UNDERSTANDING AND MITIGATING THE RISKS OF CYBER ATTACKS IN THE ENERGY INDUSTRY
When it comes to dealing with cyber threats to energy systems, companies not only struggle to assess the risk but also often fail to develop the in-house tools to understand their own response. This point was underscored by Michael Bell, President, CEO and Member of the Board of Directors, Silver Spring Network, during a World Energy Congress session outlining the key challenges facing companies contending with the risk of cyber attacks.
“Everyone is rushing to adopt technologies but standards need to be used and best practices need to be implemented. It’s important to make sure you have the expertise in-house and not farm it out to someone else. You need to understand it,” Bell underlined. He also described gaps in security, including in the utilities sector: “There are people deploying proprietary, unproven one-off technologies into the supply grid.”
Sean Cleary, Founder and Executive Vice Chair, Future World Foundation, agreed: “Many of those seeking technology solutions don’t know what they’re looking for. Technology vendors have no incentive to do a risk analysis assessment. They have an incentive to sell their product.”
O.H. Dean Oskvig, Vice Chair for North America, World Energy Council and President and CEO, B&V Energy, summed up the extent of the threat: “There are two types of companies: ones that have been hacked and ones that don’t know they’ve been hacked.” He noted that, as most energy infrastructure was designed before modern IT tools and systems, security to protect this infrastructure tends to focus on physical defences at the expense of addressing cyber threats.
Energy sector companies were offered advice on the steps they can take to address internal risks, such as employee carelessness. Cleary summed these up as a matter of ‘attitude, training and experimentation.’
Bell highlighted that it is important for different departments within an organisation to communicate on the issue.
Dean advised that companies carry out simulations of being hacked: “That’s what’s going to reveal where your weak spots are.”
Sharing information and experience will prove vital to tackling the threat. Best practices in dealing with cyber security have been developed for the internet and energy companies can borrow from this experience.
Andrew George, Chairman of Energy Practice, Marsh, addressed the question of how companies can predict threats. George said that while a single-site refinery might be relatively safe, risk increases with operations involving multi-site, multi-system assets. The ability to assess cyber risks is also enhanced with information gathering.
“The more data points you have the more able you are to accurately predict that certain systems have certain vulnerabilities,” George mentioned. This information gathering could be further enhanced by sharing between companies. Surveys and analyses in the oil and gas industry have led to general risk improvement. George added: “We’re at the early stages of replicating that from the cyber perspective.”
Companies that can demonstrate an understanding and management of cyber threats will be better positioned to attract investment and secure insurance. “I’ve seen increasing pressure on companies such as utilities to prove cyber security,” Oskvig added.
A consensus among cyber security experts holds that cyber attacks on energy infrastructure are growing in number, scope and sophistication. A Symantec Corporation study reported that 43% of global mining, oil and gas companies experienced attacks in 2014. Such attacks can disrupt operations, causing blackouts, oil spills, data leaks, losses in production and physical damage, as well as impacting shareholder confidence.
Recent cases include the December 2015 attack on Ukraine’s power grid, which left tens of thousands of customers in the dark.
As highlighted in the September 2016 World Energy Council report, ‘The road to resilience: Managing cyber risks’, increased digitisation of the industry, as seen in smart meters and automated industrialised control systems, has put operations at greater risk for cyber attack.
The report made a series of calls to action for addressing the issue, saying insurance providers should adapt coverage to the new risks, energy companies should view cyber threats as a ‘core business risk’ to assess and respond to, and governments should support them in this.
Energy companies have been accused of lagging in their preparation for system attacks, which have been described as an ‘uninsured time bomb’ for the industry, as policies frequently exclude them. However, steps are being taken to address the issue, including awareness training and improvements to operational systems to strengthen security.
An ABI Research study predicts that oil and gas industry spending on cyber security will grow to USD 1.9 billion by 2018. Collaboration between companies, as well as between the public and private sectors, is likely to prove crucial to mitigating the risk.
Source: World Energy Congress