11 Oct 2022
by Campbell Hayden

Keeping sustainable start-ups cyber safe (Guest blog by Atkins)

Guest blog by Campbell Hayden, Managing Consultant and OT Cyber Security Lead at Atkins #Cyber2022

With the UK Renewable Energy Market predicted to grow by more than 10% between 2022 and 2027[1], and the government’s Build Back Greener strategy committing £1.5 billion of funding to support net zero innovation projects, there’s no denying that decarbonisation is big business.

Innovation is abounding, particularly within start-ups, as individuals and groups collaborate to create solutions that will help address the challenge society faces to reduce its emissions. But with every innovation comes risk. As new organisations join the renewables sector, developing technologies to help us become more sustainable and achieve our critical net zero emission goals, they become a target for cyber-attack. No matter how laudable a business’s goals, attackers will capitalise upon any opportunity to access and damage their systems – for financial gain, or as part of state-sponsored activities designed to destabilise and disrupt countries’ critical national infrastructure (CNI).

The ransomware risk

Both CNI organisations and the renewable sector have already been subject to cyber-attack and continue to be at risk. One key method of attack is ransomware – where companies’ systems are compromised, and not released until a financial ‘ransom’ is paid in cryptocurrency. In 2021, the National Cyber Security Centre suggested that ransomware is the most significant cyber threat facing the UK, while Jeremy Fleming, the director of UK intelligence and security organisation GCHQ, said that the number of ransomware attacks on British institutions had doubled in the past year.  Of particular concern is the threat of ransomware to Operational Technology (OT), which is likely to grow significantly in the next one to two years.

Recognising the importance of CNI organisations to society – those that provide functions related to government, defence, emergency services, energy, health, transport, communications and water – hackers are repeatedly focusing their sights upon them. A ransomware attack on the Irish Health Service Executive in May 2021, for example, disrupted hospital and healthcare IT networks for ten days, affecting both patients and their families.

The renewable sector is also under attack – particularly the wind industry. Wind turbine manufacturers, Vestas and Nordex, both had to switch off multiple IT systems following cyber incidents; while a cyber-attack on the KA-SAT satellite cause huge disruption to Enercon’s turbines. In September 2022, Canadian Solar, the manufacturer of solar PV modules, was reportedly hit by a ransomware attack, and electric vehicle charging stations in the UK have been accessed and forced to display the hacker’s chosen content on screen.

Seven tips to support start-ups

So how can innovative, environmentally-focused, start-ups protect their cyber security? Advice to new businesses usually focuses on research into the market and competitors, identifying their product or service’s unique selling point, and understanding the opportunities and risks they face. This last suggestion is core to protecting both the business’s digital and physical systems – and ‘baking in’ security to the design, through identifying and mitigating these risks from the outset. Entrepreneurs put their whole energy into their passions, and to protect the company they are passionate about they must direct this same level of energy into ensuring they are resilient to cyber-attack.

Here are seven tips to help start-ups as they begin to build in cyber security to their systems:

  • Identify the systems and information that you need to protect: What key role does each play in underpinning your business objectives, and how would your organisation and customers be affected if they were unavailable or breached?
  • Understand and manage the vulnerabilities of each of these elements: Can they be accessed via your networks, and how could attackers get into your systems? Are your OT environments secure?
  • Monitor any changes: Are there increases in traffic that could indicate a Distributed Denial of Service (DDoS) attack? Are there changes to the configuration of your systems that you and your teams didn’t make? Ensure you can proactively detect any anomalies as early as possible.
  • Have a recovery plan in place: Ensure you know what to do should attackers be able to breach your defences.
  • Test your response and recovery plans against potential scenarios: It can often be useful to have the support of experts at this stage, as they may be able to suggest scenarios that you haven’t considered.
  • Think about your security holistically, including physical and personnel security: Look outside the box and think about the knock-on effect that a small change could have on other, interrelated, systems. And how could an attack on your supply chain potentially affect your business?
  • Train your staff to recognise potential attacks: No matter how small you are, your people are your first line of defence against attack. Make sure they know who to report any security concerns or attempted breaches to, and that you welcome their input.

Renewable and sustainable technologies are likely to form a key part of the CNI of our future, as we respond to the challenge of climate change. To keep this infrastructure safe, it must have cyber security embedded from the outset – secure by design against being held to ransom.


Help to shape and govern the work of techUK’s Cyber Security Programme

Did you know that nominations are now open* for techUK’s Cyber Management Committee? We’re looking for senior representatives from cyber security companies across the UK to help lead the work of our Cyber Security Programme over the next two years. Find out more and how to nominate yourself/a colleagues here.

*Deadline to submit nomination forms is 17:00 on Tuesday 18 October.


Upcoming events 

Cyber Innovation Den

On Thursday 3 November, techUK will host our fourth annual Cyber Innovation Den online. This year we’ll explore efforts being made to realised the ambition set out in the National Cyber Strategy, with speakers taking a look at the progress we’ve seen to date, including the foundation of the UK Cyber Security Council, the reinvigoration of the Cyber Growth Partnership and the continued growth in the value of the sector to the UK economy.

Book now!

Cyber Security Dinner

In November techUK will host the first ever Cyber Security Dinner. The dinner will be a fantastic networking opportunity, bringing together senior stakeholders from across industry and government for informal discussions around some of the key cyber security issues for 2022 and beyond.

Book now!


Get involved

All techUK's work is led by our members - keep in touch or get involved by joining one of the groups below.

The Cyber Security Group provides a coherent voice for industry working in "high threat" areas - including defence, national security and resilience, the protection of critical national infrastructure, intelligence and organised crime.

The Cyber Management Committee sets the strategic vision for the cyber security programme, helping the programme engage with government and senior industry stakeholders.

The CSSMEF is comprised of SME companies from the techUK membership. The CSSMEF seeks to include a broad grouping of different SME companies working in the Cyber Security (CS) sectors.

 


techUK – Committed to Climate Action

By 2030, digital technology can cut global emissions by 15%. Cloud computing, 5G, AI and IoT have the potential to support dramatic reductions in carbon emissions in sectors such as transport, agriculture, and manufacturing. techUK is working to foster the right policy framework and leadership so we can all play our part. For more information on how techUK can support you, please visit our Climate Action Hub and click ‘contact us’.

 

 

Authors

Campbell Hayden

Campbell Hayden

Managing Consultant and OT Cyber Security Lead, Atkins