The massive cyber-breach of the U.S. Government’s Office of Personnel Management (OPM) systems is the latest in a string of high-profile cyber-attacks in the last couple of years.
Before OPM, media coverage focused on hacks at Sony Corporation, Home Depot, Target and CareFirst. In between these notable incidents has been comparatively quiet coverage of cyber-attacks at energy firms. For example, the 2012 breach of Saudi Aramco’s network that disabled 30,000 computers and the 2014 hack of a South Korean nuclear plant operator’s computer system received much less attention. A 2014 article attributed the 2008 explosion of a Turkish pipeline to a cyber-attack, the first documented digital compromise of critical infrastructure.
According to HP Enterprise Security’s 2014 Global Report on the Cost of Cyber Crime, conducted by the Ponemon Institute, energy and utilities suffered the highest average annualized losses from cyber crimes ($13.2 million), closely followed by the finance sector ($12.97 million), dwarfing the retail and health care sectors that receive much more media coverage.
While general media coverage raises awareness of the digital threat, not all cyber-threats are equal.
2 Types of Threats
The energy sector is vulnerable to two types of cyber threats. One is to companies’ information technology (IT) systems that are used for business and administrative purposes. These are the corporate breaches we hear about most often, when networks are attacked, office computers are compromised or business information is stolen – all certainly devastating to a company and the industry.
Addressing these threats is quite well understood and advanced. Cybersecurity firms such as Symantec, FireEye, Palantir, Palo Alto Networks, Splunk and Fidelis have tools and solutions to defend and protect IT infrastructure and systems.
Defense contractors such as Lockheed Martin, General Dynamics and BAE Systems also offer extensive technologies and services for designing and managing IT cyber-solutions. Corporate Chief Information Officers (CIOs) in the U.S. government and across the industry are well aware of IT cyber security and risk management.
The second type is the threat to the operational technology (OT) such as the sensors, SCADA (supervisory control and data acquisition) systems, software and other controls that operate the pipelines, power plants, and transmission and distribution grids.
Ever since researchers in 2007 demonstrated a digital attack that destroyed a power generator, the cyber-threat to OT has worried the U.S. government. The potential for an adversary to take control of and destroy power plants, oil and gas facilities, chemical plants or water installations poses economic, social and political threats to any nation. Increasingly, there are reports of successful attacks against such critical infrastructure.
Unlike IT systems, it’s early days for solutions to protect OT. Yet, IT systems and OT systems are converging as more operations and communication systems are integrated and functionality is Internet-enabled. Government and industry are racing to secure IT systems and develop practices and technologies to address OT threats.
Protecting OT systems
Cybersecurity wasn’t a threat when most of today’s energy infrastructure was built. Hence protections were never built into the software, controllers and sensors that operate the valves, pumps and other system components. Retrofitting the existing infrastructure or designing new solutions is not trivial.
Smart grids, digital oil fields, and internet-connected services and functions introduce new complexities, vulnerabilities and access points. Cyber solutions for energy OT systems must function yet not interfere with the workings of the controllers or the energy systems, making them much more complex than those for IT systems.
The U.S. Department of Energy’s (DOE) Office of Electricity Delivery and Energy Reliability has launched an ambitious and far-reaching government-industry partnership to address the cyber security challenge to the electricity grid. According to DOE, “ensuring a resilient electric grid is particularly important since it is arguably the most complex and critical infrastructure that other sectors depend upon to deliver essential services.”
In 2011, DOE published an ambitious “Roadmap to Achieve Energy Delivery Systems Cybersecurity.” Under this plan, “by 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber-incident while sustaining critical functions.” Basically, power grids will continue to supply electricity even if attacked.
Large, Growing Market
ABI Research is widely quoted as predicting the oil and gas sector’s cyber-spending to reach $1.87 billion by 2018 as it defends its infrastructure against cyber-attacks. According to PWC’s Global State of Information Security Survey 2015, oil and gas spending for cyber security increased 14% in 2014.
In contrast, PWC found that investment by power utilities in cyber security stalled in 2014. Many of the threats identified are known IT vulnerabilities, and do not directly include the costs of OT cyber-protections. However, because IT vulnerabilities can be gateways to OT controls, these investments are critical.
The size of the cyber-market to protect OT is not yet separately determined. It is not unreasonable that it could dwarf that of the market for IT.
Every major supplier to the power sector is deeply engaged in developing and bringing cyber solutions to market. These include well known publicly-traded names, privately-held firms and non-profits.
For example, Ericsson, Schweitzer Engineering Laboratories and Grid Protection Alliance are developing secure communications solutions that will function between remote access devices and control centers. AREVA has partnered with Northrop Grumman to provide solutions to the utility sector. ABB, Emerson, Honeywell and OSIsoft participated in a DOE-sponsored program to test baseline security assessment solutions.
Solutions to integrate physical security with cybersecurity awareness are seen as critical to real-time security state monitoring. Siemens is currently developing a near-real-time solution for this purpose.
Oil and gas majors organized themselves into the LOGIIC (linking oil and gas industry to improve cybersecurity) program to facilitate cooperative R&D, testing, and evaluation procedures to improve cybersecurity in petroleum industry digital control systems. The Department of Homeland Security, BP, Chevron, Shell and Total are members of LOGIIC. Lockheed Martin is offering the oil and gas sector a full suite of cyber-solutions that takes an integrated approach to both IT and OT.
Energy firms can no longer take an isolated view of physical, IT and OT security. The convergence of IT and OT in the energy sector means the vulnerabilities and potential attack surfaces continue to increase. While the industry races to find solutions, more energy firms are buying cybersecurity insurance.
It’s unclear if these policies will cover losses such as the Turkish pipeline lost to a cyber-attack. The urgency to stay ahead of determined and increasingly sophisticated adversaries means that the global market opportunity to protect critical infrastructure against cyber-threats will continue to grow.