Igniting cybersecurity in the energy sector
By Simon Mouat, Vice President of Energy, Schneider Electric
Tuesday, 20 September, 2016
With the Prime Minister recently announcing the appointment of Australia’s first ever Cybersecurity Minister, it’s no secret that cybersecurity is high on the national agenda. Indeed, the Turnbull government’s Cyber Security Defence Strategy is a solid step in the right direction — and is further evidence that action on cybercrime is more important than ever. The strategy incorporates more than $230 million to fund initiatives such as a Cyber Security Growth Centre, including looking at the implications of cybersecurity in relation to Australia’s critical infrastructure.
In recent years we’ve witnessed a significant shift towards the integration of open communication platforms, such as Ethernet and Transmission Control Protocol (TP)/IP, across a range of industries, including mining and manufacturing, utilities, electricity and water management. This means that our critical industries are more open and connected than ever before.
Of these industries, the energy sector is at particular risk. Research from Ponemon Institute shows cyber attacks on the energy industry account for 41% of all reported cyber attacks on the public and private sector globally. Meanwhile, attacks on government, health care and finance account for less than 4% each.
The prevalence of attacks in the energy sector can be largely associated with the increase of digitised, connected and integrated operations which have enabled power networks to become ‘smarter’. This has predominantly been supported by operational technology (OT) — hardware and software used to monitor and control plant processes, equipment and devices, with the primary purpose of making things work. By harnessing connectivity in this way, energy businesses have been able to improve uptime and enhance productivity. However, while integrating technology brings many business benefits, the reality is the more connected these enterprises become, the more open they are to cybersecurity breaches.
In this new era of operations, industrial equipment that may have once functioned in silo is now part of a complex network that is only as strong as its weakest point. Consider, for example, the impact of a substation malfunction that cuts off electricity to an isolated town; the fault may be minor but can affect hundreds, thousands, even millions.
The potential costs of having vulnerable technology targeted can vary from significant to astronomical, especially considering large-scale operations such as those in the utilities industry. Just a few months ago, hackers in Ukraine remotely installed malware and switched breakers that were part of an electrical grid. The interference caused a blackout, cutting power to more than 225,000 people, and was the first known successful cyber intrusion of its kind to completely knock a power grid offline. Although it was the first known such attack, it isn’t the only one, and it certainly won’t be the last. These sorts of attacks are not uncommon, we simply just don’t hear about them; unless, of course, they cause significant damage.
In light of this, cybersecurity should be a part of a utility’s bread-and-butter business strategy. Organisations wanting to adequately safeguard themselves from such calamity must act on the threat of cyber attack prior to implementing new technology, not after.
The good news is that many in the industry have realised the severe damage an attack of this kind could yield and utilities are taking steps to secure their systems to mitigate the threat of cyber attack. In doing so, many often look towards the more mature cybersecurity industry in the IT world for advice. The trouble with this is that the IT approach to cybersecurity is incompatible with the principles and priorities of facility operations. Unlike IT, when it comes to protecting the OT, it’s continued operation that’s most crucial, not information. These fundamental differences in approach mean that cybersecurity solutions and expertise strictly geared towards the IT world are often inappropriate for OT applications.
To overcome this, protecting against cyber threats in the OT environment requires greater cross-domain activity where engineers, IT managers and security managers are required to share their expertise to identify the potential issues and attacks affecting their systems. With the realms of IT and OT converging, smarter and stronger solutions are fast becoming a reality.
But with this said, mitigating risk and anticipating vulnerabilities to attacks on utility grids and systems is not just about installing technology. Utilities must also implement organisational processes that include regular assessment and continuous improvement of their cybersecurity and physical security processes. Furthermore, as utilities experience the convergence of IT and OT, it becomes necessary to develop cross-functional teams to address the unique challenges of securing technology that spans both worlds.
Unfortunately, there is no single standard that defines a ‘good’ level of security — it’s not a matter of having ‘achieved’ a cybersecure state. The key to optimising cybersecurity in the OT context is to have processes and technology in place that align best with the specific functions and features that underpin the infrastructure, because without pivotal OT operation, business cannot function.
As the energy sector becomes increasingly hyperconnected, the need to be cybersecure will only continue to mount. In today’s digitised, technology-driven economic landscape, hacking one piece of industrial equipment can now be the same as attacking a million. This is a very real threat that organisations, along with the Australian Government, must begin to face. And with a high degree of risk involved, it’s crucial to act now, or risk being left behind.
Strategies for navigating Java vulnerabilities
Java remains a robust and widely adopted platform for enterprise applications, but staying ahead...
Not all cyber risk is created equal
The key to mitigating cyber exposure lies in preventing breaches before they happen.
How AI can help businesses manage their cyber risks
Artificial intelligence can be a powerful ally in the fight against cyberthreats.