Prioritizing Cybersecurity in the Energy and Utilities Industry

Justin Turner, Director Energy & Utilities Cybersecurity and Data Privacy
Heather Grissom, Manager Energy & Utilities Cybersecurity and Data Privacy

As the E&U industry becomes increasingly reliant on technology to perform business operations, securing the systems becomes fundamentally important. Attacks in the industry can lead to serious consequences, including financial losses and business disruptions.

At a glance

What are the threats?

  • Ransomware attacks are becoming one of the most significant and prolific threats to the E&U industry.
  • E&U companies also face threats from supply chain attacks, incomplete integration of systems, incident response failures, and identity and access management inefficiencies.

Where are the concerns dictating prioritization of efforts?

  • Securing the field — operational technology (OT)
  • Third party risk management
  • Security skills shortage
  • Operational resiliency
  • Data privacy and security

The bottom line

Poor cybersecurity posture can result in vulnerabilities that leave a facility open to an attack, which can result in data theft, financial loss, physical equipment damage, disruption of business operations, brand erosion and even loss of life.

Cybersecurity continues to be an increasingly important priority across multiple industries. One industry where it might not have received adequate attention historically is energy and utilities (E&U), but the impact of a cyber attack on critical infrastructure could be detrimental. As the E&U industry becomes increasingly reliant on technology to perform business operations, securing the systems becomes fundamentally important. Attacks in the industry can lead to serious consequences, including financial losses and business disruptions. Operational disruptions from attacks could have a direct impact on people’s everyday lives and the services we depend on, such as electricity and the gas we put in our cars. More detrimentally, attacks in the E&U industry can lead to environmental harm and economic instability, and can have a domino effect on other industries and businesses.

What are the threats?

The threat landscape for E&U companies is significant since cyber attacks can occur across the chain of business, from generation and transmission to distribution and customer delivery. Additionally, due to the nature of the legacy technologies used and the combination of physical and cyber interdependencies, the window of opportunity for cyber attacks is widening.

Ransomware attacks are becoming one of the most significant and prolific threats to the E&U industry. The largest cyber attack against the energy infrastructure occurred through such an attack on Colonial Pipeline in May 2021. The attack threatened remote takeover for over 5,500 miles of pipeline, and company leaders proactively shut down operations for six days. The shutdown at the largest provider of fuel on the East Coast created fuel shortages that caused lines at the pump, dramatic price increases and hoarding of items in short supply. Colonial Pipeline paid a ransom worth roughly $4.3 million — and the attackers impacted operations without ever accessing field equipment directly.

Alongside threats of ransomware, E&U companies also face threats from supply chain attacks, incomplete integration of systems, incident response failures, and identity and access management inefficiencies. Regardless of the threat type, companies should start protecting their vulnerabilities and addressing security concerns.

Where are the concerns? Where should we prioritize our efforts?

Securing the field — operational technology (OT)

Operational technologies (OT) such as SCADA and industrial control systems (ICS) are vulnerable to attacks since they are connected to wider networks for the business. Since OT systems were not designed with security in mind, most are inherently immature and lack the proper security controls. Additionally, the costs of upgrading an OT network are high, which can be difficult to justify for executives and shareholders, since the cost does not provide an easily discernible benefit to the business. However, the cost of an OT system being breached is significantly higher.

With the 24/7 nature of OT production environments, maintenance windows are infrequent. This leaves a small window for patching, updating and rebooting, usually causing hesitation about making changes to a production system.

There are resources that companies can refer to as a good starting point for securing OT systems. In April 2022, the National Institute of Standards and Technology (NIST) released the SP 800-82r3 Guide to Operational Technology (OT) Security, which provides guidance on how to improve the security of OT systems while addressing their unique performance, reliability and safety requirements.

Additionally, regulatory requirements are starting to be enforced in the industry around securing OT systems. In May 2021, in response to the attack on Colonial Pipeline, the U.S. Transportation Security Administration (TSA) announced reporting requirements for critical pipeline owners and operators. The requirements called for designation of cybersecurity coordinators with 24/7 availability, review of cybersecurity practices, identification of vulnerabilities and reporting of remediation results to the Department of Homeland Security (DHS) within 30 days, as well as reporting of any cybersecurity or physical security incident within 12 hours of identification.

