Delivering energy has centered on the fundamental tenet of being reliably available. As energy providers strive to maintain that availability, they all too often push security to the back burner. Many unsafe practices have fallen into place for the sake of speed and efficiency, including the use of default and shared passwords, open access, and little oversight. Many systems have been put into production and stayed in place well beyond the vendor’s intended support lifecycles. This situation has resulted in systems that are end-of-life, no longer receiving patches or updates despite known security flaws. Unfortunately, many organizations have also built security around the assumption of air-gapped networks, which is proving to be insufficient as more and more devices become interconnected.
Today’s energy industry has undergone rapid digitalization, presenting attackers with new attack surfaces to exploit. The emergence of smart grids and smart devices has made the sector an attractive target. And yes, cybercriminals have taken notice. The World Energy Council notes in its latest World Energy Congress report that there has been a “massive” increase in the number of successful cyberattacks in recent years, and the organization fears that those in the industry may be unprepared to deal with new and emerging threats.
This state of affairs has not gone unnoticed by the United States government. In 2017, President Trump issued an executive order demanding stronger cybersecurity of critical infrastructure. In response, the Department of Energy released a five-year strategy to more effectively combat the risk of power disruptions caused by cyberattacks, focusing on threat-sharing, supply chain risks, and research and development of more resilient energy systems. Organizations such as the National Institute of Standards and Technology (NIST) have also released updates to and new drafts of their security frameworks to provide guidance on securing energy environments and on adding better in-network threat detection with security controls based on deception.
The world has already seen the potential fallout that cyberattacks on the energy sector could cause. It has also seen the rise of some “alarmingly simple” security exploits, like the one that disrupted California energy operations in March. Each incident serves as a warning sign that the industry needs stronger, more reliable protections.
While it is heartening that the government has made cybersecurity in the energy sector a priority, it goes without saying that organizations should treat compliance only as a baseline standard. There are several steps that defenders can take to reduce risk and better protect their assets. Some may be viewed as basic hygiene, while others will be driven by necessity, enabling organizations to detect and identify sophisticated attackers who seek to endanger human safety, service reliability, or economic stability.
NIST and other security frameworks follow a fundamental structure of “identify, protect, detect, respond, and recover.” The section below covers related activities and some of the solutions being put into place to address cyber risk.
Activity: Develop a better understanding of how to manage the risks associated with the systems, data, and capabilities that the organization’s critical infrastructure includes.
Action: Identify the systems, devices, users, data, and facilities that support daily business processes, and appropriately prioritize them. Ensure that the organization’s business environment and governance align with essential security goals, and employ effective risk assessment tools and risk management strategies.