While advances in technology are propelling the world of business into an increasingly digital state, they are also ensuring today’s threat landscape is more sophisticated and more dangerous than ever before. As a result, next-generation security technologies have taken on increased importance for companies in any industry.
Though many industries are growing increasingly concerned about the impact of cyberattacks on their operations, many executives continue struggling to understand this growing risk. One such industry is the energy sector. Energy executives have become more worried about how cyberattacks could negatively impact their organization, but a recent survey revealed that greater understanding, quantification and mitigation strategies may be needed to tackle cybersecurity in the energy industry.
The report, Could Energy Industry Dynamics Be Creating an Impending Cyber Storm?, reveals that more than one in four respondents were aware that their company had been hit by a damaging cyberattack in the last year while more than three-quarters of respondents (76 percent) were worried about attacks interrupting their business operations. A similar proportion (77 percent) are preparing to increase the amount they invest in managing cyber risks.
Worse yet, as this risk swells, the consequences surrounding a breach grow more dangerous and expensive. In fact, according to the 2018 Cost of a Data Breach Study, each data breach in the energy sector cost $167 per breach — $19 more per record than the average across industries.
Despite fears about the impact of cyberattacks on production and revenues, more than half of energy executives in the survey had not quantified or did not know what their worst possible exposures could be. As energy companies become more dependent on technology, their exposure to risks grows thanks to the massive growth in devices connected by the “internet of things.”
In spite of being the ideal setting for the industrial internet of things, the energy industry was relatively late to adopt digitalization, and unfortunately, the digitization of the energy grid in conjunction with the proliferation of renewable energy technologies create new, unexplored opportunities for hackers and bad actors.
A cyberattack in the energy sector could not only damage a business’ reputation, but an attack could also cause disruption and loss of data, threaten the integrity of security systems, cause widespread power outages and lead to financial losses from hackers holding data or plant operations for ransom.
Making matters worse, it appears to be relatively easy to hack some systems in the energy sector. Last year, a Dutch researcher uncovered 17 solar inverter vulnerabilities that hackers could use to remotely control plant output.
Until recently, most energy installations did not communicate with traditional IT networks, and energy infrastructure was too vital to national economies for companies to adopt new technologies. However, the growing complexity and decentralization of the grid, the growth of renewable energy and the increased availability of technologies such as sensors, machine learning and big data is beginning to impact the cybersecurity of the energy industry.
As energy sector systems that monitor and run operations become more interconnected, it increases the risk that a cyberattack could result in physical damage. And worst of all, this is potentially more serious in the energy sector than other industries. An attack on energy infrastructure has the potential to cross from the cyber realm into the physical world, causing a massive operational failure of a significant asset such as a nuclear, coal or oil plant. From fires to explosions, machinery breakdowns and other damage to energy infrastructure, vulnerabilities have the potential to result in significant risks.
Consider the cyberattacks on the Ukrainian power grid just a few short years ago. On December 23, 2015, malicious actors (determined to be from Russia) opened breakers at some 30 distribution substations in the capital city Kiev and western Ivano-Frankivsk region, causing more than 200,000 consumers to lose power after taking control of the facilities’ SCADA systems. Unfortunately, this breach exhibits how a cyberattack in the energy sector can have incredibly dangerous real-world implications.
Despite naming cyber risk as a priority, more than half (54 percent) of energy executives have not quantified or did not know what their worst possible loss exposures could be. Perhaps more troublesome, 26 percent said they were aware that their company had been victim to a successful cyberattack in the past 12 months, but, as many cyberattacks often go undetected for some unknown period of time, the actual percentage is likely higher.
In the face of some executives expressing confidence in their organizations’ abilities to address cyber risk, it is clear more work is needed in the energy industry to address these vulnerabilities. Consequently, the U.S. Department of Energy has set up an office to protect the nation’s power grid and other infrastructure against cyberattacks and natural disasters.
Unfortunately, as long as the energy sector remains as important to our everyday lives as it is, hackers and bad actors will continue to try to find new ways to gain access to plant controls. As a result, companies in the energy sector need to increase their focus on cybersecurity to remain safe from expensive and dangerous breaches.
In an area as vital as the energy sector, the importance of staying up to date with the patch management of software and operating systems has never been more apparent. Once considered onerous, time consuming and a burden, advances in cybersecurity technology now enable patch management to be an automated process, allowing security professionals to see the real-time vulnerability status across their entire IT infrastructure from a single dashboard and take action immediately. Enter Automox.
As the energy industry increasingly relies on interconnectivity as a result of greater digitalization, the potential for cyberattacks to cause severe disruption to operations, loss of data and the resulting high financial losses, remains a key concern for energy executives. For energy companies that have not effectively planned to mitigate and manage attacks or that have not measured their exposure to cyber risks, the time has never been better than now.
Automox is a cloud-based patch management and endpoint protection platform that provides the foundation for a strong security framework by automating the fundamentals of security hygiene to reduce a company’s attack surface by over 80 percent. A powerful set of user-defined controls enables IT managers to filter and report on the vulnerability status of their infrastructure and intuitively manage cross-platform OS patching, third party patching, software deployment, and configuration management. To sign up for a free, 15-day trial of Automox’s cloud-based, automated patch management solution, visit www.automox.com/signup.