Point of View

Five-Pronged Strategy for More Holistic Security in Energy & Utilities


The increasing attacks on and vulnerabilities in the world’s critical infrastructure call for action now; otherwise, a disastrous disruption of the energy supply is inevitable. For the oil and gas and utility industries, this is a critical issue that needs more attention, investments, and new holistic security services. It presents tremendous opportunities for service providers and the wider security ecosystem to come together with the industries and build comprehensive capabilities using leading-edge innovations to withstand the attacks on our critical infrastructure.

  

The recent devastating hurricanes – Harvey, Irma, and Maria – that hit the Caribbean and United States have once again proven the critical importance of our energy supply infrastructure. While natural disasters such as hurricanes are an imminent threat to the stability of the grid, generation infrastructure, and critical fuel pipelines, the safety and security of our larger energy ecosystem face another threat – cyberattacks aimed at critical infrastructure. Consider the following examples:

  • The U.S. Department of Energy[i] (DOE) reported half a million cyber intrusions into various parts of the United States electrical grid in 2016.
  • In December 2015, the electricity supply in Ukraine was disrupted by one of the first known successful cyber attacks on energy infrastructure. Hackers managed to compromise information systems of three distribution companies and switch off substations, leading to disruption of supply to 230,000 residents. In 2016, the power grid was again subject to an attack – this time on a transmission facility.
  • 29%[ii] of companies in the energy sector in the Netherlands experienced cyberattacks and failures of IT systems due to external attacks, leading all industries.
  • The United Kingdom’s intelligence and security agency, GCHQ, raised awareness about the vulnerabilities of the UK’s energy sector and the likelihood that nation-state hackers have compromised it. “NCSC believes that due to the use of widespread targeting by the attacker, several industrial control system engineering and services organizations are likely to have been compromised,” reported a GCHQ subsidiary called National Cybersecurity Centre[iii].
  • The former chief executive of UK’s National Grid, Steve Holliday, earlier mentioned the tremendous concerns about the threat of cyber attacks on power stations and electricity grids[iv], citing “the trend away from well-protected, centralized large power stations and towards decentralized power, such as lots of small, flexible gas power plants and solar panels on homes” as a source exacerbating the threats, as well as the growing number of connected devices in energy technology.
  • Energy companies are targets for corporate- and government-backed hackers[v]. Iranian hackers attacked energy and financial companies following sanctions against Iran’s energy and financial industry in 2013. Russia is suspected to be behind the Ukraine cyberattacks and the intrusion of power plants and a nuclear plant in the United States in 2017[vi].

The costs of disruptions due to cyberattacks are rising, as are the costs of repairing the disruption and implementing additional measures to shore up cybersecurity. Disruptions also lead to loss of turnover, failure of systems, loss of data, corruption of data, or data theft.

 

Despite the high level of threats, security remains an underinvested area

 

There are tremendous vulnerabilities in our energy systems. Behavioral models, advanced analytics, automated responses, and machine learning are key components of modern security measures designed to operate in a heightened threat environment. Security is recognized as a priority across the industry, but it remains an area of concern and needs continued investment from oil and gas companies, utilities, and energy and utility operations service providers.

 

Two findings from a 2016 HfS study of cybersecurity underscore this point. Exhibit 1 shows that in the resources industries, including oil and gas and utilities, the biggest inhibitors to security provisions are limited support from the corporate/executive level and a lack of security budget.

  

Exhibit 1: Biggest inhibitors to security provisions in energy and utilities

 

Source: “State of Cyber Security 2016”, HfS Research n=30 Enterprise Security Office

 

When we drilled down further, only 30% of resources enterprises seem to have enough budget for security technology and talent (See Exhibit 2).   

