The energy sector is currently undergoing an exciting period of expansion and evolution. However, as the sector works to increase operations, streamline processes, and adopt eco-friendly alternative energy sources, there is also a struggle to adequately safeguard against bad actors looking to take advantage of emerging technologies and the rapidly growing attack surface. The recent hacking operation known as “Volt Typhoon,” in which a Chinese government backed a group of cybercriminals that attacked critical infrastructure in the water and electric sectors serves as a sobering example of how real these threats are. The goal of these hackers, according to FBI Director Chris Wray, was to "wreak havoc and cause real-world harm to American citizens and communities."
Understanding Cybersecurity Threats in the Energy Sector
Organizations within the energy sector face unique challenges in ensuring their defense against malicious actors. Whereas most industries are mainly concerned with providing enterprise security against those looking to exploit them for financial gain or espionage, cybersecurity teams in the energy sector must also contend with ethically opposed hacktivists and nation-states looking to cripple infrastructure for militaristic purposes. Thus, it is of the utmost importance to ensure the integrity of the energy industry.
The most common route of access is not through larger corporations in the energy sector but through the myriad of vendors, product developers, and service providers that they contract with. In an effort to increase efficiency and utilize the ever-changing technology surrounding alternative forms of supply, energy companies are increasingly turning towards digitization via Industrial Internet of Things (IIoT) devices created by these partners. By increasing the number of digital access points and adopting rapidly developing new technologies, the attack surface can often outpace the security protocols designed to ensure infrastructural integrity.
According to Dawn Cappelli, Director of OT-Cert at Dragos, it is imperative that corporations have a comprehensive strategy for managing third-party risk in their industrial environments, especially in three specific areas. “They should require their OEMs to have a product security program, including a formal secure software development life cycle and Product Security Incident Response Team; ensure their critical suppliers, partners, and service providers, no matter how large or small, have a cybersecurity program – both in IT and OT; and have formal procedures for third parties to access and transfer files in their OT (Operational Technology).”
Security Risks of Cloud Computing
While cloud computing inherently offers many advantages in terms of data security, it notably increases opportunities to exploit the human factor. Cloud computing provides convenient data storage, secure end-to-end encryption, and also ensures that data is located in more than one location, which negates threats such as ransomware attacks. However, this convenience comes at the cost of increased susceptibility to social engineering attacks, which are the most common form of attacks and simple negligence, such as forgetting to log out of an unsecured device. “Ultimately, building a cybersecurity culture, which includes effective awareness-raising and enables positive security behaviors, is fundamental to mitigating social engineering risks,” said Dr. Jessica Barker, Co-CEO, Cygenta.
In order to effectively defend against these approaches, cybersecurity teams need to be constantly innovative while leveraging proven strategies such as adopting a zero-trust policy that ensures those gaining access to a system are effectively verified, regardless of the location or device they are using to gain access. “Helping people understand where the threats lie and what they can do to ward off the dangers is crucial, as is empowering people to practice positive security practices by reducing friction and providing clear, actionable guidance and support,” Barker added. It is also important to employ virtual private networks (VPNs) and multi-factor authentication (MFA) to ensure the security of cloud data.
Cybersecurity Compliance Checklist
In an effort to provide greater transparency, the Securities and Exchange Commission (SEC) has adopted several new policies in regard to cybersecurity reporting. These policies, which went into effect December 15, 2023, will help to ensure that reporting is done in a more consistent manner. Publicly held companies must adhere to these regulations to ensure compliance.
-
As part of these new regulations, organizations must file a Form 8-K (most often within four days) detailing the depth and timing of any cybersecurity incidents as well as their effects.
-
Form 10-K will serve as an annual report detailing the registrant’s procedures for identifying and mitigating cybersecurity risks, the potential effects suffered from a penetrating attack, and the preparedness of management in identifying and managing these threats.
-
Foreign private issuers must also comply with these new regulations using Form 6-K to report cyber security incidents and Form 20-F to outline their risk management policies.
Collaborative Cybersecurity Initiatives
It is not enough for organizations within the energy sector to look to their own cybersecurity and hope that others do the same. It is only through shared intelligence between the various sectors of the industry that those tasked with providing cybersecurity can be expected to develop an accurate understanding of the threat landscape. With enough data, security teams can begin to recognize patterns and trends, and develop appropriate proactive approaches to minimizing these threats. By sharing this information across the industry, smaller companies with less substantial cybersecurity teams will be better able to defend themselves and ensure that the energy sector is more adequately protected as a collective whole.
In addition to adequately ensuring cybersecurity, it is also essential that those in the energy industry have a plan in place to quickly recover in the event of a sustained cyberattack. Through planning and preparing for this reality, the industry can be truly resilient and recover quickly with minimal interruption. Given the importance of the energy sector, it is vital that if they suffer an attack with any real impact, they are able to resume services as fast as possible.