Building a sound security strategy for an energy sector company

As more and more attacks against companies working in the energy sector become public, it is becoming increasingly clear that those systems are far from impermeable. And it’s not just state-sponsored attackers that are looking for a way in: opportunistic cyber crooks wielding crypto-miners and ransomware don’t care where the target computer is located or what systems they will disrupt.

It’s no wonder, then, that 70 percent of energy security professionals are concerned that a successful cyberattack could cause a catastrophic failure.

“Energy and industrial automation companies have to deal with a distinct array of cyber threats—including not only traditional IT concerns but also a range of operational technology (OT) related endpoints, e.g. programmable logic controllers (PLCs) and industrial I/O modules that do not appear in a typical IT environment. These include well-known OT protocols such as Modbus or DNP3, but also a variety of lesser-known, often proprietary protocols,” says Gary Williams, Senior Director of Cybersecurity Services Offer Management at Schneider Electric, the European energy management and automation solutions giant.

“While the OT energy space is full of many connected devices unique to industry, the attack vectors and hacking approaches are surprisingly similar to any cyberattack in other industries. For example, ransomware arrives most often via phishing emails, and Trojans embedded into OT devices still require credentialed access to the network, so proper defense should start with the human interacting with the system and include the implementation of appropriate behaviors and site security practices.”

Minimizing risk

CISOs working in energy and industrial organizations have to understand the cybersecurity risks they are facing and pinpoint the things that need to be protected.

“Experts who have the best knowledge of the plant and its systems can provide a ‘cold eyes’ review to help new CISOs develop a picture of what vulnerabilities they have and how serious they are,” Williams advises.

To quantify risk in an energy organization, CISOs should focus on the likelihood and severity of an attack. The Common Vulnerability Scoring System (CVSS) can help with that, as it provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

“Security leaders should use CVSS to establish how seriously at risk different elements of the plant are, then match that up to the potential of the loss of that element in the plant. To do this, they will need subject-matter experts on plant operations to contribute to the overall plant risk management strategy and cybersecurity assessment,” he notes.

The most severe risks must, naturally, be addressed first, and resources need to be focused where they will have the most significant effect.

Should the company invest in cybersecurity insurance?

In the energy sector, delivering energy profitably to customers is the primary mission. This makes it crucial to keep the business in operation even through a cyberattack.

“While cybersecurity insurance is a crucial part of the overall risk management plan, it alone will not bring business continuity,” Williams points out. “Also, insurance may cover a monetary loss, but it does not include the loss of reputation or other damage that would result from a loss of service.”

What CISOs should do is make sure they are working with employees to reduce threat exposure.

Security is part of the operations lifecycle, incorporating stronger employee training to plug every hole. This includes everything from heightened personnel screening requirements to regularly reviewing and assessing site and system security protocols to ensure antivirus software is always up to date.

“As an extension of this, CISOs must make themselves and their teams aware of cybersecurity standards for the manufacturing industry, then implement and always adhere to those standards. For example, they should learn about ISA99/IEC 62443, the rigorous standard for industrial automation technology,” he adds.

The goal is to make engaged vigilance a regular activity and bringing accountability to each employee for their part in the security story.

The overarching objective is to make sure that attackers, whether they are nation-state perpetrators with political agendas or low-level cyber criminals motivated by financial gain, look elsewere because they can’t identify security gaps.

“It’s essential to build a sound strategy and execute that strategy with due diligence, and the risk of cyberattack will be significantly reduced,” he concludes.