As the power and utility industry increasingly digitalizes itself and gets connected, it has become more and more vulnerable to cyber and other information security threats. Virtually every infrastructure is dependent on the grid, disruption due to any reason would, therefore, have a domino effect on every other critical service including transportation, health, telecommunications, etc.
According to an Accenture research, only half of the utility executives thought they were well-prepared for the challenges of interruption from cyber attack. So we asked the experts from our speaker panel at the 6th Cyber & SCADA security forum for Power & Utilities (2019, Berlin) about their opinion on the threat landscape and possible ways to prevent incidents and mitigate their effect. This article is a roundup of their insights into this very significant topic.
What, in your professional opinion, is the biggest cyber/ information security challenge today facing the utility sector?
“Even more than other industries, utility companies are faced with the challenge of integrating legacy systems and machines into today’s connected world. On top of that, regulatory requirements driven by the threat of cyberwar and cybercrime force utility companies to improve their security at a rapid pace, which often requires a complete change of mindset and culture.”
Jan-Tilo Kirchhoff – Managing Director, Compass Security, Germany
“The most severe cyber threat is those that lead to an interruption of supply. The weakest link in the system is people themselves, as far as lack of awareness and skills gap are concerned. Especially people from operations are not very familiar with the existing kinds of threats and tend to believe that their systems are isolated and safe. On top of that, collaboration inside an organization or among organizations of the same sector can be of great significance. After all, it is a human factor. Last but not least, we have to operate (often legacy) systems that do not have security (and/or privacy) by design, due to lack of broadly accepted security requirements.”
Panagiotis Panousos -Information & Communications Technology (ICT) Director, DESFA, Greece
“The biggest challenge for the utility industry is to have an up-to-date, built-in cyber resilience in their system and organization that can withstand cyber-attacks and guarantee recovery when hit; uninterrupted supply is the main goal. We are still at the dawn of getting organizations at a proper maturity level with regard to cybersecurity behavior. On top of that, we see that cybersecurity is an ever-changing phenomenon that requires the adoption of the cybersecurity program all the time.”
Jos Menting – Chief Technologist – Cybersecurity, ENGIE Laborelec, Belgium
“The biggest challenge will be to implement all new emerging technologies such as Industrial IOT, smart sensors, cloud computing, and Augmented Reality in a secure way in the current landscape.”
Arnold Schuur – ICS/SCADA Security Engineer, ICS Defense, The Netherlands
“From my point of view, one of the biggest challenges on cyber and information security is the understanding of the risk from a business perspective and the necessary knowledge transfer related to this risk. From my work with utilities, digital threats are seen as a problem of the IT department rather than a challenge for the management department. This view is understandable and partly true but has to be shifted to the management level as far as the utility goes digital.”
Guido Gluschke – Director Institute for Security and Safety, Brandenburg University of Applied Sciences, Germany
“In my opinion, the operator’s supply chain is not enough involved in the adoption of security programs and the consequence is a relevant delay in the development and availability of secure solutions for remote control, monitoring, and automation.”
Massimo Rocca, Chairman of European Energy – Information Sharing & Analysis Centre (EE-ISAC)
What, as a priority needs to be done to prevent potential IT threats in the near future?
Our experts agree that prevention is better than cure, and advocate integrating security right from the design phase of any project, rather than as something that needs to be fitted in later on. The overwhelming human factor in cybersecurity incidents all point towards more attention and focus on awareness and training.
“Any project that calls for connected control systems be it a new power plant or an upgrade to the existing sensor’s in a pipeline network must take IT security into account from the start. Security needs to be treated on the same level as safety and health requirements already are today. Meanwhile, utilities should take a minute to reflect on their current IT infrastructure and find out which assets are already exposed to the internet today to prevent immediate threats.”
Jan-Tilo Kirchhoff – Managing Director, Compass Security, Germany
“Cybersecurity awareness in conjunction with encouraging collaboration can lead to an appropriate amalgamation of expertise and skills from both utilities and cybersecurity domains. By such means, we could provide the fertile ground for setting cybersecurity standards and information sharing like vulnerabilities, threat analysis or even cybersecurity incidents.”
Panagiotis Panousos -Information & Communications Technology (ICT) Director, DESFA, Greece
“There is no such thing as a silver bullet to tackle the potential future IT threats; we don’t know them and we don’t know what they look like. What we can do is build systems that are constructed with cybersecurity in mind when designed and at the same time create a cybersecurity culture in the organizations that make the people behave securely when working with the systems. The latter is often underestimated, while studies proof that close to 85% of all cyber incidents is related to human behavior. “
Jos Menting – Chief Technologist – Cybersecurity, ENGIE Laborelec, Belgium
“From my experience, I see that at many companies the “basics” (such as security awareness, IT-OT segmentation, anti-virus, patching, strong passwords, etc) are still not fully implemented, which means that they are unnecessary at risk. I would also like to see companies implement a “security-first” mindset within the entire organization.”
Arnold Schuur – ICS/SCADA Security Engineer, ICS Defense, The Netherlands
“One of the main priorities is a strategic approach to deal with cyber and digital threats, cooperation with other stakeholders, including stakeholders on the academic, national and international level, in order to understand the risk in a proper way and to find effective answers to unsolved questions related to cyber.”
Guido Gluschke – Director Institute for Security and Safety, Brandenburg University of Applied Sciences, Germany
“To prevent IT threats, we need to bring transparency in products, vulnerability management for providers, assurance processes, and continuous testing and training for operators. Information Sharing and Analysis Centres (ISACs) play a significant role in preventing and mitigating security threats to the utility industry. ISACs shall encourage best practice sharing, awareness and mutual information exchange among the members of the network of trust. Mitigation of threats is achieved through information on the attack schemes and on the emerging trends. ISACs have also a leading role creating the conditions among operators and providers to share security programs and development roadmaps in a controlled community.”
Massimo Rocca, Chairman of European Energy – Information Sharing & Analysis Centre (EE-ISAC)
Our systems will continue to face attacks, the more connected we get, the more would be the risk. An organizational culture that emphasizes on security awareness at all levels would contribute to reducing the human factor in such incidents, and designing all systems with security in mind and continuously updating and upgrading the security measures is definitely the way to go.
To know more about the cyber & SCADA security practices of the industry leaders in the utility sector, and to engage in networking focused dialogue with experts, join our 8th Cyber & SCADA Security forum for Power and Utilities Industry 2021.
