Complacency is the biggest risk for the energy industry, which is a prime target for malicious actors. While hackers haven’t sought financial gain from going after an energy grid or other vital infrastructure in a meaningful manner, it's not an impossibility. There’s also the risk from bad actors who are constantly looking for ways in to cause disruption and destruction, heightening the risk for the industry.
Still, with little in the way of real attacks, a sense of security has set in among some in the energy sector, inviting more risk.
“Complacency is the enemy and the biggest risk of the energy industry when it comes to cyber risk,” said Teresa Zielinski, Chief Information Security Officer at GE Power, in a recent interview with The SaaS Report. “While much risk can be managed with the application of basic controls and practices, companies must develop a program and update frequently as hackers are always looking for open vulnerabilities. No organization should ever claim cyber invulnerability and all should take ongoing efforts to reduce their exposure.”
Companies using legacy infrastructure are particularly exposed and often require a security retrofit, said Zielinski. The good news: upgrading to a more secure infrastructure is usually achievable for what can be a nominal cost. But upgrading alone isn’t enough. The executive said firms have to have well-crafted incident response plans in place. The last thing they want to happen is that a breach occurs and the business is caught off guard, unable to respond. “The new reality is, you will be breached at some point in time. There's a lot at risk in that, including the business' reputational status and financial damages. Having a mature capability to respond with clarity and action will make a difference,” said Zielinski.
But it's not just legacy systems that make the world a scarier place for energy companies today and into the future. The GE executive pointed to an energy landscape that will change more in the next decade than it did in the thousands of years before. “Digital power solutions will expand and power generation will grow more complex and encompass a range of sources,” said the GE Power executive. “I encourage the industry never to be complacent and ensure they're considering the latest in technology solutions that have the power to eliminate risk.”
Currently, a lot of the risk comes from bad actors posturing, showing off what they are capable of doing rather than compromising a network or system for financial gain, such as via ransomware. In the future that could very well happen, creating urgency for businesses and government to create standards and bankroll programs to protect assets and critical infrastructure. Hacks against the power grid in the U.S. are still at the theoretical stage, but blackouts in Ukraine caused by cyber attacks emanating out of Russia in 2015 and 2016 opened eyes to the danger. And even though the U.S. grid is well protected, that hasn’t stopped Russia from trying to get in.
Businesses also play a role in providing guidance to the government on the creation and maintenance of best practices to protect against all these risks. “In an ideal world, government and business are collaborating on frameworks that all benefit from,” said Zielinski.