What also unites these sectors (power, oil and gas, and renewables) is that they are critical infrastructure. 24-hour availability is paramount, and any disruption will affect people’s daily lives.
As they struggled to protect physical assets from harm from tangible sources, organizations failed to realize how quickly their industries had moved into an era where disruption, whether physical or digital, could also be caused through cyber means.
This is where it gets complicated. What is intangible is hard to grasp, and threat actors want to capitalize on that. What is more worrying is that attacks have now reached physical assets (Industrial Control Systems/SCADA).
On April 13, 2022, in the US, a joint advisory was published by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) that brought to light a new set of APT cyber tools, known as PIPEDREAM/INCONTROLLER, which can exploit vulnerabilities in a wide range of ICS/SCADA devices and can help perpetrators take full control of systems. The advisory urges immediate action to enforce multi-factor authentication, strong (frequently changed) unique passwords, and ongoing monitoring of the OT environment. The notice has a strong focus on energy companies.
In a later development, the US DOE announced funding of USD 12 million for research projects at six different universities, aimed at developing power supply systems that are cyber-resistant by design.
Meanwhile, what is happening in the energy sector in India?
Positives first: In 2021, the Indian government launched cybersecurity guidelines for the electricity sector. The guidelines require the CISO to report abnormal occurrences caused by sabotage of critical systems within 24 hours of the occurrence, and require a cyber incident response and crisis management plan. They also mandate standards such as IEC 62443 and a quarterly review of cybersecurity issues by the board, among many other requirements.
Further, in April 2022, amid a report highlighting state-sponsored attacks on the Indian power grid, the Union minister clarified that such probing attempts had been blocked because cyber defences had been strengthened.
However, the global environment is changing rapidly, especially with various geopolitical tensions. Recently, the US charged certain state-sponsored hackers for allegedly targeting the energy sector (oil and gas plants, nuclear power plants, power and utilities) in the US and 135 countries and planting malware that can cause further damage, including malware installed in the security system of an oil refinery.
Address OT security
To reach the next level of agility, efficiency and growth in these sectors, digital transformation is essential. Without transformation, there is the fear of becoming obsolete. With transformation, there is the fear of unknown threats. How should organizations respond to this dilemma, especially when it comes to operational technology?
In our latest thought article, ‘Reimagine OT cybersecurity strategy’, we talked about why OT cybersecurity requires reinvention amidst an ever-changing digital and threat landscape, and how businesses must deal with that change.
The threat is rapidly shifting from causing downtime or demanding ransom to targeting systems with the malicious intent of causing physical damage and financial loss. As a first step, it is important to realize the urgency of re-evaluating the OT security strategy.
Increasing digital transformation and IT-OT convergence also allow malware to move laterally into the OT network, in the absence of proper network segmentation and controls. Does that mean OT systems that have air gaps are safe? There have also been cases of malware being accidentally introduced by a third party into an air-gapped OT system.
One of the biggest challenges with OT systems is the use of legacy software, which can be easily exploited. To top it off, upgrading these systems is also challenging and cumbersome.
While legacy systems need to be upgraded or phased out, some things organizations can immediately prioritize for OT cybersecurity include a comprehensive risk assessment, a complete asset inventory, network segmentation, secure remote access, backup of OT and IT data, and monitoring for security incidents and threats.
It is important for organizations with OT systems to establish frameworks and controls as prescribed by standards such as IEC 62443 (Cyber Security for Industrial Control Systems). It is also important to have a cyber resilience and crisis management plan in place that is regularly reviewed and tested. At the heart of an OT security strategy is the awareness and education of people (both within the organization and in the partner network). State-sponsored groups rely on targeted phishing attacks and watering-hole techniques (in which websites frequently visited by the target are infected). Cyber awareness is extremely important here. Any digital initiative or third-party collaboration must keep cybersecurity at its core.
On a broader level, the greatest need of the moment is collaboration and the sharing of threat intelligence. In today’s digital world, which makes sovereign borders porous, the cyber resilience of the energy sector is a matter of national security and protection. Even as organizations put security controls, processes and governance in place, only through a concerted effort among stakeholders can we better respond, stay resilient, and stay ahead of attackers.
I believe that the energy sector will be shaped by Industry 4.0 and frontier technologies, and the cyber threats and risks that operational technologies are exposed to in this process must be well assessed and addressed, so that they do not become an impediment to that growth.
[This piece was authored exclusively for the ETEnergyworld by Mr. Santosh Jinugu, Executive Director, Deloitte India. Views expressed are personal]