As new cyber threats evolve and increase for energy networks, Alex Campbell explains why taking preventative measures no longer constitutes a reasonable cybersecurity strategy for network operators.
The G7 Energy Ministers’ recent announcement stating their commitment to addressing growing cyber threats is the latest in a series of movements across and beyond industry to protect critical infrastructure, data and people.
The most memorable cyber-attacks in recent years have targeted personal data sources, but all that changed in December 2015, when the first recorded power outage caused directly by a cyber-attack struck Ukraine. This disruption showed energy networks, governments and the general public the vulnerabilities involved and the impact attacks can have on the physical world.
Regulation around the world
Governments and institutions around the world are reacting to growing threats by drafting new regulation and promoting a range of collaboration initiatives between the public and private sectors. In the EU, for example, the first EU-wide legislation on cybersecurity was agreed upon following negotiations between the European Parliament, the European Council and the European Commission.
The Network and Information Security Directive (NISD) will come into force in 2016. It will impose new rules on Member States, including the designation of national competent authorities to handle and respond to cyber risks and incidents, and the creation of cooperation mechanisms among Member States and the European Commission to share early warnings on risks. It will also oblige operators of critical infrastructure to adopt risk management practices and report major security incidents affecting their core services. This will have profound implications for organizations operating critical infrastructure, especially energy transmission and distribution network operators.
The growing attack surface
Many of the details surrounding the Ukraine attack remain unclear. What we do know is that the attackers used BlackEnergy malware in what appears to be a well-planned and highly sophisticated attack. The origins of the attack, however, are less important than the realization that more attacks on energy networks will inevitably follow as critical systems become increasingly connected to traditional IT networks.
While the convergence of information technology (IT) and operational technology (OT) introduces significant benefits for power companies, it also increases their “attack surface”.
Prevention is no longer enough
Across energy network organisations, the prevailing mindset is that security breaches can be prevented. That has translated into a big focus on preventive controls like firewalls, access management, and antivirus systems. Although still necessary, these controls are no longer adequate to protect against determined and sophisticated attackers.
For advanced cyber threats, more emphasis must be placed on monitoring capabilities to enable early identification of a cyber breach and incident management to contain the impact through a well-rehearsed and companywide breach response process.
Resilience in practice
Last month, the G7 Energy Ministers released a joint statement that announced their commitment to “advancing resilient energy systems including electricity, gas and oil, in order to respond effectively to emerging cyber threats and to maintain critical functions.”
Resilient energy systems are those that know exactly what to do if an attack takes place. It’s about being ready to set in motion the appropriate handling mechanisms for a breach involving all stakeholders including customers, employees, vendors, PR, regulators — to name a few.
To increase the effectiveness of cybersecurity programs, organisations need to first understand what assets they are trying to protect and how attacks can play out within their environment. This will help them build an “Active Defense” that extends the traditional security operations capability by proactively searching for cyber threats before these materialize.
These measures sound good in theory but in reality the industry has a long way to go. EY’s Global Information Security Survey revealed that 19% of the responding power and utilities companies do not have a security strategy in place. In today’s technology-driven world, that figure is hard to believe.
Part of the challenge is that cybersecurity efforts come with a big price tag but little “obvious” ROI. Cybersecurity isn’t easily quantified and, as a result, many organisations will only consider investing in this area following a large breach or if mandated.
The upcoming EU legislation may prove to be a turning point as it will force energy transmission and distribution companies to develop and execute cybersecurity programs to protect critical systems and assets. We’ve seen this play out over the last few years in the US with the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection).
Ultimately, for energy companies, cybersecurity may prove to be the key to unlocking innovation and expansion. By adopting a tailored and risk-centric approach to cybersecurity, these organizations can refocus on the vast opportunities in the digital world.
Alex Campbell, director, EY EMEIA Advisory Centre — Cybersecurity