Elexon announced last week that their internal IT had been impacted by a cyber-attack. Specific detail about the attack was not, understandably, released although there has been some speculation in the media. Elexon plays an important role in the UK electricity market by operating the Balancing and Settlement Code (BSC) and facilitating payments between generators, suppliers and brokers. Although the ‘critical national infrastructure (CNI)’ systems at the heart of electricity market operations were unaffected, the incident is nevertheless embarrassing for this ‘middleman’ organisation.
Coincidentally, the incident caught the Badger’s eye just after reading the UK Department of Digital, Culture, Media & Sport’s March 2020 Cyber Security Breaches Survey. Broadly, the report concludes that with Board attention on cyber security and the advent of GDPR, organisations are becoming more resilient to cyber-attacks and faster at recovering from breaches, but less likely to report the negative impact and cost of breaches. The report also reiterates that the nature of cyber threat is continuously evolving and that organisations are experiencing attacks more frequently than 5 years ago. Essentially, progress is being made but there is still lots to do and no organisation can be complacent.
The Elexon incident is yet another reminder that organisations and the public in today’s digital world can never be immune to cyber threat from ‘bad actors’ of any type. It is a reminder that personal and organisational cyber security awareness, diligence, discipline, and professionalism are essential if threats are to be minimised, attacks repelled, and security, data, and privacy preserved. The fact that the Elexon incident did not impact the electricity market systems per se, or the ability to keep the country’s lights on, is not surprising because CNI systems are obvious targets for ‘bad actors’ and their protection is taken very seriously by complying with good advice and guidance from national authorities.
A couple of days ago, a conversation with an acquaintance about the Elexon incident took an unexpected turn. They said if they were a ‘bad actor’ like Blofeld out to destabilise an entire country, they would unleash a simultaneous cyber-attack on all ‘middleman’ organisations similar to Elexon and DCC (for Smart Meters) in all key sectors. Why? It would be easier and simpler than going after CNI systems per se, because the ‘middleman’ is likely to have more weaknesses in their cyber defences. National turmoil would ensue without damaging the CNI itself. Just think, they said, what knocking out all ‘middleman’ organisations simultaneously would lead to in terms of pressure on the government, business frustration, social media backlash, loss of national confidence, political turmoil, international embarrassment and so on. The door would be open for a new regime!
The acquaintance sensed the Badger becoming concerned and suspicious. They quickly pointed out that they were not, of course, actually Blofeld! And, just in case you are wondering, neither is the Badger…