The U.K.’s electricity middleman Elexon got a massive shock after the company suffered a cyberattack. The company’s internal systems were targeted in the attack. Elexon plays a key role in the balancing and settlement of the U.K. power system and has close ties with core power system programs and processes with the U.K. system operator.
The company in a statement said, “ELEXON’s internal IT systems have been impacted by a cyber-attack. BSC Central Systems and EMR are currently unaffected and working as normal. The attack is to our internal IT systems and ELEXON’s laptops only. We are currently working hard to resolve this. However, please be aware that at the moment we are unable to send or receive any emails.” In an ensuing statement, it added, “We have now identified the root cause and we are taking steps to restore our internal IT systems. BSC Central Systems (and their data) and EMR remain unaffected and are continuing to work as normal.”
The incident can be classified as an attack on a critical sector, as Elexon is also responsible for settling payments between generators, suppliers and traders, as well as handling EMR payments – government contracts for difference (CfDs) for renewable generators. It also works very closely with the National Grid ESO. In simpler words, Elexon is among the key companies that ensure the lights in the U.K. stay on.
In more detail, Elexon calculates the volume of electricity produced by a given power station against the quantity sold by the electricity suppliers. These figures are then compared with the organizations’ contractual numbers for the production and sale of electricity.
Since Elexon’s operations have nothing to do with the actual power grid functioning, zero impact to power supplies was registered. This was also later confirmed by the National Grid ESO’s tweet, “We’re aware of a cyber-attack on ELEXON’s internal IT systems. We’re investigating any potential impact on our own IT networks. Electricity supply is not affected. We have robust cybersecurity measures across our IT and operational infrastructure to protect against cyber threats.”
This is not the first incident in which a critical U.K. body has been affected by a cyberattack. Earlier this year, the U.K.’s Financial Conduct Authority (FCA) apologized after it accidentally exposed the confidential details of around 1,600 consumers who complained against it.
U.K. Suffers Cyber Readiness Deficiency
Both incidents highlight a lack of cyber readiness among U.K. organizations. According to a survey from data security firm Clearswift, around 70% of financial firms in the U.K. reported security incidents in 2019, half of which occurred due to internal errors. The research, which surveyed 100 senior business decision-makers from financial organizations in the U.K., highlighted that most of the attacks originated with employees who failed to follow proper data protection policies. Apart from employees’ errors, the survey also revealed other causes of attacks, including downloads of malware or viruses from third-party devices like USBs, and file transfers to unsecured sources.