems of a plant without stepping foot in the building – or even being in the same country, if you go by new research in the United States.

This week it was reported that security consultancy InfraCritical has found thousands of computer systems controlling power processes in the States which could be at risk from cyber-attacks.

Out of those 500,000 potential targets, the US Government’s Department for Homeland Security singled out 7,200 important targets which could be found online and is contacting the firms who own these computers to warn them.

Now, the researchers at InfraCritical didn’t test the computers to see how well they were protected – and it would seem likely they had a modicum of protection. But I don’t like the idea of a hacker getting anywhere near that sort of kit – do you?

What’s more, as ELN reported yesterday, a British security firm believes utilities and power firms on this side of the pond could also be at risk because of outdated software.

Chris McIntosh of ViaSat UK reckons the trend towards automation “has granted malicious attackers a multitude of ways to cause major disruptions” which could potentially lead to blackouts of entire regions.

While this is marginally less Machiavellian than blowing a power station sky high, it’s still hairy stuff. It seems this is yet another area where the energy sector needs to wise up and enter the 21st century – or else risk far more than a Trojan Horse on the company laptop.