The threats posed to energy infrastructure by cyberattacks are real, and, during the past few years, the industry has seen a significant change from zero awareness to a constant headline presence. As a result of this shift, companies have put in place ambitious strategies to address the persistent risk that cyberattacks pose to their operations and their economies.
What makes cyberattacks so dangerous is not so much what companies see but what they do not see. These attacks can go unnoticed until the real damage has long been done, and sometimes the most dangerous threats do not make the headlines.
That’s the scary part, all the things that we’re able to anticipate or stop before they happen. There’s a lot more stuff going on than people realize.
“We’ve been dealing with this for many years, and it’s been an ongoing journey of a very focused effort,” said Gary Freburger, president of process automation at Schneider Electric. “It’s not one single event, it’s the accumulation of all the events that continue to happen and, frankly, all the events that happen behind the scenes that a lot of people don’t see. That’s the scary part, all the things that we’re able to anticipate or stop before they happen. There’s a lot more stuff going on than people realize.”
During a panel discussion on energy infrastructure at CERAWeek by IHS Markit, Freburger said organizations undergoing risk assessments of their facilities need to understand the critical parts of that facility. In a broader sense, those critical parts can be divided into three categories: people, processes, and technologies.
Freburger said that people are the most challenging element of any cybersecurity protocol and that the primary challenges in dealing with people revolve around issues of focus. Technology becomes more secure as systems continue to evolve, and process security is a matter of promoting best practices and cooperation within an organization. But getting people to be diligent in their actions and aware of how their actions affect overall security takes a lot of commitment.
While hackers are often skilled at devising workarounds to security barriers, simple phishing attacks can be the most effective way to break through. A 2017 report by Cofense estimated that 91% of cyberattacks and their resulting data breaches began with a spear phishing e-mail. Benjamin Beberness, vice president and global head of the oil and gas business industry unit at SAP, said that no company is immune to this threat, including his own.
“We actually hired some ethical hackers for our company, and, within 20 minutes, they were within our company through phishing,” Beberness said. “They could have worked through our firewall eventually through force, but why do that when they could just send out an email? It was very well done. They promised whomever responded to surveys an iPad, and there would be a winner. They had all the right motivations in there to get people to trust them.”
Another core issue in establishing effective cybersecurity protocol is the convergence of information technology (IT) and operational technology (OT) departments. Traditionally, IT personnel have taken care of critical business applications and related IT cybersecurity, while engineering and operations personnel handled OT cybersecurity and process control. Organizations typically viewed IT and OT as separate domains with clear differences in technology and environmental constraints, but they have increased their use of IT-based technologies within OT systems to help handle the higher costs associated with maintaining increasingly complex systems.
This convergence should help spawn greater operational efficiencies—among other things, IT personnel can help OT better align with business systems such as enterprise resource planning and manufacturing execution systems—and enable the digital manufacturing transformation. It can also help eliminate security gaps between IT and OT technologies that hackers had been able to exploit in the past. But the transition is not easy, and it requires a high level of collaboration between previously siloed sectors. It involves the migration of historical data and supervisory applications to the cloud, as well as the replacement of legacy systems with standards-based commercial hardware and software.
Michael Lester, director of cybersecurity strategy, governance, and architecture at Emerson, said he thought “convergence” was too strong of a word to describe the current shift in IT/OT strategy. The shift, he said, is more about establishing the interoperability of systems, getting them to talk to one another to help a company achieve its business goals and objectives.
“There’s a lot of aging control systems and protocols that weren’t built with security in them. The advantage with cloud technologies and the newer, more modern technologies is that the security is built in them and they have a lot more capabilities than the older infrastructures. But, when you start merging those two together with IT/OT collaboration and technologies, you really have to architect a secure solution and make sure you have a business purpose and a strategy to enable that,” Lester said.
Beberness said one of the major obstacles to IT/OT convergence is the perception that firewalls are an effective security measure. He said the convergence requires cybersecurity teams to rethink their roles.
“I think we have to figure out how we’re going to have the right operational awareness,” Beberness said. “I think it is all about risk, making sure we have the right risk/reward around our investments in cybersecurity from the control systems and so forth. That’s where you need to evaluate where you want to spend your time and energy. Sometimes, everyone focuses just on that perimeter, but there are certain systems you have internally that could have safety issues if they get penetrated.”