The Unique Security Demands of the Energy Sector
While energy and utility companies face many of the same cybersecurity challenges as organizations in other sectors, they also have their own unique set of hurdles to overcome and high-value assets to protect. The rise of Internet of Things (IoT) solutions is affecting nearly all industries, but the prominence of industrial control systems such as supervisory control and data acquisition (SCADA) networks makes the protection of connected equipment particularly important for energy and utility companies. Because of these considerations, it’s important for organizations in this sector to deploy pen testing techniques developed specifically for their environments.
As the U.S. Energy Department’s National Electric Sector Cybersecurity Organization Resource (NESCOR) recommends, “Penetration testing should be performed on a periodic basis depending on the criticality of the targeted system.” Tests should be conducted at least annually and also should take place following any major upgrades or changes to systems. The testing can target a number of control systems collectively or focus on a single system specifically.
How to Prepare for a Penetration Test
Pen testing in an environment with high-value, connected physical assets requires extensive planning. Energy and utility companies preparing for pen testing should ask themselves a number of questions: What are the goals of pen testing? What are the top threats to the environment? Which key players should be involved, and how should testing activities should be communicated throughout the organization? For energy and utility companies, safety is always a top priority.
As the various tasks of the pen test are completed, testers should document each vulnerability they uncover; common issues include unmanaged devices that are nonsecure and systems that rely on inappropriate trust relationships. Once all of the tasks are completed, the testing team should review all of the vulnerabilities discovered. In some cases, multiple minor vulnerabilities may create an avenue for an attacker to escalate their efforts and exploit a higher-risk vulnerability.
Many organizations lack the necessary skills to conduct an effective pen test, so they engage a third party. This not only provides a comprehensive assessment of the company’s systems but ensures an unbiased look as well. The testers deliver a final report that prioritizes the more serious vulnerabilities uncovered and lays out a plan for mitigating them. Many companies that employ an outside team of testers find that their internal cybersecurity teams leave the engagement with improved skills learned from the third-party experts.