Published on 12/05/2016 | Technology
Cybersecurity is today, and will continue to be, a major issue and focus area for the bulk electric system (BES). The information age has blurred the once clearly defined boundary between cybersecurity and the physical environment. There are many examples of devastating impacts stemming from energy infrastructure disasters, and the energy sector's increasing automation and reliance on digital systems for its operations has vastly increased its exposure to cyber attacks. Well-resourced state actors are persistent and increasingly sophisticated, and malicious software, offensive tooling and cyber criminal know-how are becoming more widely available.
The following key findings should be factored into your cybersecurity business strategy:
In the energy industry, the evolution of technology itself is partly responsible for today's elevated threat environment. Increasingly, industrial and process control systems communicate with each other and with the devices they manage via Transmission Control Protocol/Internet Protocol (TCP/IP), the common language of the Internet. Many of these systems have not been hardened against security threats and may be exposed to the Internet or to corporate IT systems (the intranet). Reducing the available avenues of attack, typically by changing default passwords, applying firewall restrictions, closing unused ports, conducting secure code review of applications, removing unnecessary software, implementing least-privilege access, and disabling or removing unnecessary services, shrinks the attack surface and with it the number of vulnerabilities an adversary can exploit.
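The hardening steps listed above are easiest to keep honest when they are checked mechanically against a host inventory rather than ticked off by hand. The following is an added example, not code from the original article: a small Python audit that compares a constructed snapshot of a control-network gateway against a per-zone allowlist of required ports, a list of vendor default credentials, and a list of packages that do not belong on the host, then reports a finding and a remediation for each deviation. The zone names, port allowlist (Modbus/TCP 502, DNP3 20000, SSH 22, HTTPS 443), default-credential list, package names, host addresses and the unsalted SHA-256 password representation are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

# Ports a host in each network zone is expected to expose (assumption for the example).
REQUIRED_PORTS = {
    "control": {22, 502, 20000},
    "corporate": {22, 443},
}

# Vendor default credentials to test for; constructed list, not a real wordlist.
KNOWN_DEFAULTS = [("admin", "admin"), ("root", "password"), ("operator", "operator")]

# Software with no business on a control-network host (assumption for the example).
UNNEEDED_SOFTWARE = {"telnet-server", "vsftpd", "xinetd"}


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class Listener:
    proto: str
    port: int
    bind: str       # address the socket is bound to
    process: str


@dataclass
class Account:
    user: str
    pw_sha256: str  # unsalted SHA-256 of the password: a constructed simplification
    sudo_all: bool  # may run any command as root


@dataclass
class Host:
    name: str
    zone: str
    listeners: list
    accounts: list
    packages: set


def audit(host):
    """Return (severity, finding, remediation) tuples for one host snapshot."""
    findings = []
    required = REQUIRED_PORTS[host.zone]
    for l in host.listeners:
        if l.port not in required:
            findings.append(("high",
                f"{l.process} listens on {l.proto}/{l.port} but is not required in zone {host.zone}",
                f"disable {l.process} and block {l.proto}/{l.port} at the host firewall"))
        elif l.bind == "0.0.0.0" and host.zone == "control":
            findings.append(("medium",
                f"{l.process} on {l.proto}/{l.port} is bound to all interfaces",
                "bind to the control-network interface and restrict source addresses"))
    for a in host.accounts:
        for user, password in KNOWN_DEFAULTS:
            if a.user == user and a.pw_sha256 == sha256(password):
                findings.append(("critical",
                    f"account {a.user} still uses the vendor default password",
                    "set a unique password before the device goes on the network"))
        if a.sudo_all and a.user != "root":
            findings.append(("medium",
                f"account {a.user} has unrestricted sudo",
                "grant only the specific commands the role needs"))
    for pkg in sorted(host.packages & UNNEEDED_SOFTWARE):
        findings.append(("low", f"unnecessary package {pkg} is installed", f"remove {pkg}"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed snapshot of a gateway as shipped: defaults unchanged, extra services on.
AS_SHIPPED = Host(
    name="plc-gw-01", zone="control",
    listeners=[
        Listener("tcp", 502, "0.0.0.0", "modbus-proxy"),
        Listener("tcp", 20000, "10.10.5.3", "dnp3d"),
        Listener("tcp", 22, "10.10.5.3", "sshd"),
        Listener("tcp", 23, "0.0.0.0", "telnetd"),
        Listener("tcp", 80, "0.0.0.0", "httpd"),
    ],
    accounts=[
        Account("root", sha256("password"), True),
        Account("admin", sha256("admin"), False),
        Account("operator", sha256("Tz9!kq-4Lm"), True),
    ],
    packages={"openssh-server", "modbus-proxy", "telnet-server", "xinetd"},
)

# The same gateway after the hardening steps have been applied.
HARDENED = Host(
    name="plc-gw-01", zone="control",
    listeners=[
        Listener("tcp", 502, "10.10.5.3", "modbus-proxy"),
        Listener("tcp", 20000, "10.10.5.3", "dnp3d"),
        Listener("tcp", 22, "10.10.5.3", "sshd"),
    ],
    accounts=[
        Account("root", sha256("n0t-th3-d3fault"), True),
        Account("operator", sha256("Tz9!kq-4Lm"), False),
    ],
    packages={"openssh-server", "modbus-proxy"},
)

if __name__ == "__main__":
    for severity, finding, fix in audit(AS_SHIPPED):
        print(f"[{severity}] {finding} -> {fix}")
    print(summarize(audit(AS_SHIPPED)), audit(HARDENED))
```

Run against the as-shipped snapshot, the audit reports eight findings (two critical default credentials, two unneeded listeners, two least-privilege and binding issues, two unnecessary packages); against the hardened snapshot it reports none, which is the state a compliance reviewer would want to see evidenced. In a real deployment the inventory would be collected from the host (listening sockets, local accounts, installed packages) rather than constructed, and default credentials would be tested through the system's own password verifier instead of by comparing unsalted hashes.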
The challenge in setting a current and future cybersecurity compliance strategy lies in cutting through the vast web of laws, regulations and interagency agreements expected to play a role in the cybersecurity space. In light of the current cybersecurity risk environment, failure to take reasonable preventative steps to mitigate cybersecurity risk may expose the private sector to government investigation and enforcement action. The highest priority for energy companies wishing to limit their potential liability for cybersecurity breaches is understanding which regulators might come looking for answers in the event of a cyber incident and what information or documentation they will seek. The second step is to understand government expectations regarding the prioritization of energy assets and their associated risk. This supports cost-effective compliance program development and implementation.
For years, policymakers have been concerned about a catastrophic cyber attack that could disrupt the electric grid, causing widespread power outages. Some leading military powers are developing cyber warfare capabilities that aim to take down the IT systems of opposing armies and the civilian infrastructure that supports them in the event of conflict. Our modern armed forces' mobility, logistics, and communications systems would likely fail without reliable sources of energy. Nation-states' intelligence, security, and military services bring the most sophisticated and best-resourced tools to cyber intrusions against the energy industry. It is likely that some energy firms' networks have already been penetrated by intrusions that are, in effect, military reconnaissance probes.
The cybersecurity environment is constantly changing, and so has the business perspective on technology products. In general, the Information Technology (IT) department no longer dictates what technology the business will use (as it once did with, for example, BlackBerry devices); instead, business units tell the IT department what technology they need integrated and supported. Businesses must decide how to keep pace with the competition, since adopting new technologies can raise the value of a product or service. Any digital device that is used directly or indirectly to help run the business is a potential point of vulnerability.
The business puts a lot of faith in judgment and intuition when it comes to people, whether employees, contractors, consultants, vendors or others. We believe that the people we hire have the organization's best interest at heart and exercise appropriate care when it comes to company security. Yet many cybersecurity experts have identified people as the highest-risk area for a business, regardless of industry. People have emerged as a key risk because, knowingly or unknowingly, they can act in counterproductive ways that cause significant damage to the business. This is driven in part by the greater access individuals now have to critical information and systems.
“One caveat of outsourcing is that you can outsource business functions, but you cannot outsource the risk and responsibility to a third party. These must be borne by the organization that asks the population to trust they will do the right thing with their data” (Verizon 2012 Data Breach Investigations Report, 2012). While businesses can outsource responsibility for the delivery of a security service, they cannot outsource accountability should that security service fail. Organizations should work closely with suppliers to minimize the risk of security failure.
The greatest shift in cybersecurity relates to focus and responsibility, moving from strictly an “IT issue” to a business function (Wince, 2016). Security is now treated as a shared responsibility, a daily due diligence that employees at every level must make time for. The Target breach of 2013 forever changed the cyber environment: 110 million customer records were compromised, creating a domino effect of accountability within corporate operations. In 2014, industry leaders eBay, JP Morgan Chase and Sony Pictures were hacked. 2015 saw the healthcare industry's largest intrusion (80 million records compromised) when Anthem revealed it had suffered a breach, and the Office of Personnel Management was breached, compromising more than 22 million records. Of those five data breaches, two top executives lost their jobs as a direct result and two other executives were later “transitioned” out of the business.
This article was originally posted on LinkedIn.