One of the most frequently asked questions is: “why has cybersecurity become such a focus area for companies in the Energy Sector?” This is generally followed by a rather long, mostly boring, history lesson on successful cybersecurity incidents impacting Operational Technology (OT) systems dating back to the Stuxnet case. However, very few business leaders understand the reasons why cyber-attacks have increased not only in frequency but also in severity and sophistication.
During the last decade the Energy Sector has seen a rise in the adoption of digital technologies to realize opportunities like remote control; real-time monitoring; enhanced predictive maintenance; improved operational efficiency and productivity; and faster decision-making processes. This increased connectivity and interoperability drives the convergence of Information Technology (IT) and OT environments.
The transition towards clean energy generation is reliant on adding distributed energy resources to the traditional grid enabled by disruptive and emerging technologies. The one component that forms the foundation of all four (4) of these aspects is the rising focus on the collection and usage of large volumes of data.
These five (5) business ambitions have created a perfect ‘playground’ for threat actors, regardless of their motivation: more connected systems mean more potential entry points, more vulnerabilities to exploit, and more severe consequences. Couple that with data being seen as ‘the new oil’, and it creates the perfect incentive for threat actors to target the Energy Sector.
Rising digital adoption, converging IT and OT environments and growing focus on clean energy technologies are amplifying the need for cybersecurity. However, cybersecurity risks are magnified by universal issues that are not technical in nature but dependent on factors like corporate culture and governance. These include:
- Low priority on cyber issues in OT operations and inadequate resource allocation for OT cybersecurity.
- Absence of prioritization of OT cybersecurity risks and of risk mitigation plans, along with unclear ownership.
- Poor asset visibility and the rapid introduction of new devices/systems.
- Complete lack of focus on supply chain and third-party risk.
Regardless of sector, size and/or geographical location, all organizations struggle with these four (4) challenges, and without addressing them no OT environment will ever be truly resilient against cyber threats.
The World Economic Forum (WEF) has released a white paper on the key principles on how to improve resilience within any OT environment[1]. These principles are:
Principle 1: Perform comprehensive risk management of the OT environment
It is key to identify, classify and record all the devices within your OT environment based on criticality and connectivity. Then identify the vulnerabilities and threats, starting with the devices classified as the most critical, and develop risk mitigation plans to be implemented and monitored.
Principle 2: Ensure OT engineers and operators of installations have responsibility for OT cybersecurity
Cybersecurity is NOT JUST an IT issue, and this is a reality all OT engineers and operators must accept. The key is to develop a collaborative ecosystem between OT engineers, operators, IT and Original Equipment Manufacturers (OEM) with clearly defined roles and responsibilities and associated training courses.
Principle 3: Align with top organizational leadership, strategic planning teams and third parties to make security-by-design a reality
Security-by-design is a process materialized through an effective change management program. It must be defined and embedded into the asset management lifecycle with clear assurance checkpoints and technical cybersecurity testing.
Principle 4: Make cybersecurity standards and best practices contractually enforceable on partners and vendors to build a cybersecure OT environment
Reliance on third parties will continue to increase, and it is imperative to develop and enforce robust cybersecurity requirements contractually with all third parties. Third parties must be held accountable for meeting these contractual requirements through periodic audits and consequence management practices, e.g., commercial penalties, contractual exit strategies, etc.
Principle 5: Run joint tabletop exercises to ensure preparedness in case of an actual incident
No amount of investment in digital defenses can fully protect connected systems from cyber threats, especially as the root cause of 95% of all cybersecurity incidents is human error. Therefore, develop and practice a cyber incident response plan through tabletop exercises that include representatives from OT engineering.
By overcoming the four (4) mentioned challenges through the application of the five (5) principles, organizations will maintain resilient OT environments that will form the foundation for introducing innovative and emerging technologies into a converged technical landscape where we can all contribute to building a better, and sustainable, working world.