Cyber risks associated with energy technology are high on the agenda for UK businesses with two-thirds (65%) significantly concerned about the issue and over half (51%) worried that their client data isn’t handled securely enough by their energy supplier, according to the latest PwC B2B Energy Survey.
This ongoing concern comes at a time when energy suppliers are delving ever deeper into smart energy technology for both corporate and domestic markets, with businesses actively weighing up the benefits of technological innovations to reduce energy costs and cut carbon emissions.
According to the survey of over 500 UK businesses, if their energy supplier fell victim to a cyber-breach, three in five (57%) businesses, and almost 70% of industrials, would switch supplier – a figure that should sound an alarm across the energy sector according to Steve Jennings, power and utilities leader at PwC.
“Against a backdrop of technology innovation, privacy regulation, and the growing adoption of the Internet of Things, it’s perhaps not surprising that UK businesses are concerned about cyber threats – a finding that is mirrored in our recent CEO Survey1, where cyber ranked as a higher threat than the speed of technological change.
“With cybercriminals able to turn off the supply tap as well as monetise data from energy firm’s customer and employee digital records, the risk is clear and cannot be ignored.
“It’s vital that energy suppliers gain the confidence of their customers by clearly demonstrating their ability to not only identify innovative technologies but critically to enhance their cybersecurity capabilities to respond to a range of sector specific events that could increase vulnerability.”
Energy supply and third party threats
Cyber security and data privacy are increasingly being recognised as risks to systems – from power stations to networks to smart meters – and business/consumer data held by suppliers, as well as any third party IT or financial alliances. In addition, the growth of smart, connected propositions related to distributed generation, batteries, electric vehicles and smart heating & lighting exposes new systems and controls to threats from external attackers.
Demonstrating the enormity of these risks, PwC and BAE Systems recently uncovered a global hacking group (APT10) which was targeting providers of managed outsourced IT services.
This provided a route into their customers’ organisations around the world and gained them unprecedented access to intellectual property and sensitive data.
This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – and is one that should also serve as a call to action for suppliers.
According to Niko Kalfigkopoulos, PwC cyber specialist, there are a number of steps smart energy suppliers can take to ensure they are operating at a high level of cyber security maturity and , crucially, give their customers’ much needed reassurance that their data and security of supply is protected.
With suppliers increasingly focused on analysing energy consumption and user behaviours to drive business decisions, many are now combining data from smart meters and connected homes devices into a single data warehouse – or data lake. While encryption is key to protecting this data, suppliers continue to place a large amount of reliance on security mechanisms provided by third parties and there is uncertainty as to the effectiveness of these mechanisms. As a result, suppliers should consider only partnering with trusted third parties and allowing just a small number of these smart devices to connect to their ecosystem, a move that could minimise the risk from rogue devices.
Other suggested strategies include:
- Reviewing incident response capabilities and how data breaches are managed, particularly in light of the incoming General Data Protection Regulation requirements for timely reporting of data privacy incidents.
- For cloud services, suppliers should seek provide third party assurance over the service provider they use to ensure they are effectively managing the risks to customer data.
- Customer privacy must be prioritised and transparent; strategies for privacy by design and communication to the general public of how they are managing customer data are required.
- Suppliers should push for a form of industry standard product assurance, which would allow them to label their devices as ‘approved’ and reduce their exposure to being left at fault if the customer adds ‘unapproved’ devices to their network.
Niko Kalfigkopoulos, said:
“With around a third of industrials and over a fifth of commercial organisations planning to spend more than £1m on smart energy technology, the need for utilities – and smart technology suppliers in general – to get their cyber house in order is vital. Those organisations that react now with effective and transparent strategies will be the winners in the long run.
“This will not only help them in defending their own internal systems, it will also help improve the security of their connected home and smart technology offerings.”