This year the World Economic Forum’s annual Global Risks Report named cybersecurity as the biggest single risk. New Power asked the European Network for Cyber Security’s Michael John how energy companies are responding
How do you see cybersecurity threats evolving?
Attacks are becoming more sophisticated and capabilities more advanced. The industry experienced its first real-world attacks with two incidents that affected the Ukrainian power grid in December 2015 and December 2016. Another example would be the Triton malware, which successfully targeted a safety instrumented system (SIS) of critical infrastructure in the Middle East at the end of last year. We can expect this trend to continue.
What new actions should companies take to decrease vulnerability to cyberthreats?
Utilities now have elaborate cybersecurity programmes that address security architecture and design as well as security operations. It is, however, difficult to address the security of legacy systems, because they were not designed with security in mind at the time they were deployed. As our grids become smarter and more connected, this becomes a problem.
We want to help the community by providing our members with guiding documents, security requirement baselines and reference architectures to address security and secure operation of new as well as legacy systems.
Utilities also need to keep working to increase cybersecurity awareness and skill throughout their organisations. One of the biggest vulnerabilities hackers can exploit remains human error – think of phishing scams, for example. By encouraging industry-specific cybersecurity skills in technical staff – and general awareness throughout the organisation – utilities can make a big difference. That’s part of the thinking behind our new Red Team/Blue Team training programme, which we’ve been conducting with utilities since December.
In your opinion, do you think companies are taking any wrong or misguided actions on cybersecurity?
Generally, energy companies aren’t doing much wrong on cybersecurity – they’re doing the right things. They just need to do more of the right things. Most companies now understand the importance of cybersecurity and the potential for cyberattacks. It’s more a matter of raising awareness of threats and the potential impacts on critical infrastructure.
With this comes understanding of how an organisation could be hacked and what can be done to prevent it. So more training and pan-industry collaboration are essential. If there is any misguided action, it is to try to tackle security alone.
Have lessons been learned about the best way to ensure individuals follow the practices required to maintain cybersecurity?
Security is a process and requires the commitment of everyone involved, throughout the ranks of an organisation. It will not be successful without senior management support; for this, we have observed that security awareness sessions are very effective where the impacts of potential security breaches can be demonstrated.
This also applies to people working daily with critical infrastructure components, to ensure they are following the guidelines for secure operation. In addition to this, it is of utmost importance that any projects that deal with critical infrastructure follow a security-by-design approach, incorporating the right measures at the start.
First published in the February 2018 issue of New Power Report