Protecting the UK’s power from cyberattacks

A country can’t run without electricity, but how do you ensure the UK’s largest single site generator is safe from cyber threats?

At the heart of all aspects of modern life is a common resource: electricity. We need it to power our homes and our devices, to do our jobs and increasingly with electric trains, trams and cars, to get from A to B. For that electricity to be generated we need power stations.

They’re a critical part of the UK’s infrastructure, and so for terrorists and foreign states that have much to gain from disrupting the country, electricity generators are an obvious target.

Drax Power Station is the UK’s largest, with the capability to generate enough electricity to power every home in the north of England. With this mantle comes a higher risk of security threats – notably cyberattacks. Protecting the plant from these attacks is not only essential for Drax’s business, but for the safety of the country.

The threat of cyberattacks

Cyberattacks exist in the digital space, but can have a very real and tangible effect on the physical world. Between 2007 and 2010, a computer virus later called Stuxnet attacked the Iranian nuclear programme, damaging a number of the centrifuges – a key part of the nuclear manufacturing process. As a result, Iran was forced to decommission roughly 1,000 centrifuges.

In a separate attack, 35,000 computers belonging to the Saudi energy company Saudi Aramco were partially wiped and destroyed, disrupting Saudi Arabia’s ability to supply 10% of the world’s oil. Over the past few years the threat of malicious entities has only increased – an alleged nation state attack on Ukraine’s power grid in late December 2015 left thousands of homes without electricity.

Drax is not immune to similar attempts – every month, the security team investigates about 1,000 issues. On an average month, two of the 1,000 are judged to be serious enough to warrant further investigation.

This is where Darktrace comes in.

Identifying the threats

Darktrace is an incredibly powerful system that identifies and deals with threats to Drax. It starts by getting to know you.

It learns every single device on the network, its speed of traffic, and the patterns of each user’s daily work behaviour. For example, if a user logs in to the work systems at 8pm but has never done so before, Darktrace will identify this behaviour and flag it as different from the norm.

It flags each of these events according to its assessed severity and maps the devices into a graphic that looks like a galaxy of stars of different colours. Drax’s security team use this to see at a glance which devices need attention and action.

The result is a view across the whole power station – both the corporate environment and our Industrial Control Systems. Those security experts can then see where there have been issues with password protection, software updates with errors, and where any breaches come from.

More importantly, they can see viruses infecting devices in real time. When the system thinks it may have seen one, there are three possible responses.

Ignore, Throttle, Kill

Once Darktrace identifies any abnormal activity that could be a threat, the system offers three options: ignore, throttle, or kill.

‘Ignore’ means allowing the system to continue as normal. This option would be used if the system flagged something as a threat which human investigation found was harmless.

The ‘throttle’ option is designed for a situation when a virus is affecting one part of the operation of one device, but shutting down the device entirely would disable a critical function. The ‘throttle’ option slows the affected part of the device down to a virtual standstill but allows the device to continue the rest of its operations while the system investigates.

‘Kill’ means removing the unit from the network immediately. If a machine behaves in a way that suggests it could be infected, it can be shut down almost immediately.
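The two ideas above, learning each user’s normal hours and devices from history and then mapping a flagged login to one of ignore, throttle or kill, can be shown end to end in a small script. This is an added illustration and not Darktrace’s or Drax’s code: the log format, the sample users and devices, the scoring weights and the score-to-response thresholds are all constructed here for the example.

```python
"""Per-user login baselining with a three-way response recommendation.

Added illustrative example (not Darktrace's or Drax's code). It learns each
user's usual login hours and devices from historical log lines, scores a new
login by how far it departs from that baseline, and maps the score to one of
the three responses named in the article: ignore, throttle, kill.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample history: "<ISO timestamp> <user> <device> <event>".
# Alice works office hours on ws-101; Bob covers early and night shifts on hmi-07.
TRAINING_LOG = """\
2023-03-01T08:05:00 alice ws-101 login
2023-03-02T08:12:00 alice ws-101 login
2023-03-03T09:01:00 alice ws-101 login
2023-03-03T12:00:00 alice ws-101 logout
2023-03-01T22:04:00 bob hmi-07 login
2023-03-02T22:10:00 bob hmi-07 login
2023-03-03T07:30:00 bob hmi-07 login
"""

# Constructed thresholds (hypothetical): score 0 -> ignore, 1-2 -> throttle,
# 3 or more -> kill.
THROTTLE_MAX = 2


def parse_line(line):
    """Split one log line into (timestamp, user, device, event)."""
    ts, user, device, event = line.split()
    return datetime.fromisoformat(ts), user, device, event


def learn_baseline(log_text):
    """Learn, per user, the set of hours and devices seen in past logins."""
    hours = defaultdict(set)
    devices = defaultdict(set)
    for line in log_text.splitlines():
        ts, user, device, event = parse_line(line)
        if event != "login":
            continue
        hours[user].add(ts.hour)
        devices[user].add(device)
    return {"hours": dict(hours), "devices": dict(devices)}


def score_login(baseline, user, device, ts):
    """Return an anomaly score (0 = matches baseline). Hypothetical weighting."""
    hours = baseline["hours"].get(user)
    if hours is None:
        return 3  # user never seen before: treat as most severe
    score = 0
    if ts.hour not in hours:
        score += 1  # login at an hour this user has never used
        # Distance to the nearest usual hour, wrapping around midnight;
        # the further away, the more suspicious.
        nearest = min(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) for h in hours)
        if nearest >= 4:
            score += 1
    if device not in baseline["devices"][user]:
        score += 1  # first time this user appears on this device
    return score


def recommend(score):
    """Map a score to one of the article's three responses."""
    if score == 0:
        return "ignore"
    if score <= THROTTLE_MAX:
        return "throttle"
    return "kill"


def triage(baseline, log_text):
    """Score every login in log_text and attach a recommended response."""
    results = []
    for line in log_text.splitlines():
        ts, user, device, event = parse_line(line)
        if event != "login":
            continue
        s = score_login(baseline, user, device, ts)
        results.append((user, device, ts.isoformat(), s, recommend(s)))
    return results


# Constructed new events to assess against the learned baseline.
NEW_EVENTS = """\
2023-03-06T08:30:00 alice ws-101 login
2023-03-06T20:00:00 alice ws-101 login
2023-03-06T20:05:00 alice hmi-07 login
2023-03-06T22:30:00 bob hmi-07 login
2023-03-07T03:00:00 mallory ws-101 login
"""

if __name__ == "__main__":
    base = learn_baseline(TRAINING_LOG)
    for user, device, when, score, action in triage(base, NEW_EVENTS):
        print(f"{when} {user:8} {device:7} score={score} -> {action}")
```

The point of the per-user baseline is visible in the output: Bob’s 22:30 login is ignored because night shifts are normal for him, while the same hour for Alice, who has only ever logged in at 8 or 9 in the morning, is throttled, and a never-seen user or a user on an unfamiliar device is escalated to kill. In practice the thresholds would be tuned against the false-positive rate the security team can absorb, and a throttle or kill would still be confirmed by a human before an operational device was touched.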

Every day, a live dashboard of variables is available to identify problems, investigate breaches, fix any infected devices and then rebuild those systems. It’s a daily schedule that not only ensures the power station can continue uninterrupted, but that the entire country can too.