Oil, gas and utility companies have historically paid less attention to cybersecurity and IT than to physical security and operational technology, but there is a growing awareness within the sector that this imbalance is unsustainable. Cyberattacks on critical infrastructure have shown how vulnerable physical equipment and systems are and how much damage a successful attack can cause.
With valuable assets including customer data, intellectual property and networked heavy machinery, energy companies are prime targets for cyberattackers. As these threats grow both in sophistication and in number, leaders at many energy companies are understandably turning a more focused eye toward shoring up their own networks and systems. However, many organizations find themselves playing catch-up, a situation exacerbated by a shortage of experienced cybersecurity professionals who have the industry-specific knowledge needed to protect industrial systems from attack.
To effectively combat cyberthreats, energy companies must first assess their vulnerabilities and then implement a comprehensive cybersecurity strategy. This will, of course, involve the introduction of sophisticated new technical solutions into the IT and operating environment. But any good plan must also establish effective policies and procedures to ensure that these solutions perform as designed.
The many moving parts of a supervisory control and data acquisition (SCADA) network can make managing security a daunting task. Energy and security experts offer these tips:
Monitor for abnormalities: Raj Samani, chief technology officer for Europe, the Middle East and Africa at Intel Security, says, exaggerating, that protecting entire SCADA systems is easier than safeguarding his daughter’s iPad, because security administrators can expect to see a very specific type of activity on them. “They shouldn’t be running iTunes on them, hypothetically,” he says. “Creating a baseline for what should and shouldn’t run on them should be achievable.”
Protect against internal threats: If a company does experience a SCADA breach, the most likely culprit is not an outside group, but a disgruntled current or former employee, says Tim Haïdar, editor in chief of Oil and Gas IQ. This means companies must studiously track who has access to different systems and revoke credentials when users no longer need them. “The most important thing about any company is its people,” Haïdar says. “They’re also the biggest threat to any company. Keep on changing the locks.”
Plan for the worst: No security system is foolproof, and companies need to develop and test cyberincident plans in the same way that they test their business continuity plans, says Jim Guinn, global leader for cybersecurity practice in energy, mining, chemicals and utilities at Accenture. “This is not a one-and-done activity,” he says. “The plan must be exercised annually, because threat vectors and attack surfaces change as technology evolves.”
To learn how energy companies can prepare for and respond to cyberattacks, read the white paper “Protecting IT Resources in Oil, Gas and Utilities.”