It’s been two years since the historic Colonial Pipeline ransomware attack shut down one of the largest and most vital oil pipelines in the U.S. While this hasn’t been the nation’s only attack on power infrastructure, it’s the largest publicly disclosed and, at $4.4 million, it was also the most-costly. Since then, we’ve learned that denying access to energy services has proved highly profitable to cybercriminals, given this potential for societal devastation.
Breaches are inevitable. Energy suppliers must prioritize strengthening their cyber resilience to ensure they can deliver services continuously and keep critical operations up and running during and after a cyberattack. Embracing an “assume breach” mindset will help energy infrastructure operators prepare for an attack to proactively mitigate the damage.
Four Ways Operators Can Harden Their Cybersecurity Postures
Integrating Innovation Across Security Programs. Operators are increasingly connecting decades-old systems as they advance their digital transformation initiatives to keep pace with the convergence of information technology (IT) and operational technology (OT). But trying to secure these aging systems with the traditional air-gapped model, in which digital and physical systems are entirely separate, has proven inadequate since the early 2000s. This approach cannot defend against sophisticated malware and artificial intelligence (AI)-generated attacks.
Although power generation technologies are beginning to incorporate more smart tools, these often lack adequate integration with security systems. This essential integration allows operators to segment modern assets and prevent attackers from moving around the network, eliminating the greatest risk from a breach. This is an essential function of an “assume breach” mindset and Zero Trust security overall. The importance of being able to integrate security technology onto modern platforms is often overlooked but cannot be understated. For example, virtualized smart substation controllers often contain firewalls but don’t consider the potential impacts or resource requirements that coincide with the complexity of managing large volumes of that type of technology.
Thoroughly Assessing and Mapping Network Infrastructure. Similarly, as the world increasingly looks toward cleaner energy sources, energy providers must collect more and more data using sensors from an increasingly diverse set of end users and generation facilities to assess grid supply and demand. ExxonMobil estimates that global energy demand increased by 15% from 2021 to 2022, driven by developing nations and international growth in industrialization. As a result, we will likely see an energy tsunami where demand outpaces supply. However, this drive to make the grid more efficient and effective will also drive the need for more protection.
Historically, OT network security follows the Purdue model to assess various layers within networks separated from one another by firewalls. However, this creates challenges because each layer is a trusted network that a piece of malware can potentially spread between. This can prove risky for energy organizations leveraging many systems and applications on a single device. The key to overcoming these risks is stepping away from protecting the entire network in favor of protecting individual resources and assets separately to segment the network and prevent breaches from spreading once inside. To get started, energy suppliers need to have visibility into their network so they have a thorough understanding of what they’re working with.
Alleviating the Strain on Security Teams by Leveraging Third-Party Expertise. Don’t underestimate the impact of the talent shortage plaguing cybersecurity efforts across IT and OT. With a deficit of more than 3.4 million cybersecurity professionals globally, it should come as no surprise that some power suppliers with even the best and most up-to-date strategies and intentions are unable to put an “assume breach” mindset into action. After all, many of them lack the necessary resources and expertise to do so. This problem is amplified by rampant innovation, making it difficult for short-staffed security teams to stay up to date on the latest tools and threats amid IT/OT convergence and accelerating technology diversification within energy production.
The solution? In order for short-staffed teams to employ a Zero Trust approach to security protocols, it may be necessary to leverage third-party expertise and people power. Turning to managed service providers or leveraging vendor-aligned experts will ensure energy providers can do everything possible to account for and secure their assets. As we established earlier, an in-depth understanding of all resources is necessary to minimize the impact of an attack and downtime in the event of a breach.
Segmenting Network Assets from a Diverse Range of Threats. IT and OT networks are becoming increasingly intertwined, and much of the nation’s energy network’s physical structures reside in open and remote locations. An energy supplier in the Midwest with an oil pipeline in a low-population area is at risk if someone can remain undetected while accessing a piece of equipment. After all, what would stop that person from breaking it open, connecting to it, and entering the network externally?
This is another area where Zero Trust is important. Prioritizing separating certain parts of the infrastructure minimizes risks and simplifies mitigation efforts. Understanding the state of the aforementioned device, ascertaining its state, trust level, connections, and potential impact through wireless connections protects larger smart grids. In this way, energy providers can thwart external threats by stopping them from spreading beyond their initial environment.
‘Assume Breach’ Is the Future, Not Buzz
IBM’s 2022 Cost of a Data Breach Report found that breaches at organizations without an incident response plan saw an average breach cost of more than $2.6 million (or 58%) more than those who did. Clearly the days of simple breach prevention are a thing of the past. Energy suppliers must prioritize implementing an “assume breach” mindset if they want to reliably protect their assets moving forward. The question is not if a breach will occur, but when.
While in many security circles, the phrase “Zero Trust” may be seen as hype or buzzy industry jargon, the fact remains that the need to segment networks and prepare for breaches is the reality, given increasingly sophisticated cyber threats and rapidly expanding attack surfaces. Power generators and suppliers can leverage an “assume breach” mindset to secure their networks by integrating innovation, mapping networks, segmenting assets, and leveraging third-party experts. The power industry must recognize this truth: cybersecurity is about surviving breaches rather than stopping them from happening.
—Trevor Dearing is director of Critical Infrastructure Solutions at Illumio.