Because the nation’s power grid is, by definition, connected, the energy companies that supply or support that grid are at tremendous risk. As the recent attacks on Experian and Yahoo clearly demonstrate, hackers with vicious intent are becoming quite adept at penetrating and exploiting gaps in cyber security in a wide range of industries.
The energy industry is no exception, and in fact is arguably at far greater risk than other industries such as health care and finance, if for no other reason that the power grid is so ubiquitous. It’s also tempting, depending on the motivation of the hacker who’s trying to penetrate it.
At first glance, the energy industry might not seem like a desirable target. Unlike the financial services industry where detailed information about customers (such as social security numbers and credit card accounts) can be put to use immediately for illicit financial gain, the energy industry might seem to offer little incentive for attacking it.
Unfortunately, there are several reasons that the energy industry is at risk.
What Does The Energy Industry Need to Guard Against?
Madness—An energy company could be vulnerable from a former employee who lost their job; in this case, madness represents anger and a desire to seek revenge. In another scenario, a hacker may just be flat-out crazy and has no motive other than to cause problems for the sake of causing problems. Either way, inconveniencing thousands or tens of thousands of people by forcing them to live without electricity for a time might seem to the aggrieved individual as a fair payback.
Mischief—To a young hacker looking to establish a name for himself—or perhaps herself—on the dark web, what could be more compelling than bringing down the power grid? When the lights go out on tens of thousands of people, the effects of the hacker’s efforts are immediately apparent locally and even nationally, and that means bragging rights.
Money—Increasingly—as the Yahoo event clearly indicates—hackers have figured out that their efforts can become quite profitable by demanding ransom from large companies with a vested interest in protecting sensitive data. In the case of the energy companies, it’s not data so much as the infrastructure of the grid itself, which, if taken down, creates havoc among the energy company’s customers. And the fact that the widespread loss of power costs a lot of money is just the tip of the iceberg from the energy company’s point of view.
Mayhem—Perhaps the most dangerous motivation for an attack on the energy industry could come in the form of a strategic attack by a hostile foreign government or terrorist organization. Bringing down a large swath of the United States’ power grid would have a significant and immediate impact on national security. In addition to the confusion sown in civilian communities—possibly as a “smokescreen” for some other form of terrorist assault—massive power outages would cause security issues, particularly at the local level. Such an attack might also impact the government’s ability to communicate, disrupting command and control functions as well. It would be dangerously naïve to believe that hostile foreign powers and the “evil doers” responsible for deadly terrorist attacks have not identified this glaring and open weak spot.
Clearly, companies in the energy industry are at risk. According to a recent study by a major network provider, 73 percent of IT security executives at energy companies indicated that they had suffered a public security breach of some sort, as opposed to an average of 55 percent in other industries. It should be noted, though, that due to the critical impact on the nation’s infrastructure, energy companies are required by law to report cyber intrusions.
How Can The Energy Industry React?
Most energy companies have acknowledged the risks they face by hiring seasoned and experienced executives to oversee cyber security issues. This has also led to a close alignment between Chief Information Security Officers (CISOs) and the executives that oversee overall security operations. One primary reason for this is the natural integration of the IT function with operations as “Smart Grid” technology and the Internet of things continue to merge the traditional (and traditionally independent) silos of Information Technology and Operational Infrastructure.
The professionals in charge of security and cyber security for energy companies are well aware that they are under constant attack, and because of the strict reporting requirements that they face, it’s a matter of public record as well. The challenge, of course, is not only what to do about it, but how to execute the plan once there is one.
The challenge becomes even more critical due to the nature of the energy industry itself. Not only are there laws and restrictions that demand transparency, but any public utility must, by law, operate in a very closely managed financial environment as well. An energy company cannot simply decide to unilaterally beef up cyber security and then pass the additional costs directly on to customers. Energy executives can decide how to use existing resources, of course, but if more money is needed, they must ask for the approval of regulators before any such costs can be passed along, or if they can even be passed along at all.
For these reasons, energy company security executives must do more with less, which is one reason that they are turning to the cost-efficiency and overall effectiveness of cloud-based security solutions as well as mobile security tools. These tools and solutions are typically easily administered and highly scalable while providing a wide range of deployment options and organization-specific configurations.
All of this translates into a tremendous opportunity for growth by any managed service providers to the energy industry. Effective cyber security for the energy industry needs to be far more expansive than basic compliance with regulations. Indeed, a company that focuses merely on compliance is at tremendous risk, as exposure to constantly evolving potential attacks increases daily.
What’s needed is a dynamic, knowledgeable and creative approach to the cloud-based security systems that protect not only the energy company, but its customers as well. An MSP that can design, develop, and deploy a fully featured, multi-faceted cloud-based security solution for the energy industry will become an important and integral part of their clients’ business operations and in the process will become an even more valuable business partner as well.