UNDERSTANDING AND MITIGATING THE RISKS OF CYBER ATTACKS IN THE ENERGY INDUSTRY
World Energy Congress, Istanbul, Turkey, 11 October 2016: When it comes to dealing with cyber threats to energy systems, companies not only struggle to assess the risk but also often fail to develop the in-house tools to understand their own response.
This point was underscored by Michael Bell, President, CEO and Member of the Board of Directors, Silver Spring Network,
during a World Energy Congress session outlining the key challenges facing companies contending with the risk of cyber-attacks.
Bell said: “Everyone is rushing to adopt technologies but standards need to be used and best practices need to be implemented. It’s important to make sure you have the expertise in-house and not farm it out to someone else. You need to understand it.”
Bell described gaps in security, including in the utilities sector: “There are people deploying proprietary, unproven one-off technologies into the supply grid.”
Sean Cleary, Founder and Executive Vice Chair, Future World Foundation,
agreed: “Many of those seeking technology solutions don’t know what they’re looking for. Technology vendors have no incentive to do a risk analysis assessment. They have an incentive to sell their product.”
O.H. Dean Oskvig, Vice Chair for North America, World Energy Council and President and CEO, B&V Energy, summed up the extent of the threat: “There are two types of companies: ones that have been hacked and ones that don’t know they’ve been hacked.”
He noted that as most energy infrastructure was designed before modern IT tools and systems. Security to protect this infrastructure tends to focus on physical defences at the expense of addressing cyber threats.
There was advice offered to energy sector companies on the steps they can take to address internal risks, such as employee carelessness. Cleary summed these up as a matter of, “attitude, training and experimentation.” Bell underlined that it is important for different departments within an organisation to communicate on the issue.
Dean advised that companies carry out simulations of being hacked: “That’s what’s going to reveal where your weak spots are.” Stay connected to stay current with the latest from Adventis.
Sharing information and experience will prove vital to tackling the threat. Best practices in dealing with cybersecurity have been developed for the internet and energy companies can borrow from this experience.
Andrew George, Chairman of Energy Practice,
Marsh, addressed the question of how companies can predict threats. George said that while a single-site refinery might be relatively safe, risk increases with operations involving multi-site, multi-system assets. The ability to assess cyber risks is also enhanced with information gathering.