Digital transformation is on the rise within the energy sector. Smart grids, smart devices and the Industrial Internet of Things (IIoT) make the energy sector a highly attractive target for cyber-attacks aimed at disrupting operations. At the same time, proprietary legacy technologies plague the energy sector.
While cyber and physical security has already converged, there is a rapid move towards convergence of IT and Operational Technology (OT). Unfortunately, this has resulted in a larger cyber threat footprint and an increase in the vulnerability of critical assets to cyber-attacks.
"Nine in 10 critical infrastructure providers have experienced cyber-attacks that have rendered their systems out of action in the last two years."
Tenable’s Ponemon Institute Survey 2019
The energy sector plays a critical role in the functioning of the modern economy. The consequences of a cyber-attack on this sector could be catastrophic, resulting in disruption of electricity to businesses, industry and community; economic and financial consequences; loss of license; reputational damage; or even loss of life. Managing cyber risk in an interconnected electricity market is critical.
The risk is real
While cyber criminals are looking for financial gains, rogue nation-states are a significant threat to national security, targeting the energy sector and other critical infrastructure for political gain.
“The rate of growth of cyber threats has been exponential — a seven-fold increase in the last two years.”
Kumar Parakala, Global Digital Leader, GHD Digital
The cyber-attack, allegedly by Russian actors, on Ukraine’s power grid in 2015 disrupted supply to more than 230,000 consumers. The petya and wannaCry ransomware attacks in 2017 cost AUD4-8 Billion in damages and loss of operations to large energy, transport, manufacturing and health organisations. Closer to home, the recent breach on the Australian Parliament electoral system by “sophisticated state actors” triggered a special task force to strengthen infrastructure against future attacks.
Governments are concerned
There is no doubt that governments around the globe are concerned about national security. The US federal government has already pledged more than USD11 billion towards improvement to national cybersecurity and security around IIoT.
“The sheer scale and rising likelihood of major cyber-attacks made them the most pressing threat a country like Australia faces. Should a successful, major cyber-attack occur, it can cripple a society.”
Departing head of Australian Cyber Security Centre, Alistair MacGibbon
Buck stops with the board
While governments are starting to invest and facilitate improvements to cybersecurity; CEO’s and Boards of critical infrastructure providers, need to do more and stay ahead of the regulatory requirements. If not, they risk losing trust with their customers, business, industry and government with grave consequences to national security and citizens.
So, what next?
In an environment of both physical and digital connectivity, there will always be vulnerabilities. Mitigating evolving threats and being resilient to breaches are paramount for critical infrastructure protection.
Five areas to consider when managing cyber risk:
- CEO and board ownership:
Leadership buy-in is critical. Cybersecurity must be considered as one of the top risks faced by boards. Governance awareness of cybersecurity risks needs to be driven across the organisation by the board. - Industry and government collaboration: Adopting a common risk framework and sharing of threat intelligence is key to preparing resilience plans.
- Understand your assets: Undertake a comprehensive asset and vulnerability discovery exercise. If you don’t know what assets you have, you will not know what and how to protect them.
- Establish a cyber risk strategy: Adding technologies to secure your environment does not lead to improved security. Assess baseline people, processes, technology, third party risk and physical security to develop a pragmatic risk program. This program must be sponsored by the CEO.
- Security by design: Embed security upfront in all projects. Select technologies that have security built-in rather than offered as a bolt-on down the track.
Where organisations do not have internal skillsets, it is essential to leverage external security experts, ideally those who have a combination of critical infrastructure operations, design and OT cyber risk experience.
GHD Digital can help
With over 90 years of technical expertise in building and protecting infrastructure at a national and global level, GHD Digital has the cybersecurity and SCADA/OT expertise to help solve clients’ problems strategically. We bring clients an ecosystem of specialised technology partners to help protect critical infrastructure by embedding security by design upfront. Our bespoke strategies asses, protect and manage cyber risks for your business.
Meet Sunil
Sunil Sharma, Digital Risk and Cybersecurity Practice Lead assists organisations to set up comprehensive digital risk strategies and execute the successful roll-out of risk controls. With over 25 years of experience in Digital Risk and Security and ITC fields of practice, Sunil has led several consulting engagements across energy, resources, financial and retail.
For more information please visit www.ghd.com/digital or contact Sunil at Sunil.Sharma@ghd.com