Protect Cybersecurity Spending to Avoid Attacks on Energy Infrastructure

Cyber security
Energy infrastructure in the UK is at risk of devastating cyber attacks, according to security experts, December 27, 2014. Dado Ruvic/Reuters

Defence budget cuts could leave the UK open to a devastating cyber attack, according to analysts.

The former head of the U.S. National Security Agency warned last week that western countries such as America and the UK face a "doomsday" scenario where cyberterrorists could knock out electricity and water infrastructure while also paralysing financial sectors.

The UK coalition government committed £650m in new investment in its national cyber security programme in 2011 over the course of four years. This was boosted by a further £210m up to 2016.

However, with a defence spending review due after the election, it has not been made clear whether this budget will be protected.

Ewan Lawson, senior military research fellow at defence thinktank the Royal United Services Institute, says spending on cybersecurity must be protected to prevent attacks on energy infrastructure with "catastrophic" consequences.

He points to a cyber attack in December which caused massive infrastructural damage at a German steel mill. Hackers used booby-trapped emails to capture login details from employees, which they then used to access the plant control system. The hackers stopped the proper functioning of a blast furnace, forcing an emergency shutdown which caused the damage.

"I think the defence budget clearly has a role to play in cyber security," says Lawson. "With cuts plus ringfencing of spending on other things means your room to manoeuvre in where you spend your money is gone."

Lawson also points to vulnerabilities in the UK business and financial sector, which he says are less efficient at sharing data on potential cyber threats than the U.S. business sector.

Caroline Baylon, research associate in cybersecurity at the Chatham House security thinktank, adds that cyber security must remain a priority not just for the government but the business sector.

"Obviously we do need way more spending on cyber security, but it's not just government but also businesses and the raising of awareness about cyber security which is at issue," says Baylon.

Baylon adds that much of the UK's energy infrastructure is not designed to cope with sophisticated cyber attacks. Water systems, power grids and gas supplies could all be put at risk by actors looking to exploit vulnerabilities in critical infrastructure.

The attack on the German steel mill was rare in causing physical damage to infrastructure. Another attack which caused physical damage was the Stuxnet worm, which caused centrifuges in Iranian nuclear power plants to fail and was blamed by Tehran on the U.S. and Israel.

Baylon says that such examples set a precedent for future attacks.

"Our critical infrastructure is very vulnerable because we didn't design security in at the beginning," says Baylon.

Speaking at an energy conference last week, General Keith Alexander, who led U.S. strategy on cyber security for much of the last decade, named five countries as capable of conducting cyber warfare at the highest level – the UK, U.S., Russia, Israel and Iran.

A report by cyber security firm Cylance Corp found that Iranian actors have hacked into critical infrastructure in the UK, France and Germany, as well as U.S. military emails.