Cybersecurity attacks can strike where you least expect them. Would you expect the energy sector to be a target? The U.S. Office of Cybersecurity, Energy Security, and Emergency Response (CESER) states, “In today’s highly interconnected world, reliable energy delivery requires cyber-resilient energy delivery systems. In fact, the nation’s security, economic prosperity, and the well-being our citizens depends on reliable energy infrastructure.” The energy sector literally powers any city; it is the most critical infrastructure that we can protect and support.
The Need for Effective Cybersecurity Strategies
As cities depend on energy and as energy sources become more reliant on technology and data, more vulnerabilities appear. The U.S. hasn’t seen a widespread power outage from a cyberattack yet, but that doesn’t mean these types of attacks haven’t been attempted. The threat of state-sponsored hacks and attacks on U.S. energy sources is becoming more real every day. In 2016, an anonymous water treatment plant was hacked through phishing and SQL injection, leading to chemical changes in tap water. In 2018, the DHS linked Russia to the ongoing hacking of U.S. power suppliers and publicly spoke about the cyberattacks to warn and prepare other energy suppliers.
At a federal level, effective cybersecurity strategies within the energy sector is a high priority mission with many people behind the fight. The CESER, the Department of Energy (DOE), the Department of Homeland Security (DHS), the Cybersecurity Risk Information Sharing Program (CRISP), the Executive Branch, and so many others are developing and implementing cybersecurity strategies to support reliable energy delivery.
Key Cybersecurity Challenges in the Energy Sector
Appendix I of the DOE Cybersecurity Strategy says that cybersecurity preparedness, incident response and recovery, and a lack of resilient systems are the main cybersecurity challenges facing the energy sector. These challenges fall in line with the President’s agenda to implement modern information technology, create data, accountability, and transparency initiatives within the energy sector, and build a workforce that’s agile enough for the 21st century.
1. Cybersecurity Preparedness
Preparedness requires proactive efforts, which many organizations in the energy sector can struggle with. How do you prepare for evolving, complex cyber threats while the attack surface continuously grows? Who has the expertise to perform an effective, formal risk assessment? How do you exchange data while also meeting security and privacy requirements of that data? How do you effectively and widely exchange the data you’ve collected?
2. Incident Response and Recovery
Organizations across all industries struggle with incident response and recovery. Because energy sources cross over so many geographic areas and involve so much personnel, it makes response and recovery incredibly difficult. Policies and procedures must be effective, yet flexible enough to adapt to the ever-changing threat landscape. Not only is performing incident response and recovery activities difficult, but proactively testing them to ensure they will work is also difficult when you’re dealing with widespread energy sources.
3. Resilient Systems
Energy sources require technology, but this can range from legacy systems to devices provided by third parties to the supply chain. Any piece of technology use in energy delivery must be secure and adapt enough for future technology. To manage and defend this technology, we need a talented cybersecurity workforce. The lack of cybersecurity professionals today creates a real challenge for a sector as important as energy.
Goals of Cybersecurity Strategies in the Energy Sector
The DOE Cybersecurity Strategy follows the guidance of 34 documents, where you’ll see some familiar frameworks and concepts. FISMA, NIST Framework for Improving Critical Infrastructure, and NIST Risk Management Framework play roles in the guidance, as well as DHS strategies, Executive Orders, DOE strategies on sustainable energy delivery, and more. Although the energy sector faces many cybersecurity challenges, the goals of cybersecurity strategies remains the same for all providers of energy delivery:
- Deliver high-quality, reliable services
- Continually improve your cybersecurity posture
- Take action to put a focus on your consumers
- Use taxpayer dollars effectively
As a provider of energy sources, your organization must accept the responsibility of implementing effective cybersecurity strategies. By doing so, you will protect your city, consumers, and business partners. Is your organization in the energy sector looking to improve your cybersecurity posture? Are you meeting the security, privacy, and cybersecurity obligations expected of you? Contact us today to ensure you can deliver secure and reliable energy services.