Modern energy and utility companies are becoming vulnerable in ways they are
not familiar with: via cyber-attacks. A Symantec report in January said that in
the first half of 2013, energy was the fifth most targeted sector worldwide. It
experienced 7.6 per cent of all cyber-attacks[i]. During the same period, the
Department of Homeland Security's Industrial Control System Cyber Emergency
Response Team (ICS-CERT) said that cyber-attacks had doubled and significantly,
53% of those attacks were against the energy sector[ii].
In 2012, a large oil corporation in the Middle East found that a virus - now famously known as Shamoon -- wiped out documents, intellectual property and business data from a large number of corporate PCs, interrupting oil operations[iii]. The growing new threat has the potential to be more devastating than terrorist attacks as we have known them. The attacks - which could be from state-sponsored groups, criminals, competition, hactivists or just code kiddies - can help seize mission-critical OT and IT systems. The results of such security breaches can be catastrophic. They can bring down entire cities by shutting down power systems and bursting gas pipelines. They can lock trading systems and financial markets. Shut down hospitals and airports. Because of growing connectivity between industries, the effects of an attack on today's energy and utilities businesses can have a cascading effect. It is time for the industry to take a fresh look at the meaning and implications of the security threats it is vulnerable to.
In an interconnected world of smart grids, a lot can go wrong. Control rooms and power lines can be remotely hijacked, putting at risk the lives and safety of entire regions. An equally worrying risk is to data. Today's energy and utility companies have more customer data than ever before. For industrial customers, they hold data related to devices and machinery in operation, peak usage and consumption patterns. For domestic customers, they hold personal information, financial data and passwords, all of which makes it simple to impersonate customers.
The reason why the industry is not adequately prepared to address these attacks is rather simple. The industry has traditionally remained focused on building infrastructure, with very little management focus on IT and data security. With growing connectivity, this must change. Today, the industry must bring pin point focus to dealing with cyber-attacks that could affect operations, business data and intellectual property.
For an industry that has been accustomed to building dedicated infrastructure - and therefore creating a natural sense of security - things are changing. With increasing cost pressure, it is not possible to continue to retain infrastructure and data in-house. Everyone is moving towards cloud technologies with hosted infrastructure. In such an environment, how does the industry safeguard its data and applications?
The answer is a practical no-brainer: it lies in bring more science, more algorithms, more encryption and more security protocols. However, the key is to use tried, tested and proven technology to stay ahead of the growing threat. Long-time industry hands will immediately realize why this is important. The industry is, by and large, not private. So it can't go ahead and do exactly as it wants. It must be cautious, and comply with standardized regulations and mandated security processes.
In summary, it is necessary to recognize that an increasing amount of technology in the supply chain is inevitable. It is going to result in a proportionate increase in cyber risk management. The solution is in customizing risk management based on an analysis of motives behind the attacks, a thorough analysis of assets and their vulnerabilities, a backup plan (in the event of security failure) and devising risk management processes that are aligned with regulations.
[ii] Homeland Security: Hack Attempts On Energy, Manufacturing Way Up in 2013, 29 June, 2013: https://securityledger.com/2013/06/homeland-security-hack-attempts-on-energy-manufacturing-way-up-in-2013
[iii] In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back, New York Times, 23 October, 2012: http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?pagewanted=all&_r=0