 

Exhibit 2: Cybersecurity funding – Resources industries report inadequate security funding, talent, and training

Source: “State of Cybersecurity 2016”, HfS Research n=30 Enterprise Security Office

 

The path forward to avoid disaster in the energy industry

 

We have identified a five-pronged approach that energy and utilities companies need to safeguard their infrastructure from security breaches:

 

  1. Develop a holistic security strategy. A comprehensive view and approach to security is needed instead of viewing individual cybersecurity issues. Several factors are amplifying security risks and increasing the attack surface. New attack vectors emerge through the increasing interconnectedness of energy systems, Internet of Things, connected devices, distributed assets, and fragmentation of infrastructure (there are multiple grids in any country). Further, as the worlds of information technology and operational technology continue to converge (IT/OT integration), the need for cybersecurity and physical security to come together is unequivocal. We’ve seen videos[vii] of how a red team hired to test the security of a utility breached the physical and cyber security systems to gain access to the network and turn the lights out, showing the vulnerabilities and lack of detection capabilities.
  2. Break down IT and operations silos. Cybersecurity is a topic currently sitting within IT, siloed and tucked away. Traditionally, IT and operations were two distinct and separate worlds that rarely interacted, but now everything has a sensor and is connected to the Internet of Things. The lines are blurring and threats are coming from all sides. People attack physical infrastructure before commencing a cyberattack (see the video on a substation mentioned earlier). The concept of holistic security must be elevated to the Board.
  3. Leverage a partner ecosystem. The 2016 cyber security study by HfS Research shows that the resources industries are lagging in detection of threats as compared to most other industries (See Exhibit 3). Although identified as a top priority, many utility and oil and gas executives point to their reliance on partners in tackling cybersecurity threats. The threats are too complex and change too rapidly to be dealt with effectively by internal security officials alone.

 

Exhibit 3: Resources industries are less capable of detecting cybersecurity incidents in real time or predictively than other industries

Source: “State of Cyber Security 2016”, HfS Research n=208 Enterprise Security Office

 

  4. Move to the cloud. Notwithstanding regulatory requirements and hurdles (which regulators should review, modernizing their policies as soon as possible), move to the cloud as quickly as possible. The cloud is more secure than on-premises applications. The myth that owning infrastructure is more secure has been debunked, and cloud providers are better equipped to deal with cyberthreats. Leverage a partner ecosystem.
  5. Leverage emerging technologies. Industry actors should set up Centers of Excellence and critical infrastructure security centers in which they apply the new technologies that are available as part of a holistic security strategy. For instance:
     – Behavioral tracking/pattern recognition. At a critical site, cameras track field workers’ movements, looking for anomalies in behavior. This is an example of using digital technologies, artificial intelligence (AI), and analytics to improve physical security.
     – Drones are used to inspect pipelines and transmission and distribution lines, often situated in remote and harsh environments. The drones record and analyze the situation on the fly, using advanced analytics, machine-learning-based pattern recognition software, augmented reality, and mixed reality.
     – Augmented and/or mixed reality is also used effectively to provide security for people on the ground and to detect threats in the physical environment.

 

Bottom line: A concerted effort is needed to resist the monster in the dark

 

The increasing attacks and vulnerabilities in the world’s critical infrastructure call for action now, or the disaster of energy supply disruption is inevitable. For the oil and gas and utility industries, this is a critical issue that needs more attention, investments, and new holistic security services. It presents tremendous opportunities for service providers and the wider security ecosystem to collaborate with the industries and build comprehensive capabilities using leading-edge innovations to withstand attacks on critical infrastructure.

 


References

  1. https://www.vanityfair.com/news/2017/07/department-of-energy-risks-michael-lewis
  2. https://www.cbs.nl/en-gb/news/2017/39/one-in-five-businesses-fall-victim-to-cybercrime
  3. https://www.theguardian.com/technology/2017/jul/18/energy-sector-compromised-state-hackers-leaked-gchq-memo-uk-national-cybersecurity-centre
  4. https://www.theguardian.com/technology/2017/jun/25/uk-electricity-grid-cyber-attack-risk-energy-industry
  5. https://www.nbcnews.com/news/us-news/feds-suspect-russians-behind-cyber-attacks-power-plants-n780701
  6. https://www.businessinsider.nl/nuclear-power-plant-breached-cyberattack-2017-6/?international=true&r=US
  7. https://www.youtube.com/watch?v=pL9q2lOZ1Fw
