In the final article of Information Age’s three part series on cyber security in the energy sector, we look at how energy companies can best roll out a cyber security strategy, and the importance of doing so in the retention of customers.
This series has taken an extensive look – with the help of Scott King, Senior Director, Security Advisory Services for Rapid7, Andrew Tsonchev, Director of Technology for Darktrace Industrial and Martin Sloan, Group Head of Security at Drax – at how the energy sector should combat the growing threats posed by cyber attacks and the importance of doing so.
In the first of this three part series on cyber security in the energy sector, we looked at the dangers posed by an increasing number of attacks on critical infrastructure in recent years. The repercussions are significant, and potentially catastrophic to both business and society.
Part 1 established that as the energy sector becomes more digitised, the need to evolve cyber security practice becomes more of a priority. The experts maintained that cyber security has improved, although – as with any industry – there is room for improvement. It also became clear that new technologies, such as artificial intelligence, could be introduced to help improve cyber security in the energy sector.
>Read more on Cyber security best practice
The second part of this series looked at what cyber security solutions and best practices are most effective in protecting the industry, with case studies from Drax and Darktrace Industrial surrounding the integration of artificial intelligence.
It was also noted that the leadership of a CTO is a crucial in an effective cyber security strategy. It will differ depending on the company, its size and culture, but generally speaking the CTO should lead a team with a CISO, CSO or equivalent.
Opportunity leads to threats
The increased convergence between IT and operational technology systems provides transformational opportunities for industrial organisations.
In the energy sector, “digitisation, increased connectivity and IoT devices can cut costs, increase efficiency and improve quality of service,” explains Sloan. “However, as IT and OT systems become intertwined and digital connectivity spreads, networks also become larger and more exposed to cyber threat.”
>Read more on Cyber security training
“Understandably, many in the industry are wary of these innovations. Managing critical services requires a calculated approach to risk. Organisations that benefit from the enhanced security and visibility of AI for cyber defence are able to embrace new technologies, whilst keeping their infrastructure and customer data safe.”
Rolling out a cyber security strategy
Energy and utility companies know the importance of an effective cyber security strategy. One that not only protects their customer’s data, but also the critical infrastructure that they maintain.
But, how best to roll out an effective cyber security strategy in the energy sector?
“Start with the governance component and the core recovery activities,” explains King. “Prepare for the basics such as cyber incident response and move into vulnerability management. Equally important is creating strong internal partnerships with emergency services organisations, physical security teams, internal audit, general counsel, communications and customer teams.”
>Read more on Who is responsible for cyber security in the enterprise
“Make sure to have an executive stakeholder that can shape/influence the Information and Operation Technology strategies, and roadmaps/plan when needed.”
It is true that security design and policy should be rigorously implemented into the framework of an organisation, “as well as effective preventative measures, such as firewalls and sandboxes, to minimise the risk of an attack,” according to Tsonchev.
>Read more on A guide to cyber attacks
Eventually, however, “all those rules and policies harm the agility of the business, because they hinder people’s ability to experiment,” continues Tsonchev.
“And while protecting your network at the border is essential cyber hygiene, some attacks will make it through. That means an equally important counterpart to these strategies is having the capacity to continuously monitor network activity, to learn what is normal for your organisation. This will allow organisations to proactively defend against cyber attacks when they are in progress.”
Cyber security is no longer an IT issue, and business leaders now realise this. If an organisation is breached and found to not have adequate defences in place, it will lose money, reputation and ultimately, customers.
“If your organisation suffers a DDoS attack and you are unable to provide your customers with your product or service, your customers will remember that,” confirms Tsonchev. “When cyber security is done right, it is not just about preventing harm and minimising risk, it is about delivering a higher quality product and a more reliable service.”
Inevitably a poor cyber security strategy will harm a business. However, in the utility industry it is not just about competition.
It is more a question “of whether a chain reaction could occur from a cyber nexus that had a cascading impact between utilities,” explains King. “The answer to that question is complex and lies in capacity planning and load management, performed by an independent system operator.”
This concludes Information Age’s Cyber Security in the Energy Sector series. I would like to thank Scott King from Rapid7, Andrew Tsonchev, Director of Technology at Darktrace Industrial and Martin Sloan from Drax – for their insights that helped deliver this series