By Dan Didier
Legacy systems. Complex networks. Tight budgets. These are just a few of the vulnerabilities that position the energy sector as a hot target for cyber criminals. Unlike many other industries, where financial losses are the top concern, an attack on our nation’s critical infrastructure will not only have an economic impact, but could be detrimental to the health and safety of workers and residents in nearby communities. Don’t think malicious actors aren’t paying attention - attacks on electrical and energy companies are on the rise.
From nation-states and politically motivated hackers, to script kiddies and disgruntled employees, threats are coming from an entire host of adversaries, each looking to take advantage of the industry’s pitfalls and recent shift toward digitization. Adding fuel to the fire, the energy industry has a unique set of security requirements. This leaves many energy companies struggling with a tough choice: Do they want to be compliant, or secure?
Unfortunately, most power organizations are so laser focused on compliance that they lose sight of what must be done to actually improve their security program. Why? For one, this compliance-based approach predates the modern age of cybersecurity; it’s been a part of the energy sector for so long that it’s baked into the operations. With security risks becoming greater and greater, it’s time for energy companies to make the switch from a compliance-based approach, to one that uses risk to guide their security programs.
Ideally, power companies should focus on both compliance and security, where compliance is a byproduct of the security program. There isn’t a single way of doing this, however, and it all depends upon the potential risks of each organization. Here’s a closer look at how energy companies can vastly improve their security programs, while maintaining compliance at the same time:
Expand Approach: The security issues of an organization cannot and should not be addressed only by the compliance or IT departments – nor should security be pigeonholed into any other department. If a security program is going to be successful in today’s increasingly digitized environment, it must be elevated to a business decision that includes all departments; security threats impact the entire business – not just a single department.
One problem with leaving it up to compliance is that, like all departments, the compliance department has many other issues to focus on. Plus, when security decisions are made within the bounds of existing compliance functions, it prevents the organization from making risk-based decisions, instead relegating the security function to a checkbox in a long list of checkboxes that all share the same budget. Likewise, the IT department is trained to look at cybersecurity as a technology issue when, in fact, many of a company’s top risks have nothing to do with technology, and everything to do with people and processes.
Focus on Risk: More than half of executives within the energy industry concede that they have not fully identified the risks they could be exposed to. This is alarming on all levels, because understanding an organization’s unique risks is the only way a company can begin to implement a comprehensive security plan to address those vulnerabilities. If a risk management capability is not established early on, companies will be solving the wrong problems, wasting valuable resources, and leaving critical assets under protected. On the other hand, establishing and prioritizing risk can help companies can gain much more value from their resources, all while reducing the risk to their business.
Have a Corrective Action Plan: Once priorities have been established using risk, companies should develop a corrective action plan that can be successfully carried out with the company’s available resources. This plan should clearly identify top risks, the individual (not department) responsible for the execution and planning necessary to remediate the risk, how much it will cost the organization, and a target date for remediation. Not only does the plan help provide visibility to senior leaders and the board, but it allows everyone to agree on the cost, and path to resolution.
Plan for Failure: Not all risks are known, and not all risks - known or unknown - are managed in a way that eliminates failure. Because of this eventuality, companies must have a disaster recovery plan to ensure operations continue when there is a failure. It’s a simple idea, but it escapes most people due to their complex work environments. In the energy sector especially, energy systems are becoming increasingly intertwined not only with communications and information technology, but also with the natural environments in which they serve. It doesn’t help that most of today’s technology is already confusing for many people. As human beings, we tend to respond emotionally under critical situations. On the other hand, a good disaster recovery plan will remove the confusion that arises in a crisis, and provide a process that helps to quickly identify the steps a company can take toward recovery. The plan should also provide visibility to the process at the highest levels, so the board of directors can look at it, understand it, and approve it.
As the energy sector continues to evolve toward digitization, the vulnerabilities will only increase, and the attacks will become much more sophisticated. It’s only a matter of time before a major, full-blown attack will be successful in penetrating the defenses of our critical infrastructure. We must take a hard look at the relationship between compliance and security; compliance does not mean we are secure. Success depends upon our ability to understand the risks, prepare for likely impacts, and take swift action to mitigate the damage when our risk management capability does fail.
Dan Didier (MSIA, CCSP, TSS) is an entrepreneur, speaker and Vice President of Services for GreyCastle Security. With nearly 20 years of security experience in a wide range of industries including critical infrastructure, finance, healthcare, manufacturing and other prominent industries, Dan brings extensive expertise as a technical security engineer and business-focused risk manager.
GreyCastle Security| http://www.greycastlesecurity.com