Reducing risk by increasing visibility
During a panel discussion at the Atlantic Council's "The State of OT Cybersecurity in the Utilities Industry" event, several industry leaders gave their input on the energy industry's current security posture.
Dante Martins, the cybersecurity director of Critical Infrastructure and Industrial Control Systems at AES Corporation, noted that OT environments have been developed for a long time with limited visibility, and digitization of these systems is proceeding despite the lack of visibility, which has drastically increased the risk surface.
Leo Simonovich, Vice President of Global Industrial Cyber & Digital Security at Siemens, observed that traditionally OT has been concerned about reliability, availability, and safety, while IT has focused on data integrity and confidentiality. As OT and IT converge into what some call the "industrial Internet-of-things," those goals become tied together and the lines between them begin to blur.
Simonovich added that "the frequency of attacks targeting the production of electricity...has increased exponentially." The same day as the Atlantic Council's event, Siemens released the findings of a survey conducted in partnership with the Ponemon Institute, which found that 54% of utilities professionals expect an attack on critical infrastructure within the next twelve months, while only 42% rated their organization's cyber readiness as "high." Additionally, 56% of the respondents said they had experienced an attack in the past twelve months that led to the loss of sensitive information or an outage in the industrial environment.
Trey Herr, director of the Cyber Statecraft Initiative for the Scowcroft Center for Strategy and Security at the Atlantic Council, highlighted the differences between IT and OT in terms of impact, and said people are more willing to form standards and policies regarding OT safety if they think about it in those terms. For example, he pointed to the difference between "the blue screen of death on your laptop as opposed to in an airliner."
Shapor Naghibzadeh, co-founder of Chronicle Security, said "everything starts with visibility," explaining that security teams need telemetry and big data from their systems, as well as the ability to contextualize and draw conclusions from this data. Combined with efficiency, these elements can reduce the time it takes to detect an intruder.
Jack Huffard, COO and co-founder of Tenable, agreed that visibility is "a critical piece of the puzzle as far as vulnerability detection goes." He also acknowledged that all of the new connected devices have "created an exposure that wasn't there a decade ago," but added that utility companies need to take advantage of new technologies to improve efficiency and keep up with demand. The challenge, Huffard said, is creating technologies, processes, and policies that allow them to be utilized securely.