Industrial device connections are expected to reach 37 billion by 2025 [1]. Such a rapid pace of digitalisation comes at a cost, as utilities risk exposure to increasingly sophisticated levels of cyber attack. In our latest white paper, Steve O’Sullivan, Enzen’s Head of Cyber Services, explains the value of taking a holistic approach to safeguarding critical national infrastructure.
The growing cybersecurity threat to utilities is a consequence of three major factors. Firstly, there is an increased number of actors targeting utilities. Examples include nation-states seeking to cause security and economic dislocation, cyber criminals who understand the economic value of the sector and 'hacktivists' out to publicly oppose utilities’ projects or agendas.
The second factor is utilities’ expansive attack surface. This is a result of their geographic and organisational complexity, including the decentralised nature of their cybersecurity leadership. Finally, the power and gas sectors’ unique interdependencies between physical and cyber infrastructure make such organisations more vulnerable to exploitation.
The nature of the risk
The cyber threats facing utilities include typical ones that plague other industries: data theft, fraud and ransomware. However, other scenarios that utilities need to be cognisant of in today’s digitalised landscape include targeted supply chain malware attacks, Internet of Things (IoT) vulnerability attacks and the infiltration of industrial IT networks.
Recent studies show 93% of all organisations with OT environments experienced hacking in the past twelve months [2]. Meanwhile, the average energy sector data breach cost has risen more than 13% since 2019 to $6.39 million – a higher cost than the global average of $3.86 million [3].
Moreover, many utilities have weakened cybersecurity for various reasons. These include inherited and immature cyber programmes that cannot meet the requirements, or meet them only partially, and a disparate and fragmented asset inventory across all sites. There may also be a disconnection between existing cyber programmes and digital, data and cloud infrastructure, plus a lack of sufficiently trained cybersecurity personnel.
Steve O'Sullivan, Head of Cyber Services, Enzen UK: "Cybersecurity is inextricably linked to all other digital and data initiatives, yet many utilities are not accustomed to thinking of themselves as digital organisations. This means they often lack the cybersecurity technologies, systems, personnel and protocols to protect modern industrial operating environments."
What you should do
There is no magic wand solution to these challenges. But there are some fundamental steps you can take to achieve stronger OT security. Potentially this could be a list of one hundred or more tasks, but it should start with building an ecosystem of protection. In other words, a structured approach that applies communication, organisational and process frameworks along with technical improvements.
Fundamentally, utilities need to recognise that they cannot do this all at once. To begin with, the priority measures are:
- focusing on critical areas first
- understanding your asset landscape and where you are blind or weak
- securing smart devices in your OT environments
- receiving regular Cyber Threat Intelligence (CTI) feeds
- training cyber teams in IoT/IIoT security frameworks such as the IoT Security Institute and the Smart Cities and Critical Infrastructure Security Professional certification.
The importance of a SmartCyber approach
Cybersecurity is inextricably linked to all other digital and data initiatives, yet many utilities are not accustomed to thinking of themselves as digital organisations. This means they often lack the cybersecurity technologies, systems, personnel and protocols to protect modern industrial operating environments.
This is where a more holistic SmartCyber approach can prove invaluable. SmartCyber is a metaphor for the fusion of smart technology-based solutions, viewed through the prism of next-generation business and societal models and their associated risks. By focusing on the needs of today and tomorrow, utilities can acquire a longer-term, more sustainable view of where to target risk reduction measures.
At Enzen, we’ve developed a SmartCyber methodology and framework that brings together established security standards into a new target model. It’s particularly suited to organisations that have OT, ICS/SCADA, IIoT and smart initiatives underway.
Underpinning a best practice SmartCyber approach are four key principles:
- starting with a holistic OT security maturity assessment and considering the broader SmartCyber (digital, data changes, cloud) elements that form part of the overall cybersecurity risk profile
- mapping key business functions, roles and asset ownership, prioritising and protecting the most critical assets and systems
- undertaking a proper risk assessment (not a risk register) and agreeing with IT teams what risks the OT function may face and how to mitigate them
- developing real, useful metrics that demonstrate improvement.
By adopting these four fundamental steps across OT, digital, data and cloud infrastructure, utilities will have quantifiable confidence they’re better protected against current and emerging cyber threats.
To discuss the issues raised in this article, contact Steve at steven.osullivan@enzen.com.
Sources
[1] Industrial IoT: Market Outlook, Technology Analysis and Key Players 2020-25, Juniper Research, November 2020.
[2] 2022 State of Operational Technology and Cybersecurity Report, Fortinet, June 2022.
[3] Cost of a Data Breach Report 2020, IBM Security and Ponemon Institute, July 2020.
About the author
Steve has more than 25 years of experience in cybersecurity, digital transformation and consulting and has an MBA from Staffordshire University. He is one of a handful of people in the UK to be accredited as a Smart Cities and Critical Infrastructure Professional (SCCISP). As well as working in leadership, strategy and operations across cyber and digital, Steven has spent more than a decade as a trainer and as a visiting lecturer at two UK universities. His specialist areas include smart cyber applied to smart cities, utility plants/critical national infrastructure, digital risk, IoT/IIoT, AI and cyber risk, threat intelligence, cyber resilience, privacy, data protection and Security Operations Centres.