56% of utility companies worldwide have lost valuable data, time and money to cyberattacks, just in 2019. Why is the industry facing more cyberattacks now, and what is the secure way forward?
The US government was forced to issue emergency legislation on Sunday after Colonial Pipelines, the largest fuel pipeline in the US was hit by a ransomware cyber-attack. The Colonial Pipeline carries 2.5 million barrels a day – 45% of the East Coast’s supply of diesel, gasoline and jet fuel. DarkSide, a cyber-criminal gang on Friday took control of over 100 GB of data and work to restore the service is still ongoing. This is just one of the many cyberattacks on the Energy sector critical infrastructure in the recent past.
Baltimore City in May 2019 woke up to a crippling ransomware attack that disabled their energy lines for weeks, incurring an estimated $18.2 million in damage. In Florida, there was a botched cyber attack recently to poison the water network jeopardising 15,000 people. Closer to Europe is the Ukraine Power Plant hack of three power generation plants, five years ago, that caused an outage for 80,000 customers.
The number of planned attacks on Power and Utilities (P&U) companies has seen a steady uptick in recent years.
56% of utilities have lost to cyberattacks in 2019.
And it is a direct attack on the business continuity and the bottom line.
76% of energy executive respondents, cited that business interruption was the most impactful cyber loss, including direct loss of revenue, restorative costs associated with reviving operations or improvements to cybersecurity defences, regulatory fines, and legal implications, not to mention the embarrassing reputational damage.
Technical and Human Vulnerabilities
Why is the P&U industry one of the most hacked? Going by the McKinsey report, the P&U industry is more vulnerable to cyberattack due to three weaknesses.
First, there has been an increased number of threats targeting nation-state actors to denote security and economic dislocation or for hacktivists to register their opposition to certain agendas. Second, because of their geographic, organizational complexity, and the decentralized nature of the P&U companies, it gives more “area” for an attack.
And thirdly because of the unique interdependencies between the electric-power and gas sector, and OT and IT networks. The wide gap between physical and cyberinfrastructure with all its wireless smart meters, and the interfaces that condense tons of data on energy generation, transmission, distribution and network into the palm of your hand – makes energy sector companies more vulnerable to contemporary cyber attacks.
The weakest link, though, is human. Employees or users have invariably spread many malware and phishing attempts by hackers. It all points toward the need for awareness and training.
Cyber Security Challenges for the Digitally Expanding Energy Sector
One of the biggest challenges for the utility industry is to have “an up-to-date, built-in cyber resilience in their system and organization that can withstand cyber-attacks and guarantee recovery when hit,” believes Jos Menting, Chief Technologist Cybersecurity, ENGIE Laborelec (Belgium). Jos, who spoke with Prospero Events previously, said that to maintain uninterrupted supply organizations should have cybersecurity behaviour as second nature and address the lack of trained cybersecurity personnel.
The lack of trained cybersecurity personnel is one of the top concerns among CISOs
The interconnectedness of energy and power systems and the contagion effect also pose a tall challenge for energy companies, regulators, and stakeholders. Many companies also don’t seem to have a dynamic risk management protocol in place if they were to be attacked. Jan-Tilo Kirchhoff, Managing Director, Compass Security, Germany who took part in our 6th Cyber and SCADA security for P&U industry 2019, affirms, “security needs to be treated on the same level as safety and health requirements.”
How to Move Towards a Secure Future?
The transforming characteristics of the energy sector and a developing vulnerability profile require a step-change in risk management with a focus on creating dynamic resilience capabilities. These include an agile and adaptive response framework focused on regeneration and rapid recovery.
A Cybersecurity first culture is the need of the hour
The P&U industry is perhaps all too aware of risk management. In a digital scenario, though, preparation exercises seem to lack. Eight out of 10 energy sector organizations revealed they are not actively recruiting digital transformation skills automation or AI. With an aging workforce and the rapid advancement in digitization, this is not good news.
It starts with a cybersecurity first culture within companies. This is critical as attackers keep growing and you need to be up-to-date to defend your business.
We are sharing an outline of an action plan by experts, here.
Here is a golden chance to be updated with the best tech and network with the best minds in Cyber & SCADA security in Europe. Join the 8th Cyber and SCADA Security for Power & Utility industry 2021 to join the conversation on the fast-evolving threat landscape and best practices to prevent, mitigate and manage incidents.