The energy industry must work together to restore trust in the digital age.
When Hurricane Harvey hit, Houston knew what to do. Emergency response plans went immediately into effect to save lives and jump-start a long recovery.
But as energy leaders convene here in the world’s energy capital for CERAWeek, we need to ask ourselves a tough question: Do we have a plan for when we get hit with cyberattacks?
Not if … when. Cyberattacks against the power and oil and gas industries are now as inevitable as hurricanes. And now that cyber warfare has evolved beyond merely infecting computer systems, attacks also are as capable of damaging the physical world.
Cyber criminals are focused on exploiting newly digitalized networks and internet-of-things connected equipment in order to reach critical infrastructure. They want to harm our businesses and ultimately harm the public by disrupting essential public services, from electricity to gas and water.
Furthermore, we believe that both large and small attacks—already a round-the-clock reality—are eroding confidence in the digital solutions that will help energy companies drive competitiveness and better serve customers.
A recent study of the oil and gas industry conducted by the Ponemon Institute found that 68% of respondents reported at least one security compromise in the past year, with 30% of all attacks targeting operational technology. The U.S. Department of Energy also reported last year that America’s electricity infrastructure was in “imminent danger” from cyber attacks that are “growing more frequent and sophisticated.”
No one company or organization can take on this threat by themselves. We believe we need to come together now around a proactive approach rooted in shared responsibility. Attacks are now happening all the time. Every organization will get hacked – and managing these hacks is now standard operating procedure for the digital age. As we focus on prevention, we must also invest in increasing resiliency within our operating technology: emerging digital technologies need to be natively secured to prevent the contagion we’ve seen in recent large-scale hacks. We also must develop response plans to successful hacks that minimize damage.
These are among the goals of a new Charter of Trust our companies have joined. It’s a global alliance aimed at securing everything from power grids and oil rigs to factories and transportation systems in the digital age. And as a first step, it lays out a number of principles that we think are particularly relevant to the energy industry.
First, ownership for cybersecurity should be reflected organizationally at the highest levels of every company. The title of CIO, or chief information officer, is now easily recognized. As we go forward, CISO, or chief information security officer, should be as ubiquitous. That said, security is still everyone’s task. The walls separating informational technology (IT) from operational technology (OT) must now collapse in order to meet the challenge.
Second, we need to tap into the best thought leadership out there—and there’s no question that you’ll find it in both the public and private sectors. Deepening a joint understanding between businesses and governments will help crystallize the most effective cybersecurity requirements and advance a culture that continuously innovates and adapts to new threats.
Third, we need to address a major cybersecurity skills gap. According to research group Cybersecurity Ventures, the worldwide deficit of qualified cybersecurity professionals will reach 3.5 million by 2021. It’s not just a shortage of cyber security degrees either. We need to expand the discipline to incorporate new knowledge and competencies, particularly in the new field of industrial cyber.
A new commitment to training within schools and companies can develop the talent we need, and it is critical that we do. Because when organizations lack cybersecurity expertise, they lack the ability to institute secure-by-design practices along with the resolve and capability to address vulnerabilities. Instead of fixing problems, they sometimes simply wall themselves off from the benefits of connectivity in the digital age.
Fourth, we need to increase transparency. It’s impossible to address a problem if you don’t know it exists. Every enterprise should be exploiting available monitoring tools to identify weaknesses and to rapidly detect risks or security breaches. The next step for transparency, though, is what we hope to achieve through the Charter of Trust. That’s the willingness to share insights in real time to serve an even larger goal: developing a common strategy and set of blueprints for securing our industry.
We believe the level of cyber threat demands our immediate attention, and we urge more companies to join the Charter of Trust. More shared knowledge can only lead to more security. And more security can only ensure—as we’ve seen so far—that the rewards of digital reinvention far outweigh the risks.
Leo Simonovich is vice president and global head, Industrial Cyber and Digital Security at Siemens Energy. Scott Goodhart is vice president and chief information security officer at The AES Corporation. Yuri Rassega is chief information security officer at ENEL.