Utilities have seen breakneck change over the past decade. The twin revolutions of digitization and the transition toward greener energy sources have made electricity generation more efficient, cleaner, and deeply dependent on digital management. Looking ahead, artificial intelligence promises another wave of innovation with operational advantages. Yet the exponential growth in the number of digitally networked new and legacy assets comes with a well-known dark side: unwelcome attention from cyber attackers up to and including nation-states. With sophisticated cyber threats now a permanent feature of the energy landscape, the design and engineering of every system should include security by design.
Cyber threats should inform energy system design choices in the same way that engineers account for friction. Done right, cybersecurity can be more than an exercise in minimizing costs. Managing cyber risk can unlock competitive advantages in the form of better reliability and higher trust from consumers, investors, and business partners.
Cyber threats reach the heart of every utility's profit engine -- its operational technologies, or OT. Even legacy systems have been retrofitted to include digital management. Air gaps, once an industry standard, are largely a thing of the past.
OT cybersecurity is still relatively new. Many companies digitized OT systems rapidly, or acquired new assets through mergers and acquisitions. CISOs across the energy sector report that even maintaining an accurate inventory of legitimate devices connected to internal networks is a challenge, and that their budgets have not expanded to match the scope and scale of responsibility for both IT and OT security. As practitioners quickly learn, OT and IT cybersecurity are distinct skills, requiring different methods and knowledge bases.
Tackling the challenge of OT cyber does call for actions shared in common with IT. Cyber hygiene must be part of company-wide culture, and calls for frequent refreshment. Governance matters -- it is not unheard of for IT and OT teams to each believe responsibility for OT cybersecurity belongs to the other department. As with IT, information sharing across the industry offers defenders the advantage of learning how to close vulnerabilities and defend against attacks elsewhere. Getting beyond these basics, IT and OT security diverge considerably.
Attacks against OT have dramatically different signatures than attacks on IT. For example, in OT, legitimate commands can be assembled in ways that damage physical hardware without ever increasing network traffic. Differentiating between normal activities and malicious actions calls for understanding context across digital and physical systems.
Practitioners and regulators have converged on monitoring and detection as the essential cybersecurity capability for digital utilities. By constantly monitoring the physical state of OT assets, analysts and automated systems can discern which commands are likely to put physical systems beyond their safe operating parameters. When attacks are detected in OT or IT, analysts can identify the source of the attack, and quickly trace which systems were affected -- important both to determining whether it is safe to continue operations, and to limiting the scope of any production halts needed for recovery. Systems built with security in mind should include monitoring and detection.
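The point in the two paragraphs above, that a syntactically legitimate command can only be judged against the asset's current physical state, can be shown with a small context-aware command screen. This is an added illustration, not Siemens Energy code; the pump, its envelope values and the command vocabulary are constructed assumptions.

```python
from dataclasses import dataclass

# Illustrative safe operating envelope for a hypothetical pump (constructed values).
SPEED_RANGE_RPM = (0.0, 3000.0)
MAX_SPEED_STEP_RPM = 300.0   # largest change a single command may request

@dataclass
class AssetState:
    speed_rpm: float
    valve_open: bool

def project_state(state, command):
    """Return the state the asset would reach if the command were executed."""
    kind, value = command
    if kind == "set_speed":
        return AssetState(float(value), state.valve_open)
    if kind == "set_valve":
        return AssetState(state.speed_rpm, bool(value))
    raise ValueError(f"unknown command {kind}")

def screen_command(state, command):
    """Return ('ok', '') or ('alert', reason). Every command here is well-formed;
    the verdict depends entirely on the asset's current physical state."""
    nxt = project_state(state, command)
    lo, hi = SPEED_RANGE_RPM
    if not lo <= nxt.speed_rpm <= hi:
        return "alert", f"speed {nxt.speed_rpm} rpm outside {SPEED_RANGE_RPM}"
    if abs(nxt.speed_rpm - state.speed_rpm) > MAX_SPEED_STEP_RPM:
        return "alert", "speed change larger than one command may request"
    if nxt.speed_rpm > 0 and not nxt.valve_open:
        return "alert", "pump would run against a closed inlet valve"
    return "ok", ""

def screen_sequence(state, commands):
    """Screen commands in order; commands that pass update the modelled state,
    so a slow ramp of individually acceptable steps is caught at the envelope."""
    verdicts = []
    for cmd in commands:
        verdict, reason = screen_command(state, cmd)
        verdicts.append((cmd, verdict, reason))
        if verdict == "ok":
            state = project_state(state, cmd)
    return verdicts
```

Note that no single step in the ramp exceeds the per-command limit; only tracking the modelled state across the sequence reveals that the final step leaves the envelope.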
As the global head of cyber and digital security at Siemens Energy, a large share of my job has been to work out how to build monitoring and detection into our industrial control systems for our customers -- and how to offer OT monitoring and detection for existing energy systems. In my experience retrofits are more complex, requiring a layer that integrates several machine languages never designed to work together into a unified data stream for automated or human analysis. That's understandable for assets originally designed and built in the 1980s, but unconscionable for systems built today, when we can and should build with the expectation that every device will integrate with monitoring and detection for cybersecurity purposes. Increasingly, utilities have the option to move OT security to the cloud, relieving security teams of the need to maintain and secure on-site servers. AI and machine learning solutions are maturing, and for the first time offer the possibility of affordable, truly comprehensive real-time monitoring and detection at scale.
Recent advancements in AI will escalate some forms of cyber threat -- for example, making it easier for people with no OT experience and little industry knowledge to craft credible phishing attacks or discover how to generate unstable grid conditions. Defenders looking to head off such attacks would do well to focus on identity. Suppliers, contractors and other third parties should be held to the same identity standards as insiders. The principle of least access should apply not just to human user accounts, but also to devices. Instead of checking identity once, at login, identity should be continuously monitored for changes in behavior. The classic example is a supervisory account uncharacteristically logging in at 3AM, but just as concerning would be a networked device whose workflow abruptly changes from communicating with two devices to communicating with twenty. In both cases, the unusual activity may signal a previously trusted account or device has been compromised.
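The two behavioural signals named above (an account logging in at an unusual hour, a device whose set of communication partners suddenly grows) can be baselined and checked continuously rather than once at login. The following is an added example, not Siemens Energy code; the log format, the account and device names and the growth threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed records (not real data): "<timestamp> <login|flow> <principal> <peer>".
BASELINE_LOG = """\
2024-03-01T08:02:00 login supervisor01 hmi-01
2024-03-02T09:30:00 login supervisor01 hmi-02
2024-03-01T08:00:00 flow plc-07 hist-01
2024-03-01T08:00:05 flow plc-07 hmi-01
"""
WINDOW_LOG = """\
2024-03-05T03:04:00 login supervisor01 hmi-01
2024-03-05T08:10:00 login supervisor01 hmi-01
2024-03-05T08:00:00 flow plc-07 hist-01
2024-03-05T08:00:01 flow plc-07 hmi-01
2024-03-05T08:00:02 flow plc-07 plc-01
2024-03-05T08:00:03 flow plc-07 plc-02
2024-03-05T08:00:04 flow plc-07 plc-03
"""

def parse(log):
    for line in log.splitlines():
        ts, kind, principal, peer = line.split()
        yield datetime.fromisoformat(ts), kind, principal, peer

def build_baseline(log):
    """Hours each account normally logs in; peers each device normally talks to."""
    hours, peers = defaultdict(set), defaultdict(set)
    for ts, kind, principal, peer in parse(log):
        if kind == "login":
            hours[principal].add(ts.hour)
        else:
            peers[principal].add(peer)
    return hours, peers

def detect(baseline, log, peer_growth=2):
    """Flag logins outside an account's baseline hours, and devices whose set of
    distinct peers grows past peer_growth times its baseline (once per device)."""
    hours, peers = baseline
    alerts, seen, flagged = [], defaultdict(set), set()
    for ts, kind, principal, peer in parse(log):
        if kind == "login":
            if principal in hours and ts.hour not in hours[principal]:
                alerts.append((principal, f"login at {ts:%H:%M}, baseline hours {sorted(hours[principal])}"))
        else:
            seen[principal].add(peer)
            known = len(peers.get(principal, ()))
            if known and principal not in flagged and len(seen[principal]) > known * peer_growth:
                flagged.add(principal)
                alerts.append((principal, f"{len(seen[principal])} distinct peers, baseline {known}"))
    return alerts
```

Calling `detect(build_baseline(BASELINE_LOG), WINDOW_LOG)` raises one alert for the 03:04 supervisor login and one for plc-07 once its peer set exceeds the baseline multiple; in practice the baseline would be learned from weeks of traffic rather than a handful of lines.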
For many utilities, it will make sense to manage OT security and identity as a service through trusted security platforms. Small and mid-sized organizations that struggle to develop and deploy security solutions in-house can likewise find it challenging to navigate the plethora of solutions, services, and accompanying third-party risks. Establishing a relationship with a single point of contact that provides the expertise needed to identify and prioritize vulnerabilities, then identify and deploy the appropriate solutions, can help simplify decisions. Done right, this approach enables utilities with relatively small budgets to access the kinds of cutting-edge research, development, and best practices seen at the largest energy companies.
Recognizing that there is market demand for a trusted guide in the OT cybersecurity space, Siemens Energy has moved to meet the need. We are working with clients to understand the specific needs of their unique worksites, and the common pain points shared across industry -- for example, recognizing that maintaining accurate asset inventory is a key challenge, we developed methods that automate system architecture mapping. At the same time, we leverage our OT knowledge base to evaluate innovative third-party solutions and develop partnerships with companies like Tenable, SparkCognition, and Amazon Web Services to offer and integrate best-in-class solutions. We ensure these solutions are vendor-agnostic, meaning they will help defend OT equipment from any manufacturer, and we help clients minimize disruptions to production when deploying or updating their security solutions.
We firmly believe that by enabling small and medium-sized organizations to easily access world-class cybersecurity, we help harden weak links in the energy value chain, making a more reliable, stable energy ecosystem. It's how we will help secure the future of the energy economy -- through the energy transition, the digital revolution, the age of AI, and beyond.