Dec 20 2019

Why Penetration Testing Is Vital for Energy and Utility Companies

This tactic provides a number of valuable use cases for the energy sector.

Security is a critical concern for energy and utility sectors for obvious reasons. As the operators of a key element of critical infrastructure, these companies represent an attractive target to cyber adversaries. In fact, every year, the energy industry experiences 66 million security events.

To combat these threats, energy and utility companies must invest in multilayered cybersecurity environments. Along with implementing tools that detect and ward off attacks from malicious actors, it’s important for organizations to conduct ongoing assessments and evaluations to better understand the effectiveness of their efforts and identify any remaining vulnerabilities.

Penetration testing (or pen testing), for example, can help companies to uncover their security weaknesses before attackers have a chance to exploit them. In a penetration test, white hat hackers use the same tools and techniques deployed by cybercriminals against an enterprise network, and then use the information discovered during testing to help the targeted organization improve its security posture.

The Unique Security Demands of the Energy Sector

While energy and utility companies face many of the same cybersecurity challenges as organizations in other sectors, they also have their own unique set of hurdles to overcome and high-value assets to protect. The rise of Internet of Things (IoT) solutions is affecting nearly all industries, but the prominence of industrial control systems such as supervisory control and data acquisition (SCADA) networks makes the protection of connected equipment particularly important for energy and utility companies. Because of these considerations, it’s important for organizations in this sector to deploy pen testing techniques developed specifically for their environments.

As the U.S. Energy Department’s National Electric Sector Cybersecurity Organization Resource (NESCOR) recommends, “Penetration testing should be performed on a periodic basis depending on the criticality of the targeted system.” Tests should be conducted at least annually and also should take place following any major upgrades or changes to systems. The testing can target a number of control systems collectively or focus on a single system specifically.

How to Prepare for a Penetration Test

Pen testing in an environment with high-value, connected physical assets requires extensive planning. Energy and utility companies preparing for pen testing should ask themselves a number of questions: What are the goals of pen testing? What are the top threats to the environment? Which key players should be involved, and how should testing activities be communicated throughout the organization? For energy and utility companies, safety is always a top priority.

As the various tasks of the pen test are completed, testers should document each vulnerability they uncover; common issues include unmanaged devices that are nonsecure and systems that rely on inappropriate trust relationships. Once all of the tasks are completed, the testing team should review all of the vulnerabilities discovered. In some cases, multiple minor vulnerabilities may create an avenue for an attacker to escalate their efforts and exploit a higher-risk vulnerability.

Many organizations lack the necessary skills to conduct an effective pen test, so they engage a third party. This not only provides a comprehensive assessment of the company’s systems but ensures an unbiased look as well. The testers deliver a final report that prioritizes the more serious vulnerabilities uncovered and lays out a plan for mitigating them. Many companies that employ an outside team of testers find that their internal cybersecurity teams leave the engagement with improved skills learned from the third-party experts.
