In October 2019, the Ponemon Institute and Siemens released their joint report assessing the state of cybersecurity in the energy sector. The report, “Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?,” surveyed 1,726 utility cyber professionals in an effort to assess the maturity of the industry’s cybersecurity practices and gauge the sector’s readiness to address future attacks. In describing the goals of the report, Leo Simonovich, global head of Siemens’ Industrial Cyber and Digital Security division, notes the unique challenges faced by utility companies. In particular, “digitalization,” the coupling of traditional infrastructure operational technology (machines, systems, and networks used to generate, transmit, and distribute power) with digital information technology (servers, computers, and mobile devices that enable business operations in the utility industry in office environments) brings clear benefits, but also the possibility of disproportionate risks. “Across the energy industry, many organizations share the difficult challenge of keeping ahead of attackers, while taking advantage of digitalization.” Simonovich further notes that many organizations report challenges in effectively aligning OT defenses with IT defenses. This effort is made more complicated by the fact that OT technologies are increasingly equipped with IT software.
The survey results indicate that the risk of a cyber-attack on energy companies is worsening, and readiness is “uneven and has common blind spots.” Moreover, according to the report, cyber threats now pose a greater risk to a utility organization’s OT environment than its IT environment. “Where past attacks primarily targeted data theft, current and future attacks can hijack control systems and logic controllers that operate critical infrastructure with the intent to cause physical damage and outages.” The report further concludes that while distinguishing between OT security and IT security is of vital importance to a mature cybersecurity posture, it remains a major challenge for many organizations across the industry. A leading factor contributing to this particular challenge appears to be the lack of skilled personnel. 56% of respondents report gaps in available skillset as a major impediment to achieving OT security maturity. Survey respondents also identified other challenges to OT security, including the rise of sophisticated attacks (61%), isolated and fragmented systems (55%), slow detection of security exploits and data breaches (52%), and the lack of any clear OT ownership (42%).
These challenges and associated risks take on an even more urgent tone when one considers the increase in attack frequency. 56% of respondents report at least one attack involving the loss of private information or an outage in the OT environment within the past 12 months. Four percent report 10 or more such attacks within the past 12 months. The report theorizes that 30% of cyber attacks on energy OT are not detected. 54% of respondents expect an attack on critical infrastructure in the next 12 months.
The report comes at a time of increased focus on utility companies and the security of the nation’s energy infrastructure. On November 6, 2019, the FBI’s Houston field office briefed oil and gas enterprises on cyber threats currently facing the energy sector. The classified presentation to nearly 60 people from energy companies and federal agencies included a briefing and panel discussion that focused on protecting pipelines, power lines, refineries, and other facilities from espionage, hackers, and overseas-led cyberattacks.
Utility and energy companies for their part remain vigilant in not only identifying risks but meeting them as well. In early November 2019, more than 6,500 government officials and many of the biggest players in the energy sector came together to conduct a simulated cyber-attack on the electrical grid. The event, called GridEx, takes place every other year and posits a scenario that imagines the U.S.’s power grid under cyber-attack. While GridEx organizers insist that such an event is unlikely, the consequences stemming from an attack on the nation’s power grid are so severe as to warrant such exercises. A so-called “black swan event” would have devastating ripple effects that go far beyond the inconveniences of homes without heat or consumers without smartphones. It could also foreseeably bring down large portions of the telecommunications, media, and finance sectors. Though such events may seem unlikely, they are not unprecedented. In 2015 and 2017, intelligence experts concluded that cyberattacks orchestrated by Russia were responsible for periodic power outages in Ukraine. Likewise, Stuxnet, the infamous malicious computer worm uncovered in 2010, crippled Iran’s nuclear program.
The energy footprint in the United States is vast and fragmented, with various owners and operators currently co-existing across the country. Moreover, grid governance does not end at America’s border. The U.S. power grid interconnects with Canada’s grid, which only creates an additional challenge to an already complex system. Sufficiently protecting this spider web of energy will continue to be a top priority and a top challenge for those in the industry and the government agencies supporting and regulating them.