3 Nov 2021

Editor Introduction

Many of the threats facing the energy and utility sector are related to cybersecurity, as recent incidents have confirmed. Another problem is that operating systems for utilities tend to be outdated, which presents extra challenges in a connected world. There are also physical security demands, not to mention regulatory and social issues. We asked this week’s Expert Panel Roundtable: What are the security trends in energy and utilities?

Greg Kemper Genetec, Inc.

The energy and utilities industry is transforming from what once was an analog, scale-driven, centralized model to a digital and distributed energy model. Consumer preferences, evolving regulations, and the changing threat landscape mean that security strategies need to evolve. Security professionals need solutions that can secure a growing array of assets in an expanding and dispersed geography, while managing the growing number of intrusions from sophisticated hacker groups and staying on top of stringent regulations. With a unified security solution, critical infrastructure organizations can manage access rights for employees and contractors, leverage video analytics to detect potential intruders and drones beyond the fence line, and optimize the sharing of digital evidence with internal and external auditors. They can also guide their operators through security and safety incidents as well as operational tasks to ensure that teams operate within regulatory boundaries, using interactive standard operating procedures (SOPs) designed with compliance in mind.

The low-carbon energy transition is a prominent security trend impacting the energy and utility sector. This transition itself is an uneven and complex process, which is driving uncertainty for businesses. Some risks are presented by breakthrough technologies, but risk is also due to the differing interests each government considers in their domestic energy policies; from national security and economic competitiveness to affordability and access to energy sources, to name a few. Amid this uncertainty, energy companies are also facing increasing environmental, social and governance (ESG) risks both through shareholder pressure and environmental activist groups. The recent Extinction Rebellion protests across Europe, and the court ruling against Royal Dutch Shell in the Netherlands are two examples of these risks, with activists aiming to pursue similar cases against other companies in Europe. Going forward, energy and utility companies will need to give greater consideration to how their operations can impact the environment.

Saumitra Das Blue Hexagon Inc.

Energy and utilities, being part of critical infrastructure, are heavily under attack for different reasons. Actors range from ransomware operators, state-sponsored groups to hacktivists. Focusing on the IT/OT boundary and protecting access to the operational technology (OT) networks is critical because defending against a cybercriminal once inside your OT network is much harder, and keeping all OT systems updated/patched is expensive. Also, as part of digital transformation, utilities are increasingly utilizing analytics to optimize operations and consequently moving important functions to the cloud. So, they need to invest in holistic security detection and response strategies that work on-premises and in the public cloud. Finally, ransomware continues to be a challenge, and utilities are investing beyond endpoint detection and response (EDR) and focusing on network detection and response (NDR) and correlating security findings in their security information and event management (SIEM). A proactive AI-driven approach is needed to defend against ransomware.

Critical infrastructure needs protection and control, yet we find that many utility companies still use outdated magstripe and barcode technologies. Compromised access and service interruptions pose serious threats to end users and even to national security. They incur downtime penalties and tremendous exposure to reputational risk. We see a strong desire to combine improvements in access control convenience, with contactless solutions and migrations to more secure credential technologies, for both physical and logical access. Operating companies must comply with stricter regulations, standards and audits at all levels, from cabling to hardware to digital, and increasingly engage security consultants to assess solutions and vendors. Upgrades are hampered by a complex and diverse install base with a wide range of access needs: from onsite staff to contractors, field technicians in remote areas and supervisors handling sensitive data or overseeing distribution lines. Despite this arduous challenge, foresight and prevention remain essential – act now.

People are starting to think of security beyond just computing devices; they’re finally realizing the importance of securing all connected devices they use. There is an incredible benefit to utilizing IoT technology to improve energy efficiency: you can monitor all energy usage, optimize your energy plan, and get important insight into when and where repairs or upgrades are needed. But without a holistic plan in place to secure both at the edge device and in the cloud —making sure devices are encrypted and monitoring the cloud for threats new and known—you could find your organization vulnerable. Partnering with a company that specializes in energy efficiency and has a thorough plan for security can help business owners safely save energy and costs without needing to be experts on the latest in security or energy technology. And they can focus on what they do best: running their business.

Joe Morgan Axis Communications

Cybersecurity has become increasingly top-of-mind for utility and energy companies. Following recent attacks such as SolarWinds and Colonial Pipeline, more critical infrastructure sites are investing in advanced technology and intelligent automation solutions to improve their overall security posture and detect complex threats. Beyond physical attacks, the potential for cyberattacks is heightened as more renewable energy sources are connected to the grid, increasing the number of power generation points that can be hacked. As such, investments in integrated physical and cybersecurity solutions are paramount to mitigate the end-to-end vulnerabilities that threaten the energy and utilities landscape. Emphasis must be placed not only on securing the physical operations and perimeter, but also on protecting the systems and solutions that are the foundation to safe and secure critical infrastructure sites.

This year has been a difficult one for our nation’s most critical infrastructure, from the deep freeze that paralyzed the Texas electric grid, to the ransomware attack that shutdown the Colonial Pipeline and the wildfires raging across the U.S. Western states. These risks create a landscape that is increasingly complex for security teams. Without question, the breadth and depth of threats to energy and utilities require Artificial Intelligence (AI) and machine learning (ML) to monitor and correlate to critical infrastructure. Pipelines and power lines stretch for thousands of miles. How do you monitor critical events like severe weather, hurricanes, wildfires, and man-made incidents that can affect infrastructure? The answer is AI and ML. AI/ML can scan thousands of structured and unstructured data feeds to identify critical events, determine their severity and correlate them to critical infrastructure. Using validated data sources helps reduce noise and gets information into the right hands.

Eddy Bobritsky Minerva Labs

The energy and utilities sector security trends are a combination of two different challenges. On one hand this industry is experiencing a rapid growth in deployment of digital tools that will make the industry more efficient, environmentally friendly, and customer friendly. On the other hand, in the core side of the manufacturing, most of the systems still rely on SCADA OT, which is based on legacy systems that haven’t been updated for a while. Due to these main challenges, we believe that the security trends that will lead this industry will be preventative security tools that will secure the digital assets, the networks and the connection between the companies and their clients. There will probably be a lot of investment in protecting the legacy systems, as this industry understands that most of the security tools are not built to secure legacy systems that are not supported by their manufacturers anymore.

Security trends or priorities are largely driven by the biggest threats, which can generally be categorized as physical or digital. What makes these sectors unique is the product they deliver, which is mission-critical, it must perform without incident, it’s a prime target for terrorism, must be physically protected during natural disasters, and represents a big environmental concern. It’s diverse, crossing large areas of land, requiring the support of large teams of people, each doing their job to ensure performance and safety. Therefore, physical performance is a top priority with in this sector, the challenge is, due to the physical nature of the business and lack of visibility, the data used to manage operations is historical, time consuming to compile, difficult to verify and error prone. Trying to ensure physical operating compliance with all the daily responsibilities needed to keep the people, property, and product safe is almost impossible with current methodologies.

Editor Summary

Energy and utilities are a mature market that often uses legacy systems badly in need of being updated. Cybersecurity threats have emerged dramatically in recent years, and in the utility sector, there is more at stake given its ranking in a nation’s critical infrastructure. Addressing the needs of this market will continue to present onerous challenges for the security industry for years to come.