National Critical Infrastructure Security and Resilience Month
November is National Critical Infrastructure Security and Resilience Month, and there is no better time to highlight the importance of keeping one of our nation’s most critical infrastructures secure: the energy sector.
Though we often take it for granted, our way of life depends on the security and stability of our nation’s energy industry. Recent reports of cyberattacks on energy infrastructure around the world, including Ukraine’s grid and a nuclear power plant in Germany, underscore the risk our energy sector faces: breaches could lead to not just stolen data, but to physical damage.
Our U.S. energy infrastructure is at a particularly perilous point. On one hand, the bulk of our grid still relies on antiquated technologies. The American Society of Civil Engineers has reported that 70 percent of our nation’s transmission lines are more than 25 years old. On the other, technology is transforming how the entire energy sector operates. Energy devices in our homes and buildings, power plant controls and the systems that manage oil and gas pipelines are increasingly connected to the Internet — often without the necessary security measures to secure and manage them. More than 89,000 industrial control systems are publicly accessible online, many of which have minimal security controls. Because of the interconnected nature of the energy sector and the viral speed of social media, crippling just one of these systems could cause public panic and raise concerns about the resilience of the electric grid.
Key to reducing risk
Key to reducing this risk lies in the collaboration between energy companies and government organizations extending beyond North American Electric Reliability Corporation-Critical Infrastructure Protection (NERC-CIP) boundaries. Fortunately, we’re seeing signs from across the industry that they’re taking the necessary steps for increased international collaboration.
Eight major international energy companies, including Shell and Norwegian Statoil, have teamed up with the industry’s certification body DNV GL to create sector-specific cybersecurity guidelines. Specifically, they will create a recommended practice for industrial automation and control systems, which could turn into an industry standard within a year. This collaboration is a good sign for the industry, and I encourage more companies to get involved in this effort.
However, to truly improve cybersecurity, there needs to be a broader cultural shift within energy companies — and that shift needs to start in the boardroom. Board members and CEOs must understand their cyber risk and what they can do to mitigate it. Some initial signs indicate this is happening. A recent report from the World Energy Council, The Road to Resilience – Managing Cyber Risk, says that energy companies increasingly recognize cyberattacks as a core threat to their business.
While this cultural shift should start within an organization, again, businesses and the government can do much to reduce their cyber risk by sharing threat information with each other. Many attacks could be prevented if businesses (and government agencies) had guidelines on exactly what information they should share and with whom they should share this information. However, businesses often fear legal action will be taken against them if they report a breach; or worse, businesses are incapable of taking actions with the information or indicators provided due to aged infrastructure and tools. This is an issue that the next Administration should address to foster increased public-private sector collaboration.
We stand at a critical point in time, where our grid is rapidly changing and more Internet-connected energy devices will be coming online. Meanwhile, the oil and gas industries are expected to spend $1.87 billion on cybersecurity annually by 2018—a sign that they are taking the threat seriously. But spending is not the ultimate answer. Instead, a combination of collaboration and a shift in our culture to commit to upgrading antiquated technology will do far more to improve our security.
About the Author: In his role as Director of Security at Tanium, Andre McGregor is focused on cybersecurity. He possesses deep knowledge of criminal and counterintelligence cyber-techniques used to attack U.S. computer networks and infrastructure. Prior to joining Tanium, Andre served as an FBI Cyber Special Agent in New York City, later promoted to Supervisory Special Agent at FBI Headquarters. At the FBI, McGregor was the senior technical agent and the lead incident responder for several large-scale computer intrusions. Additionally, he served as both the FBI Cyber Liaison to the United Nations and FBI Cyber Liaison to DHS US-CERT and ICS-CERT. Before the FBI, McGregor went to Brown University, started his career at Goldman Sachs and then later as IT Director at Advogent (Cardinal Health) over all IT operations nationwide. In his free time, Andre is also the FBI and technical consultant for Mr. Robot.