On June 8, 2017, as millions of Britons headed for the polling stations to vote in the General Election, a series of innocuous emails arrived in the inboxes of people working in the UK energy industry.

The emails appeared legitimate, according to people with knowledge of the incident and documents released by UK and US intelligence agencies. Some were job applications with CVs. Others were administrative documents including contracts and legal agreements.

They raised no alarm bells, as they were cleverly designed to resemble messages that staff at power stations and operating electricity distribution networks expected to receive. But they weren’t as innocent as they appeared. All of the emails included Microsoft Word attachments which, when opened, allowed Russian hackers to quietly infect computer networks.

Once inside the networks, the hackers were able to smuggle out documents, including passwords and crucial information about the operation of the UK’s energy grid. But what happened then went far further. The hackers sought out devices which directly controlled parts of power stations.

Over several months, they systematically learned all they could about how the companies and their computer networks operated. After the information was obtained, the hackers attempted to cover their tracks and hide any indication that networks had ever been breached.

The head of the NCSC, Ciaran Martin. Credit: TMG

Not that the attack came out of the blue. Britain’s energy network, from the National Grid to the Big Six suppliers, has long been a tempting target for Russian hackers (it is known to the British spies protecting it as “Critical National Infrastructure”, or CNI). But on election day, the Russians redoubled their efforts, knowing that the nation would be distracted by what turned out to be a knife-edge vote.

A warning sent by the UK’s National Cyber Security Centre (NCSC) to energy companies in the days that followed said that “a number of Industrial Control System engineering and services organisations are likely to have been compromised” in the attack.

Officials viewed the hack as particularly alarming because the level of access obtained by the Russian hackers could have allowed them to remotely control power networks, switching off electricity systems, or causing disruption in the UK’s energy network. Even without such a strike, the election day hack cast a spotlight on the worrying vulnerabilities in Britain’s energy network.

Cybersecurity experts have warned of a “Cyber Cold War”, which involves Russia stealthily researching critical infrastructure in Western countries in preparation for hacking attacks. The head of the NCSC, Ciaran Martin, has warned that “it is a matter of when, not if” a so-called “Category One” cyber attack occurs in the UK, which could cause loss of life, disruption of essential services and a threat to national security if crucial power and defence networks are taken down for an extended period of time.

The UK’s energy network is considered to be particularly vulnerable as demand vastly outstrips supply, with some estimates suggesting that demand will outstrip supply by more than 50pc in under a decade. Even today, however, surging winter demand habitually stretches the country’s power network close to its limit.

As a result, British energy companies are scrambling to update their defences. Ofgem, the electricity and gas regulator, in September announced a boost of up to £96m to the National Grid cybersecurity budget. The move from manual operation of power stations to more modern, automated systems has helped make our energy network more efficient, but has also presented new cybersecurity challenges.

“The infrastructure that's supporting the network is becoming more automated and it's becoming more connected,” said Jonathan Brearley, the executive director for systems and networks at Ofgem.

New computer systems can give hackers potential routes into a power company as control systems need to be hooked up to a computer network. British energy companies are also starting to look closely at their own supply chains. Strong security on their own networks, for example, counts for nothing when a contractor from another business arrives on site with a laptop infected with malware and connects to the power station’s network.

SecurityScorecard, which analyses such attacks, says it has seen a dramatic rise in British companies seeking its services in the last two years.

Such is the concern about hacking that British energy suppliers have even sanctioned so-called “penetration testing”, which involves paying a “red team” of hackers to attempt to break into the company’s network in order to highlight flaws. Tom Van de Wiele, from the cybersecurity company F-Secure, said that he has conducted red team tests for major UK infrastructure companies.

“We can attack the company any way that we see fit that is ethical, legal and somewhat in good taste,” he said, “to try and see if they have a lack of processes, technology, training and even a very small lack of creativity, because that's really where we excel.”

Energy companies have also been conducting “wargaming” scenarios, which sees them act out how they would respond to serious hacking attacks against their computer networks. These scenarios, which are designed to test the strength of the UK’s energy networks, have included simulations of category one attacks.

“Companies are alive to the risk” of serious, category one cyberattacks, Brearley said, “and [they] are doing what they can to manage it.”

Install as many sophisticated alert systems and automated monitoring programmes as you like, but employees are still going to download Microsoft Word documents that can let hackers into your network. Training is being given to staff to help them avoid opening the types of malicious emails sent by Russian hackers.

"Sending phishing emails is a hacking technique which has been around for decades, but people still fall for it. It’s typically either junior or senior employees who are susceptible," said Malcolm Taylor, a former British intelligence officer who now works at cybersecurity business ITC Secure.

“The people who get targeted are very junior because they tend to be new, they tend to be keen to impress,” he said. “They probably haven't had their training yet so they're vulnerable.

“And the very senior who either have a team of people who look at their emails for them and haven't been trained properly or they believe that they should make the rules but not necessarily follow them,” he added.

The devastating costs of a successful hack have already been made perfectly clear.

Ukraine has accused Russia of hacking into its energy network in 2015. Credit: AP

At 3.30pm on December 23, 2015, Ukrainian office workers were preparing to go home for the Christmas break. But many regions of the country were suddenly plunged into darkness when Russian hackers flipped a series of digital switches that disabled large parts of Ukraine’s energy networks. For months, the hackers had lain in wait inside the computer networks of three energy companies. They had gotten into the servers with phishing emails loaded with malicious Microsoft Word documents – exactly the same technique that the UK saw on election day in 2017.

Mapping out the network – just as they are believed to have done in Britain – allowed them to plunge 230,000 people into darkness and leave them without electricity for several hours during the bitter Ukrainian winter. The hackers also launched a barrage of bogus telephone calls at the call centres of the energy networks, blocking the customer support lines. Customers weren’t able to call the companies to request information on when power would be restored, leaving them concerned about what was happening.

The attack on Ukraine is the worst-case scenario for the UK and fits the NCSC’s definition of a serious, category one hack. An incident like this in the UK would cause the government to debate whether the hack constituted an act of war. For the UK’s energy regulator, the Ukrainian hacking attack was a stark reminder of what can happen when attacks slip through defences.

“What happened in Ukraine is an example of something where things went horribly wrong and that's what we're protecting against,” Brearley said.

Intelligence analysts suggest that such a crippling strike in Britain is by no means out of the question. “It's definitely increasing,” Max Heinemeyer, a director of British cybersecurity business Darktrace, said of the threat.

“There's a trend we're seeing which is more attacks from all kinds of angles.” Taylor agreed.

“There's no doubt that Russia will be looking at ways to use our infrastructure against us,” he said, “the Russians have fewer scruples. They just killed somebody on the streets of Salisbury with nerve agent.”

And what’s particularly worrying to cybersecurity experts is that energy companies are often faced with outdated systems which can’t be upgraded with proper security software.

The computer networks used by energy companies are “often much messier than people think they are,” said Heinemeyer, whose multiple infrastructure clients include the Drax power station in Yorkshire.

“There's the old school legacy stuff,” he said, “the water treatment plants that have been running for over 30 years where the hardware and software is not even running on Windows and Linux but some small embedded code that was developed 30 years ago by a small company that doesn't exist anymore.”

Across critical national infrastructure, he warned, cyberdefences are often rudimentary, bordering on non-existent. In such circumstances, all the companies involved can do is cross their fingers and hope the hackers strike elsewhere.

“All these legacy things, you can't patch them, you can't install antivirus on them because there's no memory. Implementing any security controls whatsoever is incredibly difficult.”