Four Questions You Must Ace to Ensure Sound Cybersecurity in OT Systems

Some cybersecurity experts believe hackers today pose a greater threat than ever to power plants and electric grids. Much of the operational technology (OT) used in power stations and throughout the grid was installed at a time when cybersecurity was more of an afterthought than a focal point in the system design. Furthermore, the pool of bad actors has grown increasingly large and complex, including nation states, activist groups, organized crime syndicates, malicious company insiders, thrill seekers, and a bevy of other folks with a variety of untoward motivations.

Hackers are found in all parts of the world, meaning unscrupulous activity is occurring around the clock. The troublemakers aren’t always looking to deploy cyber warfare strategies on the spot, but rather, they often want to gain access to systems so they can cause chaos when the action would be most beneficial to their cause and/or most inconvenient for the system.

People in the power sector haven’t been oblivious to the threat. A skilled group of professionals has been assembled to monitor systems and develop countermeasures to thwart possible attacks. Still, the vectors and tactics utilized by hackers are constantly evolving, which makes the task of protecting OT systems challenging.

“What worries me right now about the threat landscape overall is that I see it accelerating, in particular, in the OT or the industrial cybersecurity environment,” Ian Bramson, global head of Industrial Cybersecurity at ABS Consulting, said as a guest on The POWER Podcast. It’s not only the frequency of attacks that has changed; the kinds of attacks, what’s being targeted, how systems are being hit, the goals of the instigators, and the people responsible for the offenses have all shifted as well, he said.

Bramson believes the conflict in Ukraine has increased cyber risks. “It’s what I call a multi-player game now,” he said. As an example, he mentioned a hacker group that goes by the name “Anonymous.” Days after the war in Ukraine began, Bramson said, the group announced it had “declared war” on Russia. Anonymous is not based in Ukraine or affiliated with the country in any known way; it simply decided to take a stand against Russia in response to the country’s aggression. While that in itself doesn’t seem to pose a great threat to U.S. systems, it increases cyber activity overall and could presumably encourage pro-Russian hackers to seek revenge, taking aim at Western targets in response.

Furthermore, Bramson suggested much of the cyber activity that’s being undertaken by Russia and its supporters is politically motivated. Attacks are one way, for example, that Russia could try to fight back against sanctions enacted by European countries and the U.S. without firing missiles and starting a physical war with the West.

“All that is increasing the pace of attack. So, I think it absolutely is increasing the threat environment for anyone here,” Bramson said. “And it brings that battle—that war—into our systems, into our devices, into our operations of our power and energy plants. That’s where a lot of these conflicts are going to be playing out and that’s what we have to be on guard for.”

To ensure systems are protected adequately from cyberattacks, Bramson said leaders overseeing critical infrastructure must start by answering four basic foundational questions, which are:

  • Do I know what I need to protect?
  • Are there holes in my protection?
  • Can I detect if a bad actor is in the system?
  • If I find infiltrators, can I get them out?

Another Bramson recommendation is to team up with proper experts. “Partner up with people who know what they’re doing in the OT environment,” he said. “That domain expertise is important—people who know and live and breathe that environment can help protect it—so make sure that you get that kind of a partnership and expertise.”

To hear the full interview, which includes additional discussion on regulatory requirements and compliance issues, air-gap myths, lessons learned from past attacks, and workforce responsibilities in regard to cybersecurity, listen to The POWER Podcast.

For more power podcasts, visit The POWER Podcast archives.

Aaron Larson is POWER’s executive editor (@AaronL_Power, @POWERmagazine).
