Today, the business of industrial power involves more borders, more access points, and more outside suppliers with outside approaches than ever before. There’s a lot for cyber security executives in this sector to think about.
Even prior to reaching the consumption stage – via the grid – all of the data involved in energy production is valuable and, if not protected, vulnerable. Unfortunately, because the sector is one of the most attractive targets for malicious cyber attack, and because threats change all the time, it’s impossible to guarantee security 24/7.
But it’s a real and growing concern. A study, conducted by Tripwire last year, reported that energy companies are witnessing significantly more intelligent and complex attacks that attempt to take control of Industrial Control Systems. Other findings, which cover the sentiments of US-based IT professionals in the energy, utilities, and oil & gas industries, showed that 77 percent of those surveyed said that they’d experienced a rise in ‘successful’ cyber attacks over the previous year (in the oil and gas sector alone there were an average of 96 incidents over a 12-month period); and a further 68 percent of the respondents said that the rate of successful cyber attacks had increased by more than 20 percent in just one month.
Elsewhere, in a ‘High Performance Security 2016 Report’, Accenture found that 60 percent of the energy leaders that it surveyed said that they don’t quite understand the timing or impact of cyberattacks. In fact, while about a fifth of cyber attacks do come from hackers, the more likely culprits are to be found among the company’s own personnel, whether acting with malicious intent or purely by accident.
Email has also been identified as a high risk factor as it can escort threats into an inbox which, if activated, can go on to cause havoc on a system. For example, once it’s tricked its way in, a virus like ransomware will go looking for other vulnerable points (connected computers and machines) through which to start encrypting data until the owning organization pays up, literally creating a ransom scenario. A ransomware attack recently targeted several UK National Health Service centres (May 2017). The virus, called WannaCry, infiltrated the network, stopped doctors from accessing patient files, and caused operations to be cancelled. The consequences of such a hit in the industrial power sector could be disastrous for the vital services on which we rely.
The Most Vulnerable Areas
Interestingly, more findings reveal that a mere quarter of oil and gas companies questioned were confident of their capabilities in cyber attack scenarios. There also seems to be less confidence in the abilities (or should that be, priorities) of the industry’s counterparts to measure the impact of breaches and the frequency at which they occur. And, with the rise of the Industrial Internet of Things (IIoT), there’s a pressing requirement to fill cybersecurity gaps in endpoint / network security, too.
Security, however, doesn’t end at the edge of the corporate network. It has to cover both operational technology (OT) and back office systems right across the energy value chain. Jim Guinn, managing director of Accenture’s security practice for resources industries, said that: “protecting core operations requires better investments in cyber defense including network analytics, cyber incident management programs that include both OT and IT networks, and ongoing testing to help identify any gaps.”
Embedding Cyber Responsibility
Each party involved – from production to consumption – needs to prioritize cyber responsibility at the top of their security agenda. Further, the wider cyber security focus should be a shared mission across all parts of the energy chain – not just amongst the industrial power producers themselves. At a recent executive meeting, addressing global power issues, the following were proposed as the most effective tools for responding to cyber attacks: internal cross-functional teams, standard operating procedures, established technologies, and better communications plans.
Personnel education also needs constant updating, as all too often it’s human error that ushers a virus into the network that can then cost millions of dollars in downtime, fines, and loss of life at a power plant or from the knock-on effects of a power outage … it’s never a good list. In some instances, virus detection can take weeks or months, leaving a silent wrecking ball to continue on its way causing damage around a network.
So, alongside implementing security measures, it is equally important to gain clarity on: who owns which part, who’s responsible for the data running through it, as well as shaking hands on security standards and regulations – globally.
— By Rachael Corry, Energy writer