Cyber in the Energy Industry — It’s Time to Think Differently!
We are all experiencing the impact of the fourth industrial revolution. Name any tech buzzword – be it artificial intelligence, big data or IoT – and you will see a ripple effect on different industries, opening up new opportunities and prompting a rethink of business models, but also increasing security risks. As in many other sectors, these risks are coming to the energy industry. Clearly, the internet-led revolution promises tremendous benefits to the energy industry, but it also requires taking precautions.
by Gianluigi Di Giovanni
Although there has been a growing awareness of the importance of cyber security, the seriousness of the threat was thrust into the energy industry spotlight with WannaCry attacks, targeting a power distribution company in India, and in 2015 with cyber attacks in Western Ukraine – leaving 225,000 homes without power for several hours. For five hours, the operator didn’t know he was experiencing a cyber attack. Most recently, hackers have infiltrated the critical safety systems for industrial control units used in nuclear, oil and gas plants. Using sophisticated malware, dubbed “Triton”, hackers managed to halt operations in at least one facility. This marked the first reported breach of a safety system at an industrial plant by hackers. Here are some of the risks a company may face in the case of a successful attack:
- HSE risks
- Equipment damage
- Theft of classified information
- Plant shutdown
But What Makes a System Vulnerable to a Cyber Attack?
I believe that the increased competitiveness of the energy industry has led different bad actors to target the industry. As the utilities and oil and gas sectors become increasingly digital – in order to achieve revenue and efficiency gains – there is a corresponding need to identify cyber threats at the earliest stages. Organizations in these sectors must defend their entire digital footprint against persistent and highly sophisticated cyber threats without disrupting business processes.
A growing concern is that hackers are increasingly targeting operational technology (OT), essential for availability, production and safety of critical infrastructure. Attacks against OT have ballooned from 5% to 30% in just a few years. Energy companies make up the lion’s share of these attacks. To protect the operating environment from the rising cyber threat, companies must think and act strategically. Energy companies must ask not “if” their asset will be attacked, but how to be prepared against the increasing attacks and how to quickly respond to minimize damage. Their approach should be proactive, aiming to educate and train people to learn to identify potential risks. Secondly, companies need to leverage the technologies and processes in place. Only with the optimal alignment between these three aspects can the risk of cyber attacks be minimized.
The Benefits are Great – Security Must Keep Pace!
I often say that the relationship between connectivity and security is not always well understood. Companies often believe that isolating their systems reduces their vulnerability. But this ignores the origin of many cyber threats. Studies show that the majority of industrial cyber attacks come from inside. In these circumstances, isolating systems doesn’t necessarily equal greater security. Indeed, connectivity can provide the transparency required to detect attacks and quickly take action.
In simple terms, imagine it like this: You cannot secure what you cannot see! That is why accurate, up-to-date visibility of system inventory is a fundamental element of any cyber security solution.
Clearly, cyber security is not just about reacting to isolated incidents. When business continuity is critical, such as with power and electricity supply or oil & gas, it is just as critical to protect against the persistent threat of cyber attacks. Unfortunately, technology will not solve the problem on its own. A holistic approach designs the right kind of strategy that technology supports.
When building a cyber security strategy, the first step you have to take is to assess where your organization stands on the maturity curve. Companies can then look at how to begin monitoring and detection – smartly, aligned with the business objectives and priorities. Network segmentation, identity and access management, and two-factor authentication are among the basic requirements for every industrial company.
At Siemens, we know this from experience. We know that combining asset-level data with network-level data means that our customers can gain deep insights into the behavior of their assets across the value chain in order to quickly detect and stop attacks from happening.
We also understand the importance of contributing to the broader cyber security community by sharing experiences. That’s why we were excited to partner with PAS Global, the leading provider of industrial control system cyber security solutions, to provide fleet-wide, real-time monitoring for control systems to detect and respond effectively to attacks across the OT. Another important collaboration is Siemens teaming up with Darktrace, a leading machine learning company for cyber security, to detect and remediate in-progress cyber threats at their nascent stages by learning the ‘pattern of life’ for every network, device and user across both OT and IT networks.
What Does It All Mean?
In a world where you have decentralized operating systems and many third party suppliers that you rely on, the weakest link can be the cause of a major incident, exposing the entire organization to major vulnerabilities and threats.
I believe there is no silver bullet that will protect anyone from a cyber attack. Security requires developing a strategy, implementing it rigorously and continuously staying up to date on developments in digitalization and the cyber security landscape.
This article was originally published on LinkedIn by Gianluigi Di Giovanni, Senior Vice President of Siemens Power Generation Services.