In July 2021, the TSA called for pipeline operators to implement cybersecurity contingency and recovery planning, as well as reviews of cybersecurity architecture to focus on cyber hygiene practices like multifactor authentication, patching and proper segmentation of networks. TSA regulations are now being pushed to railroad companies and are expected to follow for other sectors.

Third party risk management

In March 2022, a cyber attack on Toyota’s supply chain shut down 14 factories in Japan for over 24 hours, causing financial loss, business disruption and impacts to its reputation. A supplier of plastic parts and electronic components to the automaker was attacked with malware, and it was unable to ship parts. Due to Toyota’s heavy reliance on the supplier, this attack caused the company to suspend production operations, reducing production by 5% or 13,000 units.

Safety and availability are usually the first priorities when selecting third parties, but risk management should also include security risk. When investing in third parties, it is important to identify the business impacts to the organization if a key supplier in the supply chain (either upstream or downstream) is compromised. Due diligence activities should be performed to ensure that data is being protected if third parties are hosting systems or applications.

Security skills shortage

Traditionally, E&U companies have been focused on keeping business operating and have not prioritized security. Since the industry is shifting to adapt new technologies to business processes, the need for security skills and personnel is growing. According to Cybersecurity Guide, “The global deficiency in skilled cybersecurity workers exacerbates the difficulties in meeting today’s energy industry challenges. America needs well-trained cybersecurity professionals. These professionals are required for both private industry and the government for the protection of critical infrastructure assets.”

One option in response to talent shortages in the marketplace is investing in managed security services. Managed security services providers (MSSPs) are third-party professionals that monitor and manage assets aimed at protecting data from potential cyber attacks. These services are remote and often offer 24/7 coverage. Benefits of hiring MSSPs include cost savings, access to expertise and tools, automatic detection and resolution of vulnerabilities, scalability, quick response time, and more time to focus on the business.

Operational resiliency

In the event of a cyber attack, it’s crucial for an organization to be able to continue or restore operations. In the past, operational resiliency has been primarily focused on back-end corporate systems and ensuring proper recovery from data centers. However, if remote field sites are not able to be reached or imperative systems (e.g., SCADA) go down, manual procedures should be in place to continue operations to serve customers.

Business continuity planning should be an essential part of the organization’s priorities. By properly planning for business disruptions due to cyber attacks, national disasters, or other extreme events, the organization can minimize negative impacts.

Data privacy and security

While new technologies offer new opportunities and benefits for utilities, consumers and vendors in the E&U industries, they also increase the amount of data captured and utilized. On average, the cost of a data breach rose by 10% from 2020 to 2021. The E&U industry ranked fifth in data breach costs, surpassed only by the healthcare, financial, pharmaceutical and technology verticals, according to the 17th annual Cost of a Data Breach Report. The report, which has grown into a leading benchmark resource in the cybersecurity industry, shares that the average cost of a data breach in the E&U industry is $4.65 million.

Social engineering, system intrusion and web application attacks made up 98% of energy data breaches in 2021. Phishing, or social engineering, attacks were the most common, although ransomware attacks continue to be a threat for the sector.

It is important to identify which data is deemed sensitive for the organization. Once this is defined, it is essential to determine where it lives and which business processes leverage that data before it can be properly protected.

What are the risks of not making cybersecurity a priority?

In the E&U industry, it is more necessary than ever to consider cybersecurity. Poor cybersecurity posture can result in vulnerabilities that leave a facility open to an attack, which can result in data theft, financial loss, physical equipment damage, disruption of business operations, brand erosion and even loss of life.

How do we get started?

Managing cybersecurity risk in the E&U industry is challenging for many organizations. To counterbalance the ongoing cyber threats, the industry must make cybersecurity a priority and ensure that it is part of the core business strategy. The key is to appropriately identify areas of risk to the organization, prioritizing the areas listed in depth above.

Protiviti has an experienced team of professionals with expertise in the E&U industry, as well as the security and privacy space, with experience in leading frameworks, compliance regulations and providing greater assurance for the safety and resiliency of operational environments. Our team understands the unique safety and operational challenges of E&U environments and has experience assisting clients with improving the security and resiliency of their production environments and networks.
