Operational technology (OT), the industrial control systems (ICS) that help keep the power on and water and gas flowing, is becoming more prone to cyberattack. Given that energy and water are essential requirements of society, any potential risk to this critical infrastructure also poses risk to society overall.
As utilities continue to seek greater operational efficiency and effectiveness, they are introducing internet connections to their existing OT networks. This positive convergence will improve performance and streamline ways of working by enabling capabilities such as off-site monitoring and remote maintenance. However, since much OT equipment dates from the 1980s and 1990s, it was developed with little idea it would be part of a connected society and, thus, with little thought to security.
A highly targeted sector
The energy industry is highly targeted for cyberattacks. According to a 2016 survey on cybersecurity challenges in the energy industry by Dimensional Research for Tripwire, not only are attacks on the rise, but “energy organizations are experiencing a disproportionately large increase when compared to other industries.”
Even when a utility’s IT network has sophisticated cyber-defense in place, it is not always a given that connections to the OT network have the same rigors applied. The result: the door is left open to malicious elements.
So what can utilities do to improve their OT and IT security postures? Utilities may be exceeding what’s required from a compliance perspective, but must do more to ensure cybersecurity is “baked in” to everything they do. A fragmented, business-as-usual approach no longer is viable, particularly for missioncritical systems. The high level of preparedness required to mitigate both internal and external threats requires a more holistic approach across the dimensions of people, process, technology and governance.
While utilities have numerous priorities competing for transformation budgets and attention, there is no greater risk to a utility and to citizens than a malicious and wide-spread cyber-attack. The solution is complex, and calls for a clear understanding of the risks that go hand in hand with converging OT and IT. It requires cultural and behavioral change as well as improved control and monitoring of operations. Only a holistic approach across people, process, technology and governance can provide the best defense against cyber breaches, to ensure essential services continue to flow, and employees and communities are kept safe.