I read with interest on BBC news today comments made by director of GCHQ (Government Communication Head Quarters) Iain Lobban saying that the UK’s critical infrastructure – such as power grids and emergency services – face a “very real and credible threat from cyber attack”.

Speaking to delegates at the International Institute for Strategic Studies, he stressed that the country’s future economic prosperity rests on ensuring a defence against such assaults. Apparently, around 1,000 malicious emails a month are deliberately targeted at government computer networks.

He also said that the threat offers an opportunity if the UK can get its defences right and maintain integrity of financial and commercial services, which will lead to competitive advantage.

What struck me were the words “real and credible threat”. Coming from a man at the centre of the intelligence industry, I’m inclined to take him seriously.

If power grids are attacked, the problem could be far wider reaching and affect far more businesses and organisations than a cyber attack on a specific computer system.

For years we’ve been working in partnership with our customers to protect against power interruptions caused by unforeseen or unfortunate circumstances, like natural disaster, human error, freak weather – all the kinds of events that when they occur can be devastating but that are not deliberate and therefore can be imagined and planned for. Here we are dealing with – and having to protect against – something equally devastating, the threat of which is growing like an alien force but the like of which it seems impossible to imagine.

On a positive note, however, there is much that can be done by businesses to ensure power continuity – independent of the national infrastructure – even if the National Grid were to suffer such an attack. And with such threats looming, it really is a case of “not if, but when” those power continuity systems will be required to come into their own.

I feel short-changed, having read the specifications and code of practice of the new business continuity standard BS 25999 from BSI. As I mentioned here the other day, problems with mains power supply are far more common than most potential disasters. Incidents of interruption in electricity supply stood at 21 million in 2006 (according to a DTI report), other disasters (such as fire, flood, terrorism, public disorder and so forth) combined could not reach that total. Securing electricity supply is not merely about installing UPS, as with BCM it requires a well thought through and planned out strategy and this is not mentioned once in either the code or specification.

I do not wish to appear to knock the standard. It is, in my view, long overdue and much needed. But I feel that by not specifying a power continuity strategy, it is left wanting. Without electrical energy there would be no business continuity for most businesses and operations. That is a fact. It should, therefor, in my view be a central theme for any BCM strategy and therefore mentioned in BS 25999.

If you want to know more about what constitutes a power continuity strategy read The Power Protection Guide.