Companies in the energy and utility industries face a daunting challenge: The security threats posed by hackers, rival companies, foreign governments, terrorists and others continue to grow in both number and sophistication.
Meanwhile, the consequences for a security breach in these sectors can be catastrophic. In addition to protecting their intellectual property and customer data, these companies must also rely on their cyberdefenses to protect vast swaths of critical infrastructure.
This is a burden that is unique to the energy and utility sectors, and it is a weighty one. Managers at many organizations may know that they need to improve their cybersecurity efforts, but they may not be certain where to start.
Typically, the first step is to assess an organization’s current cyberassets and vulnerabilities through threat checks, penetration testing or other forms of risk assessment. In a threat check, IT administrators or outside consultants monitor the network to see whether it has already been compromised by malware or other types of attacks. Penetration testing is a more involved process, during which cybersecurity professionals assess an organization’s vulnerabilities by attacking them directly with penetration attempts. Essentially, they act as hackers in order to see what sort of access determined attackers might be able to gain on a network, and what sort of damage they might be able to cause.
Once stakeholders within an enterprise understand their current vulnerabilities, they can implement the elements of an effective security environment and draft a plan for what to do before, during and after a cyberattack.
The elements of an effective security environment include:
Physical security: Most energy companies have no shortage of fences, cameras and motion detectors to protect their far-flung physical assets. But it is worth mentioning these security measures within the context of cybersecurity, as well. In 2014, unknown attackers cut through major telecommunications cables and shot up transformers at a PG&E electrical substation outside of San Jose, Calif. The attack caused power to be briefly rerouted from the facility, and some media reports described the event as an attempted assault on the nation’s power grid.
Perimeter security: Measures to defend the network perimeter include traditional firewalls and next-generation firewalls, unified threat management and intrusion prevention and detection. None of these tools is foolproof, and some security experts have compared firewalls to “hand washing” — a simple hygienic practice that can greatly reduce the risk of infection but cannot possibly catch every single threat. Intrusion prevention and detection tools create another layer of perimeter security, warding off attacks and alerting IT managers when the network has been breached. Unified threat management solutions typically incorporate these and other tools.
Authentication: Many security experts have arrived at the conclusion that a password alone is not a sufficient authentication measure for granting access to sensitive systems and data. More and more, two-factor authentication (using some combination of passwords, key cards, biometrics or other authentication factors) is becoming standard practice, especially for executives. However, authentication is a complicated issue for energy companies, because workers need to be able to quickly shut down certain equipment during emergencies, without going through a time-consuming multifactor authentication process.
Device and endpoint security: Individual machines must be protected with encryption, anti-virus and anti-malware software, as well as other security measures. The increasing presence of mobile devices on corporate networks — especially employee-owned devices brought into the enterprise through bring-your-own-device programs — makes endpoint security especially important, as organizations must ensure that no sensitive data lives on these devices.
Monitoring: Data logging, packet inspection and network traffic monitoring can all help organizations detect anomalous activity that could indicate an intrusion. For these monitoring activities to be effective, though, IT administrators must have a firm grasp of what normal network traffic should look like. This can be achieved by taking baseline “snapshots” of network traffic at times when there are no intrusions. To be confident in this baseline, organizations must first meticulously scan their networks for malware and purge the malicious programs from their networks. Otherwise, the traffic generated by these programs could be mistaken for healthy baseline traffic, leading to future malware going undetected. An effective security strategy should include an action plan for before, during and after an attack.
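An added illustration of the baseline caveat above (example code, not from the white paper): a baseline profile is built from flow records, later traffic is compared against it, and the same comparison is run with a baseline captured while one host was already infected. All flow records, hosts and addresses are constructed for the example.

```python
# Constructed flow records (src, dst, dst_port, bytes) standing in for
# NetFlow or packet-capture summaries; illustrative values, not real data.
CLEAN_BASELINE = [
    ("10.0.1.5", "10.0.2.10", 502, 1200),   # HMI polling a PLC over Modbus/TCP
    ("10.0.1.5", "10.0.2.11", 502, 1180),
    ("10.0.1.5", "10.0.2.10", 502, 1210),
    ("10.0.1.7", "10.0.0.53", 53, 90),      # workstation DNS lookups
    ("10.0.1.7", "10.0.0.53", 53, 85),
    ("10.0.1.9", "10.0.0.80", 443, 4000),   # workstation to internal web portal
]
# Same network, but the snapshot was taken while 10.0.1.9 was already
# infected, so its periodic beacon gets baked into "normal".
BEACON = ("10.0.1.9", "203.0.113.7", 443, 600)
CONTAMINATED_BASELINE = CLEAN_BASELINE + [BEACON] * 4
# Traffic observed later: the beacon plus one unusually large PLC exchange.
OBSERVED = CLEAN_BASELINE + [BEACON, ("10.0.1.5", "10.0.2.10", 502, 9000)]


def build_baseline(flows):
    """Snapshot of normal traffic: every (src, dst, port) tuple seen, mapped
    to the largest byte count observed for that tuple."""
    profile = {}
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        profile[key] = max(profile.get(key, 0), nbytes)
    return profile


def detect_anomalies(baseline, flows, byte_factor=3.0):
    """Flag flows absent from the baseline, or larger than byte_factor times
    the biggest baseline volume for that tuple. Returns (reason, flow) pairs."""
    findings = []
    for flow in flows:
        src, dst, port, nbytes = flow
        key = (src, dst, port)
        if key not in baseline:
            findings.append(("unknown flow", flow))
        elif nbytes > byte_factor * baseline[key]:
            findings.append(("volume spike", flow))
    return findings


if __name__ == "__main__":
    for name, base in (("clean", CLEAN_BASELINE), ("contaminated", CONTAMINATED_BASELINE)):
        for reason, flow in detect_anomalies(build_baseline(base), OBSERVED):
            print(f"[{name} baseline] {reason}: {flow}")
```

Against the clean baseline the beacon surfaces as an unknown flow; against the contaminated baseline it is silently accepted, and only the volume spike remains visible.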
For details on designing an action plan that keeps corporate data secure, read the white paper “Protecting IT Resources in Oil, Gas and Utilities.”