When we think about critical infrastructures, we tend to think about energy. Whether electric power lines or supplies to oil and gas, cut off access to energy, and our worlds go dark. Though you can certainly argue that other industries are just as critical (pharmaceuticals, food supply and others), it is the energy sector that seems to be most aware of the need to secure its underlying infrastructure.
It is also the sector that is most likely to come under attack from nation state threats, according to Barak Perelman, co-founder and CEO of cybersecurity company Indegy. "When thinking about critical infrastructure, you and I think of energy," he says. "The same thing goes for the adversaries. They're targeting the energy sector."
The right direction
The cybersecurity trend is positive in the energy sector, but still a bit too slow, Perelman says. "Compared to the financial sector, 10 years ago, they started being hacked more and more. In a year or two, they started building all the walls and protection measures," he describes. "Five years from now, the energy sector will be well protected. Many of the stakeholders are trying to push the inevitable. We can have everything set up a year or two from now. Unfortunately, it will be more like five years from now."
It's not for a lack of available technology in the marketplace, Perelman insists. Budget is often a problem (sometimes no margins to work with, and every dollar meticulously calculated), he says. Also, it's often the small cybersecurity companies with the cutting-edge technologies, but end users can be reluctant to work with small companies.
Indegy, for one, has been trying to gain more visibility in the market, and has been putting more emphasis on working with large partners, promising announcements in the coming months about collaborations with giants in the sector.
The company was founded with a strong understanding of how industrial control systems operate as well as cybersecurity. Its founders were all part of the Israeli Defense Force (IDF) previously, and understand the physical as well as psychological ramifications of cyber attacks targeting the energy sector.
Help from IT
A key development that Perelman has seen over the past three or four years is that more and more IT executives for end users (refineries, midstream and upstream oil and gas operations, power generation) are seeing the need to protect the operations side. He comments, "Three years ago, there was a lot of confusion: Should we protect that? Who should be responsible? Facilities? IT people?"
But as those questions shake out, it's typically from the board level that the requirements come to provide security for the industrial environment. "It's the board putting that on the agenda in the energy sector," Perelman says. "And when the board puts it on the agenda, they prefer to have the CIO or CISO lead that practice."
That's why, while the Offshore Technology Conference (OTC) was going on last month at NRG Park in Houston, Perelman was scheduled to speak across town at the CIO Energy Summit. IT leaders at manufacturing companies need to learn what's required when it comes to protecting the industrial control systems (ICS). "In the past 10 years, he's only been dealing with IT systems. Now he has to protect all these new components that he's not familiar with," Perelman says.
True, there are plenty of facility engineers who don't want the IT folks anywhere near their equipment. But some things are turning around in that respect. "The engineers understand that eventually they're making their own job harder by keeping IT out. If they do get the ticket of dealing with security, it's just another thing on the table that keeps them from doing their day jobs," Perelman says. "The engineers are happy with it. They can't blame engineers if something happens. It's in our nature."
Some organizations are taking an approach in which a new group is created under the CISO to deal with ICS security, Perelman says. "They took engineers from the refinery sector, pipelines, oil rigs, and trained them in security and best practices in that area. Now a year later, that group has 20 years of engineering background, but understands security as well," he says, adding that this tends to be the most successful route. "With everything that's going on in the cyber realm, it's still easier to be taught cybersecurity practices than engineering practices."
Everybody else
But getting back to the argument that other industries could be considered just as critical as the energy sector... There are a few important factors to ponder before you decide that your operations aren't critical enough for attack.
First, other manufacturing industries use pretty similar underlying systems, with the same types of controls from the same big automation suppliers. So a bad actor might have a particular target in mind, but think nothing of whoever else he catches in his net. "He might want to target oil and gas refineries. But if the attack is designed to shut down any Honeywell or Siemens system they see, non-critical systems will be hurt just the same," Perelman says. "They can be collateral damage even if they're not the target specifically."
Second, as noted earlier, you could argue that other industries are just as critical as energy. "When you look at food and beverage manufacturing, you can hardly say that these are not critical," Perelman says. "Attacking a dairy producer is just as risky as attacking a grid line. The way that they produce milk, very simple changes can make milk toxic. It's very, very frightening, and definitely should be also under the umbrella of critical infrastructure."
Finally, as we've heard repeatedly, the attack from within is actually more likely than the attack from without, whether because of a disgruntled employee or just a negligent one. "They're cyber incidents, not just cyber attacks," Perelman emphasizes. "It doesn't matter if you think you're a target or not; you need to deal with security."
About the Author
Aaron Hand
Editor-in-Chief, ProFood World
