“Like most heavy industries and critical infrastructures, the energy sector is being actively targeted by an array of bad actors,” says Jon Stanford, global principal for industrial security and IoT solutions at Cisco. These actors, he explains, range from low-grade hackers to advanced hostile nation-states.
Stanford understands the risks firsthand from more than 16 years working in the operational technology (OT) security space. Prior to joining Cisco, he held leadership roles in Big 4 consulting, law enforcement, utilities, and at the federal and local government levels.
“A day doesn’t go by in which some form of malware exploit doesn’t make the news,” he notes. At the same time, Stanford warns that a lot of reports about computer vulnerabilities are over-hyped noise or actual events that have been taken out of context. “The threats are real for sure, but they don’t necessarily apply equally across the board.”
With that in mind, we caught up with Stanford to find out which computer threats corporate energy managers do face, and the steps they can take to realize security benefits in the near-term.
What are the biggest security threats to corporate energy management?
Bad actors seek to gain unauthorized access to an organization’s computing environment or deploy some form of malware, or both. A huge threat is malware, which, once introduced, will propagate either by being hand-carried from system to system or via network communications.
Threat actors have varying motivations and capabilities. It’s important to know and understand what threats apply specifically to an organization. For example, so-called insider threats apply to pretty much every organization, and stem from trusted parties like employees, contractors, or partners.
Not all organizations are the targets of nation-states, yet you’d be surprised at how many focus on this threat agent with little credible information that it actually applies. This can lead to prioritizing scarce resources and protective measures in the wrong area.
Which steps should energy managers take to protect against vulnerabilities?
The key for energy managers is understanding to what degree existing system and network vulnerabilities can be exploited, and the potential consequences. Not every software bug can be fixed, nor can every vulnerable system be patched. Achieving perfectly secure systems is a dead end.
These simple steps can provide a lot of near-term security benefits:
Do you have real-life examples?
Over the years, I’ve led dozens of on-the-ground vulnerability assessments in all kinds of industrial environments. In every case, undocumented or unauthorized network connections existed between an organization’s enterprise IT environment and their OT environment. And in every case, the organization’s management was shocked to learn this.
Sometimes temporary network drops were put in place during equipment upgrades that were forgotten and abandoned, which left critical environments exposed externally months or even years later. These mission-critical OT environments lacked effective, tailored network security monitoring mechanisms to detect the introduction or movement of advanced malware.
In some cases, firewalls between IT and OT were either outright abandoned due to lack of clear ownership, or were poorly managed, which in both instances created unnecessary weaknesses in the perimeter protecting mission-critical functions.
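One concrete check for the two findings above (undocumented IT-to-OT connections, and temporary network drops that were never removed), written as an added example and not code from the interview or from Cisco: compare observed cross-zone flows against the documented list of permitted IT-to-OT connections, and flag both connections with no documentation and connections whose temporary exception has expired. The subnets, hosts, ports, allowlist format and flow records below are all constructed for illustration.

```python
"""Audit observed network flows crossing the IT/OT boundary against the
documented allowlist of permitted connections.

Added example: all zone definitions, allowlist entries and flow records
are constructed sample data, not a real site or a real product's format."""
import ipaddress

# Constructed zone definitions (assumption: IT and OT live on separate subnets).
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("192.168.50.0/24")],
}

# Documented IT->OT connections (constructed). 'expires' is an ISO date for a
# temporary exception, or None for a permanent, reviewed connection.
ALLOWLIST = [
    {"src": "10.10.5.20", "dst": "192.168.50.10", "port": 502,
     "expires": None},          # historian polling a PLC gateway (Modbus/TCP)
    {"src": "10.10.7.33", "dst": "192.168.50.40", "port": 3389,
     "expires": "2023-06-30"},  # vendor upgrade access, meant to be temporary
]

# Constructed NetFlow-style summaries: (source IP, destination IP, dest port).
FLOWS = [
    ("10.10.5.20", "192.168.50.10", 502),    # documented, permanent
    ("10.10.7.33", "192.168.50.40", 3389),   # documented, but exception expired
    ("10.10.9.8", "192.168.50.12", 445),     # nobody documented this one
    ("192.168.50.10", "192.168.50.11", 502), # OT-internal, out of scope
    ("10.10.1.1", "10.10.2.2", 443),         # IT-internal, out of scope
]


def zone_of(ip):
    """Map an IP address to its zone name, or 'UNKNOWN' if it fits no zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def audit_flows(flows, allowlist, today):
    """Return (undocumented, stale) for flows that cross zone boundaries.

    undocumented: cross-zone flows with no matching allowlist entry.
    stale: cross-zone flows matching an entry whose 'expires' date is before
           'today' (ISO date strings compare correctly as plain strings).
    """
    undocumented, stale = [], []
    for src, dst, port in flows:
        if zone_of(src) == zone_of(dst):
            continue  # intra-zone traffic is not what this check is about
        entry = next((e for e in allowlist
                      if e["src"] == src and e["dst"] == dst and e["port"] == port),
                     None)
        if entry is None:
            undocumented.append((src, dst, port))
        elif entry["expires"] is not None and entry["expires"] < today:
            stale.append((src, dst, port, entry["expires"]))
    return undocumented, stale


if __name__ == "__main__":
    undoc, stale = audit_flows(FLOWS, ALLOWLIST, "2024-01-15")
    for flow in undoc:
        print("UNDOCUMENTED cross-zone connection:", flow)
    for flow in stale:
        print("EXPIRED temporary exception still in use:", flow)
```

In practice the flow records would come from the IT/OT firewall's logs or a flow collector, and the allowlist from whatever change-control record the organization keeps; the point of the check is that anything crossing the boundary that nobody can account for, or whose justification has lapsed, becomes a finding rather than something management learns about during an assessment.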
Are there common mistakes that corporate leaders and energy managers make as they’re pursuing the steps you outlined?
I’ve spoken with dozens of industrial chief information officers and chief information security officers globally regarding their overall security programs. With very few exceptions, they have a low level of confidence in their organization’s ability to deter, respond to, and recover from a significant cyber incident. Most have only undertaken basic steps toward unifying their approaches to IT and OT security. Bridging that real or perceived cultural divide is foundational.
When it comes to securing OT environments, one mistake I’ve seen too often is neglecting to put security into a proper context. This means ensuring that potential operational risks and effects correlate to the care-abouts of OT and the terminology that they use and understand in their daily work.
An example would be to show how the compromise of a human-machine interface that resulted from exploitation of a vulnerable application would result in a loss-of-control event or a loss-of-view event. These types of events are things that OT operators and engineers understand, and already factor into their design or operating models. The proper context will help gain buy-in and identify quick wins for an effective IT-OT security partnership.
Anything else?
Internal organizational silos and cultural differences can derail even the most well-planned security program. There is a strong case to be made for harmonizing or even converging an industrial organization’s physical security and cyber security programs.
What does the future of corporate energy security look like?
The corporate energy sector will likely see increased attacks in the future as threat actors continue to advance their exploit methods and research vulnerabilities. It will be important to invest in security proactively, but at the same time understand which threats to the organization actually apply.
The same vulnerabilities that exist in two separate organizations don’t necessarily equate to the same risk, either. Understanding this can help ensure that each organization’s security investments are funded and prioritized appropriately.
Don’t underestimate the effectiveness of identifying ways to provide an immediate reduction of operational risk while creating positive momentum for further security investment. It’s important to achieve results in the short term, celebrate even small successes, and commit to a path of continual improvement.