More electric utilities and energy companies are turning to cybersecurity vendors for protection against attempted attacks, a growing threat highlighted by the recent disclosure of Russian hacking into their communications networks last year.
The U.S. utility sector faces millions of attempted cyber intrusions a day. Duke Energy, one of the largest power companies in the nation, serving 7.6 million customers, reported more than 650 million attempted cyberattacks in 2017 alone. While a cyberattack hasn’t successfully shut down the U.S. power grid, the threat is real.
“If you want to shut down the infrastructure of a country, you shut down the grid, you shut down the fuel generating refineries,” Eddie Habibi, founder and CEO of PAS, a cybersecurity firm for energy and power industries, told Bloomberg Environment. “That’s what happens at the start of a war, you attack their critical infrastructure.”
A recent alert from the Department of Homeland Security revealed that Russian actors targeted the networks of hundreds of energy and nonenergy companies in 2017, in a campaign that began with spear-phishing emails sent to vendors serving the power industry in early 2016. The hackers successfully accessed one small power plant’s operational technology network, but didn’t shut it down. Five natural gas pipeline companies’ communication systems were hacked in April, but no pipelines were shut down.
“The energy sector is definitely a target for everything from criminals to nation states,” Jeanette Manfra, assistant secretary for the Department of Homeland Security’s Office of Cybersecurity and Communications, told Bloomberg Environment.
Energy Sector in the Cross-Hairs
The frequency of cyberattacks on the energy sector targeting systems that run critical infrastructure, like generation plants, has increased at least sevenfold over the last seven years, Habibi said.
A cyberattack refers to an effort to access data or systems remotely, often with the intention to shut down operations, like a power grid. Cyberattackers can use malware or email intrusions to access a system and perhaps a larger computer network.
Energy companies are turning to cybersecurity providers like PAS and Siemens to better prepare for attacks. And their options are growing: There are more than 850 cybersecurity firms in the greater Washington, D.C., region alone, according to research from American University’s Kogod School of Business.
To combat threats, companies have to protect their industrial control systems—the computers that monitor and control physical devices such as valves and pumps at power plants or refineries, Habibi said.
“Operational technology security has become probably one of the hottest topics at the board level of a lot of the major companies,” he said.
Cybersecurity vendors are working specifically in the energy sector to fill gaps due to a growing shortage of cyberprofessionals. There is a projected shortage of 1.8 million cyberprofessionals globally by 2022, according to a 2017 study by the Center for Cyber Safety and Education.
Stay Calm, Focus on Tech, Culture
Habibi’s first words of wisdom for utility and energy companies: “Stay calm.”
But, he added, “We have a lot of work to do both on the technology side as well as on the culture side.”
“We need to bring a focus to the culture of cybersecurity,” he said. In any given day, you can find at least 1,000 cybersecurity violations at a power plant, including opening scam emails, using unsecured USB drives, and sharing passwords with co-workers.
DHS has said most cyberattacks are occurring in the energy sector. But that’s largely because it has been one of the best at reporting cyberattacks to DHS, according to Scott Aaronson, vice president of security and preparedness for the Edison Electric Institute, which represents investor-owned utilities, like Duke and Southern Co.
“Are we seeing an increase in threats from sophisticated actors? Yeah I think we are,” he said. “Part of what we’re seeing is not just that we’re seeing more of these threats, it’s that we’re actually catching more of them.”
“The power of analytics is so important,” Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens, told Bloomberg Environment.
“We can do a lot through monitoring, visibility, and detection. But it’s not enough to just detect. It’s equally important to understand, to contextualize and to prioritize,” he said.
Siemens partnered with two major cybersecurity firms in 2017 to create a managed cybersecurity business offering, which helps energy clients monitor and detect cyber abnormalities. The first company partner was Darktrace, which specifically works on anomaly detection by helping companies better visualize their assets so they can see attempted intrusions.
“We provide visibility that humans simply can’t see or compute,” Jeff Cornelius, executive vice president of ICS Solutions at Darktrace, told Bloomberg Environment.
The second Siemens partnership is with PAS, which involves asset management.
“We manage, secure, and optimize the performance of the industrial control system,” Habibi said.
A Digital Village
DHS recently announced the formation of a new National Risk Management Center, which solely focuses on sharing cybersecurity information with the energy, financial, and telecommunications sectors.
The Energy Department opened its first cyber-specific office—the Cybersecurity, Energy Security and Emergency Response—in May.
And the Electricity Subsector Coordinating Council is a government and industry group that meets regularly to share information among DHS, the Energy Department, energy trade associations, and energy company CEOs, including Southern Co.
“It’s going to take a village,” Simonovich said. “It’s important to establish an ecosystem of partners that are solving discrete problems, but that in combination can provide the complete solution.”