Reactive Cybersecurity
Why do businesses make cybersecurity a priority only when they have been attacked? Is there enough resource allocation to handle business resilience? Do businesses even have a complete understanding of the latest security implications and their own vulnerabilities?
Most businesses understand that data is essential to improving operational performance and that data technologies provide opportunities for more-accurate risk assessment and control of safety-critical systems. Nonetheless, statistics show that the threat of unauthorized data access and cybercrime is growing—and systems or data hacking can directly affect a company’s ability to control its own safety systems. This is supported by recent reports, including the Ponemon Institute’s “Cost of Cyber Crime Study,” which reports that the number of breaches is up an average 27.4% year on year and 86% of companies around the world reported that they had experienced at least one cyber incident in 2017.
Don Crouch is driving efforts to equip the energy industry with mitigation measures to defend itself. He plays a pivotal role in Lloyd’s Register’s (LR’s) energy business in technical governance and support for cybersecurity. LR recently acquired Nettitude—a provider of cybersecurity services. Crouch said, “Operational and technology security is a key concern for our clients across all industries, as we see increasing dependencies on technology and challenges created by Industry 4.0.
“The energy mix, including renewable power generation, nuclear, and oil and gas, is diverse in terms of the pace at which data and technology are implemented. Wind and solar tend to be on the forefront of advanced connectivity and analytics, while oil and gas tends to lag in the same technology space. The IT (information technology) data-management and communications ends of business operations have been seen as a major opportunity for cyber theft and corruption. To date, this has been a focal point of cybersecurity efforts in all energy sectors. I see the next big area of cybersecurity concern in oil and gas as the rapid advancement of connecting previously isolated operational technology in the field to the massive data-management pathways. This is where cybersecurity efforts now need to be focused so that machinery and objects are protected from manipulation and potential compromise.”
Crouch explains that it is critical for the industry to reexamine and further develop those systems for the protection of the energy field. He said he supports the view that cybersecurity is still at an early stage of development across many industries and that not enough is known about the sources and frequency of attacks. Of course, responses and capabilities vary, with some companies committing resources and focus to advancing in this area. Other, usually smaller, companies lack the scale required to develop and effect solutions, so they will look to external sources.
Does Connectivity Mean Vulnerability?
The increasing digitization of the energy industries has elevated the risk associated with cyberattacks because hackers can now access data and systems from the outside. “The more you connect it, the more potentially accessible you make it,” Crouch said. “With the utilization of marketed offshore and onshore power-generation infrastructure, and the late-life extension or decommissioning of older infrastructure, this is going to become more of an issue. In the process, modern technology increases overall safety and day-to-day performance. In addition, newer infrastructure can be more connected, allowing for better on- and offshore monitoring.”
In addition to hardware-based threats, software presents a different type of risk. “Your network is tied into your vulnerable information,” Crouch said. “So, if somebody gained access through the physical elements (ports, servers, etc.), now they have access to the financial data—just by inserting a push email.”
Cross-Collaboration Is Part of the Resilience Tactic
Cybersecurity skills are vital for today’s industry. This means training or investing in specialists as well as operational teams so that actions and processes are thoroughly considered in the context of cybersecurity. LR has developed a set of procedures to help companies tackle cybersecurity issues. Crouch described these as a complete overview of the systems, equipment, and personnel on a facility—a means of evaluating which elements are most vulnerable to attacks—and then a comparison of their condition to international and regional standards.
“Most cyberthreats today gain access to operational systems via connected personal and professional computers,” Crouch said. “The most effective way for future protection of critical infrastructure is to combine efforts and resources to quickly identify common platforms for machine learning and edge computing that will remove the need for human connectivity to operational technology systems.”
Employee Awareness
The “Global State of Information Security Survey 2018” by PwC found that current employees remain the top source of security incidents. Upward of 90% of successful cyberattacks are estimated to succeed because of human error.
Kristina Drage-Arianson leads LR’s energy cyber consulting services in Norway and said she believes awareness through training is essential. “You need to really work with your people and embark on conversations with them about the threats that are out there,” she said. “More-effective employee training is a key factor in reducing the occurrence of cyberattack and the costs of dealing with breaches after they occur.”
Drage-Arianson explained that the service LR offers helps companies align their people, processes, and technology with their own company’s priorities and risks, including threat intelligence, governance, risk and compliance, security testing, training and strategy, managed security services, and incident response.
A Cyber Horizon
“Cyber risks are rising, and society’s technological advances appear to have a hand in it,” Drage-Arianson said. “We believe there will be more attacks disrupting GPS (global positioning system) and other geolocation systems to cause disruptions in the physical world, from energy-supply chains and shipping risks to consumers reliant on GPS-based products. As Bitcoin and other cryptocurrencies become more widely adopted, we expect to also see more frequent and severe ransomware campaigns.”
Crouch said he is hopeful that the development of policy and strategy being developed by the EU, the UK and the US governments on how to manage and control cybersecurity will help. “I think all of the industry regulators for each sector of industry have generated policies or directives based on information from strong participants in the cybersecurity community,” he said. “Each policy specifically addresses infrastructure concerns that are relevant to all of that region’s citizens. It will take constant effort in perpetuity to insure a company’s infrastructure stays as secure and stable as possible. While present policies are sufficient, however, the enhanced planning for long-term diligence should be the next immediate effort.”