WGC 2018: Energy sector accused of sleepwalking on cybersecurity
Security experts say industry is leaving the door open for hackers targeting mission-critical infrastructure
Energy firms are overlooking serious cybersecurity threats to critical infrastructure due to cost-cutting measures and lax standards, according to industry experts.
Speaking at World Gas Conference 2018, David Blanco, SCADA security director at software firm Autosol, said cybersecurity compliance is so poor that he expected it could take "an event where lives are lost for any regulation to be introduced" and adopted, to spur the industry into action.
While not caused directly by a cyber attack, he pointed to the deadly San Bruno pipeline explosion of 2010 as an example of such an event.
"Safety regulations are followed like a religion, but cybersecurity standards are voluntary and just aren't followed or enforced", said Blanco. "It is all about avoiding adding cents to the barrel. There won't really be cybersecurity in the industry without some big government intervention, but this won't happen without some cyber 9/11 occurring."
Schneider Electric SE said in January that hackers had exploited a flaw in its technology, in a watershed incident that halted operations at an undisclosed industrial facility. AP Moller-Maersk A/S, the container ship giant, last year reported a loss of roughly $300m related to a cyber attack on its operations.
KPMG director Deborah Watson echoed concerns over the impact of cost-cutting on cybersecurity standards.
"There are organisations that have compliance and those that don't - those that do not generally don't do anything. There is a lack of documentation, so no repeatability. It relies on tribal knowledge, especially on the operational technology side of things. The push to cut costs means there is no time to do anything," said Watson.
Jennifer Silk, senior advisor, office of the secretary at the US Department of Energy, said phishing and "spear phishing" - an email spoofing attack ostensibly from a known or trusted sender - were the top cybersecurity risks facing energy firms' infrastructure, while noting that companies could introduce more training to reduce the risks.
"It is challenging, if not impossible, to keep attackers out 100% of the time", said Silk, adding that employees will too often inadvertently click on emails that may harbour dangerous viruses such as Stuxnet, the malicious computer worm that was designed to target Iran's nuclear facilities.
Watson also added that employees were the "last line of defence", yet companies continue to look towards technical solutions instead of training. "The percentage spent on phishing is lower in every company I know … working together is the only way to address this, and understanding - not denying - the problem is the important first step."
However, not everyone in the industry is pessimistic about the energy sector's future approach to cyber threats.
Muqsit Ashraf, managing director of energy at Accenture, told Petroleum Economist that as the industry increasingly shifts towards a more consumer-centric model, firms will have a stronger motivation to shore up cyber defence systems. "There will be billions of connected devices and utilities and energy companies will have access to much more personal data," he said.
Ashraf said that digitisation and the increasingly inter-connected nature of the industry has driven a stronger focus on cybersecurity in the past 12 months.