Energy companies are at risk from cyber attacks, says Atif Kureishy, Booz Allen Hamilton
Is cyber security a growing concern for utilities worldwide and if so why?
Absolutely. Over the last few years we have seen the growing threat of cyber security attacks affect almost all industrial sectors, but the energy and oil and gas industries have been particularly targeted.
While the advances in industrial automation and control systems together with the integration between the factory floor and corporate systems have optimised processes and decreased operating costs, these developments have also opened up critical infrastructure to new vulnerabilities. The sophistication of advanced, persistent threats cannot be underestimated. Often, compromised systems can go undetected for up to two years or more.
What particular threats do utilities in the Middle East face?
The security threat is a global challenge meaning utilities in the Middle East face much the same threat as utility companies in the rest of the world, although social and political factors here may have an effect of increased state terrorism and hacktivism. What’s clear is that the impacts from an attack in this region are broad, from web defacements and production outages to damage to human life and the environment. Furthermore, the region’s desire for smart services, smart cities and smart grids will also increase the threat of cyber attacks.
Does the shift from centralised to more distributed power raise or diminish these concerns?
The deployment of renewable sources of energy goes hand in hand with the development of smart grids, which will change the way utilities operate altogether. Smart grids will offer greater resilience and distribution efficiency as well as creating ‘prosumers’ – or energy consumers that feed excess power back into the grid. This evolution in power distribution will rely heavily on information technology at every level of the smart grid infrastructure, from generation to transmission and distribution.
This means that industrial cyber security measures must be considered in all of these areas, and not only at the level of the advanced metering infrastructure (AMI) on the consumer side where cyber threats are typically detected. This is in turn compounded by the anticipated impact from smart home devices and the Internet of Things, all of which means the cyber security of energy infrastructure is paramount and requires management at every level.
How has the cyber security industry responded to this growing threat?
The response has been relatively slow. That said, in recent months many global cyber security companies have introduced industrial cyber security to their portfolio of services. Similarly, other companies more related to industrial sectors such as industrial vendors and EPC companies have started to hire specialists in industrial cyber security in order to provide a competitive advantage.
What is critical is to look at the solutions required by the automation system owner rather than the solutions marketed by the automation vendor. Such an approach would effectively avoid eventual incompatibility conflicts between vendor specific solutions. This process requires the services of an industrial cyber security advisor consultancy to build integrated cyber security infrastructures that can be operated throughout the plant’s typical operational lifetime.
What do companies need to do to safeguard against these threats?
Take action. Cyber security is a discussion that should be happening at board level and every corporate role should involve an element of security responsibility. As mentioned, seek the services of a trusted and reputed cyber consultant who can help build, operate and transfer security expertise to a local workforce. What’s key, is to address the issue holistically. Technology, people, processes and governance all have a role to play.