As power, utility, oil and gas companies innovate by integrating advanced technology into their industry, the vulnerability to cyber attacks increases. Cyber attacks like the one that targeted the Ukraine in December of 2015 seek to disrupt the flow of energy and power to a population and can have significant health, financial and security risks.
With such an integral infrastructure in place, defense against cyber attacks is becoming highly necessary. These areas are particularly vulnerable to cyber threats.
Legacy Technology & Interoperability
The technology used by the energy sector is made to last 20-30 years and is expensive to upgrade. Legacy technology has the potential to be penetrated by malicious forces the longer it’s been around. Older technology has fewer capabilities and is more easily hacked. It is also built on top of with newer technology that has increasing interoperability, making it difficult to dismantle and start with fresh tech.
Cybersecurity Controls for the Distribution System
The sheer interconnectedness of the power and utility grid would make an attack on the distribution system effective and devastating. One compromise could have a domino effect on several aspects along the grid to destabilize resources.
Non-central sectors like distributors in the supply chain tend to be easier targets for cyber attacks since they usually have less secure networks. That means that an attacker could hinder essential controls to a power plant without needing to infiltrate a more secure location.
Utility Dive identifies information sharing between public and private sectors as a critical capability gap that utilities must identify and implement. Failure to communicate threats and attacks as well as ways to prevent them encourages ignorance.
Even though technologies and innovations are rapidly increasing, education and awareness are still lax when it comes to preventing cyber attacks. Lack of awareness could put an employee in the position to unwittingly create a vulnerable situation. Experts can be sure that attackers will understand all the ways they can penetrate the system—the people working with the system must keep up as well.
Risk Management & Impact Analysis
If cybersecurity threats and risks are not analyzed by risk assessments, there is no way to manage those risks. Four of ten respondents to an Accenture survey claimed cybersecurity risks were not or only minimally analyzed in their risk management processes, indicating that utilities are not prepared for those kinds of threats.
Numbers are important in the fight against cybersecurity, and there is a talent shortage. According to PwC, the cybersecurity talent gap will grow to 1.5 million job openings by 2019. The energy sector must work to fill this gap with the knowledge, resources and capabilities to defend itself.
Security Requirements Not Followed
Kaspersky’s report addresses several flaws in the security of the national electrical power infrastructure, especially ones that could easily be rectified with proper policies and actions in place. Improper or nonexistent password protection and user control policies make for a weak resistance against hackers. Policies meant to be more convenient for employees like remote access are lacking in security measures and create circumstances for cyber attackers to take advantage of.
Lack of Identification
Kaspersky also points out that many power facilities are lacking or have weak identity verification policies in place to prevent insecure data access that could enable attackers to implant malicious code.
With multiple areas of vulnerability in the power sector, organizations in this industry must take a measured and targeted approach to protecting and reacting to cyber crime. The following tactics may help address weak spots in cyber defense.
Share Cyber Threat Data
26 companies currently participate in sharing data about cyber threats. They installed information-sharing devices (ISDs) just outside their firewalls that transpond data about threats to CRISP Analysis Center so that it can respond with alerts and mitigation instructions to address a compromise.
Partner with Other Industries
Similarly, industries can work together for an efficient and cost-effective strategy against cyber threats. Collaborating utilities work in groups that help identify and defend against threats by pooling resources and information.
Conduct Risk Assessment
Security should be viewed as risk management, posits IBM in their whitepaper. Even utilities are subject to risk assessments to better understand the severity of the threats they face and how to minimize them. Risk assessments are essential to identifying goals and actions to reduce attacks and help utilities make better decisions with cybersecurity in mind. Looking specifically at older technology and the workforce’s awareness of the issues are especially helpful.
Create a Proactive Cybersecurity Strategy
Being proactive in cybersecurity is the best way to defend against cyber attacks. By keeping up with the latest advances, utilities can be prepared to face new kinds of threats with evolving technology. Constant and continuous monitoring and responding to threats are detrimental to ensuring utilities are not compromised. Federal government has been working to create policies that promote safety and security in the utility sector and works closely with the industry to protect it and make plans in case of a breach.
The top priority for utilities should be creating a culture that enforces cybersecurity. Utilities can do this by enforcing cybersecurity policies as much as other top-priority policies such as ethics and safety. A culture of awareness prevents cyber attacks that rely on the fallacies of people, like phishing and other social engineering attacks, and encourages better security practices as a whole.