The massive cyber breach of the U.S. Government’s Office of Personnel Management (OPM) systems is the latest in a string of high profile cyber attacks in the last couple of years.
Before OPM, media coverage focused on hacks at Sony Corporation, Home Depot, Target, and CareFirst. In between these notable incidents has been comparatively quiet coverage of cyber attacks at energy firms. For example, the 2012 breach of Saudi Aramco’s network that disabled 30,000 computers and the 2014 hack of a South Korean nuclear plant operator’s computer system received much less attention. A 2014 article attributed the 2008 explosion of a Turkish pipeline to a cyber attack, the first documented digital compromise of critical infrastructure.
According to HP Enterprise Security’s 2014 Global Report on the Cost of Cyber Crime, conducted by the Ponemon Institute, energy and utilities suffered the highest average annualized losses from cyber crimes ($13.2 million), closely followed by the finance sector ($12.97 million), dwarfing the much-covered media, retail and health care sectors.
While general media coverage raises awareness of the digital threat, not all cyber threats are equal.
Energy sector faces two types of cyber threats
The energy sector is vulnerable to two types of cyber threats. One is to companies’ information technology (IT) systems that are used for business and administrative purposes. These are the corporate breaches we hear about most often, when networks are attacked, office computers are compromised or business information is stolen – all certainly devastating to a company and the industry.
Addressing these threats is quite well understood and advanced. Cyber security firms such as Symantec, FireEye, Palantir, Palo Alto Networks, Splunk and Fidelis, to name a few, have tools and solutions to defend and protect IT infrastructure and systems. Defense contractors such as Lockheed Martin, General Dynamics and BAE Systems also offer extensive technologies and services for designing and managing IT cyber solutions. Corporate Chief Information Officers (CIOs) in the U.S. government and across the industry are well aware of IT cyber security and risk management.
The second type is the threat to the operational technology (OT) such as the sensors, SCADA (supervisory control and data acquisition) systems, software and other controls that operate the pipelines, power plants, and transmission and distribution grids.
Ever since researchers in 2007 demonstrated a digital attack that destroyed a power generator, the cyber threat to OT has worried the U.S. government. The potential for an adversary to take control of and destroy power plants, oil and gas facilities, chemical plants or water installations poses economic, social and political threats to any nation. Increasingly, there are reports of successful attacks against such critical infrastructure.
Unlike IT systems, it’s early days for solutions to protect OT. Yet, IT systems and OT systems are converging as more operations and communication systems are integrated and functionality is Internet-enabled. Government and industry are racing to secure IT systems and develop practices and technologies to address OT threats.
Protecting energy sector OT systems from cyber threats
Cyber security wasn’t a threat when most of today’s energy infrastructure was built. Hence protections were never built into the software, controllers and sensors that operate the valves, pumps and other system components. Retrofitting the existing infrastructure or designing new solutions is not trivial. Smart grids, digital oil fields, and internet-connected services and functions introduce new complexities, vulnerabilities and access points. Cyber solutions for energy OT systems must function yet not interfere with the workings of the controllers or the energy systems, making them much more complex than those for IT systems.
The U.S. Department of Energy’s (DOE) Office of Electricity Delivery and Energy Reliability has launched an ambitious and far-reaching government-industry partnership to address the cyber security challenge to the electricity grid. According to DOE, “ensuring a resilient electric grid is particularly important since it is arguably the most complex and critical infrastructure that other sectors depend upon to deliver essential services.”
In 2011, DOE published an ambitious “Roadmap to achieve Energy Delivery Systems Cybersecurity.” Under this plan, “by 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.” Basically, power grids will continue to supply electricity even if attacked.
A Large and Growing Market
ABI Research is widely quoted as predicting the oil and gas sector’s cyber spending to reach $1.87 billion by 2018 as it defends its infrastructure against cyber attacks. According to PWC’s Global State of Information Security® Survey 2015, oil and gas spending for cyber security increased 14 percent in 2014.
In contrast, PWC found that investment by power utilities in cyber security stalled in 2014. Many of the threats identified are known IT vulnerabilities, and do not directly include the costs of OT cyber protections. However, because IT vulnerabilities can be gateways to OT controls, these investments are critical.
The size of the cyber market to protect OT is not yet separately determined. It is not unreasonable to think that it could dwarf the market for IT.
Every major supplier to the power sector is deeply engaged in developing and bringing cyber solutions to market. These include well known publicly-traded names, privately-held firms and non-profits.
For example, Ericsson, Schweitzer Engineering Laboratories and Grid Protection Alliance are developing secure communications solutions that will function between remote access devices and control centers. AREVA has partnered with Northrop Grumman to provide solutions to the utility sector. ABB, Emerson, Honeywell and OSIsoft participated in a DOE-sponsored program to test baseline security assessment solutions.
Solutions to integrate cyber and physical security situational awareness are seen as critical to real-time security state monitoring. Siemens is currently developing a near-real-time solution for this purpose.
Oil and gas majors organized themselves into the LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) program to facilitate cooperative R&D, testing, and evaluation procedures to improve cybersecurity in petroleum industry digital control systems. The Department of Homeland Security, BP, Chevron, Shell and Total are members of LOGIIC. Lockheed Martin is offering the oil and gas sector a full suite of cyber solutions that takes an integrated approach to both IT and OT. These are just a few examples.
Energy firms can no longer take an isolated view of physical, IT and OT security. The convergence of IT and OT in the energy sector means the vulnerabilities and potential attack surfaces continue to increase. While the industry races to find solutions, more energy firms are buying cyber security insurance. It’s unclear if these policies will cover losses such as the Turkish pipeline lost to a cyber attack. The urgency to stay ahead of determined and increasingly sophisticated adversaries means that the global market opportunity to protect critical infrastructure against cyber threats will continue to grow.
By Ronke Luke of Oilprice.com