INTRODUCTION
Although two years have passed since the Colonial Pipeline attack, it serves as a stark reminder of the devastating impact a cyberattack can have on the energy supply chain. It left millions of citizens without access to fuel, incurred substantial costs for containment and recovery, and inflicted long-term damage to the company's reputation.
What’s important to note is that this incident is not an isolated occurrence. The industry has been dealing with increasing cyber risk—from the growing number of cyberattacks to the multiple vulnerabilities related to their IT systems, operational technology (OT) infrastructure, and supply chain partners. Of the 45 cybersecurity incidents that have targeted the energy industry since 2017, 13 of them had taken place by July 2022, the highest annual level over the last six years. The primary targets of these cyber threats were oil assets and infrastructure, accounting for one-third of all incidents followed closely by electricity networks, with over a quarter of the recorded cyberattacks.
Given the crucial role of energy in the economy, attacks from nation-state attacks are also of increasing concern. 21 natural energy companies in the U.S. were targeted by supposed Russian hackers a few weeks before the Ukraine attacks. The threat of cyberattacks also extends beyond operational disruptions and supply chain interruptions. The Delta-Montrose Electric Association (DMEA), a Colorado energy company in the US, fell prey to malicious cyber ware in January 2023, which forced the shutdown of 90% of its internal controls. Tragically, this incident wiped out 25 years of crucial historical data, underscoring the potentially irreversible consequences of cyber threats.
The energy industry is critical to a functioning society and is foundational to the growth of global economies. Almost every business decision made is dependent on the thousands of companies that produce electricity, coal, oil, natural gas, nuclear power, and renewable fuels such as geothermal, hydropower, solar, and wind. Understanding the unique challenges and necessitating the proactive and comprehensive measures to protect the energy industry and the communities it serves is of utmost importance.
This eBook dives deep into the unique complexities faced by the industry that make managing cyber risk challenging and explores why a connected strategy to address cyber risk is more effectual. It also provides 10 key steps that you can use to shift from a conventional approach to a connected cyber risk strategy.
Unique Complexities in Managing Cyber Risk
The cyber risk landscape of the energy industry can be best described as a multi-threat environment with geographically dispersed targets. Protecting this landscape requires a deep dive into the multitude of unique challenges and vulnerabilities which in turn increase the complexities involved in managing and mitigating cyber risk. Here are the top challenges:
Diverse Threat Landscape
The number of threats and actors targeting the energy industry is diverse and can come from nation-state actors, cybercriminals, hacktivists and even internal threats. Nation-state actors may seek to cause security and economic dislocation by targeting critical infrastructure such as utilities. Cybercriminals usually target for financial gain, such as by stealing sensitive data or disrupting operations. Hacktivists, on the other hand, would wish to publicly register their opposition to the company's projects or broad agendas. Internal threats, such as human error, disgruntled employees, or contractors, is also an important risk that cannot be ignored.
Expansive Attack Surface
The geographic and organizational complexity of the energy industry, as well as the increasing use of interconnected systems has widened the attack surface leading to vulnerability across the entire value chain. For example, in energy utilities threats can manifest at various points, from generation to transmission to distribution. Particularly concerning are attacks on Industrial Control Systems (ICS) and third-party entities within the power sector supply chain.
Interdependencies Between Physical and Cyber Infrastructure
With heavy reliance on Internet of Things (IoT) technologies that aid operations, the energy industry has unique interdependencies between their physical and cyber infrastructure. This creates opportunities for malicious actors to orchestrate disruptive events. For instance, billing fraud involving wireless smart meters or the commandeering of OT systems to halt multiple wind turbines can have severe economic and physical implications.
Internal Concerns
The industry faces a number of challenges in maintaining good internal cyber hygiene including:
- A large number of interconnected systems, which makes it difficult to track and manage all of the cyber risks.
- A decentralized approach to cyber risk and cybersecurity leadership within the organization, with responsibility for different aspects of security being spread across different departments.
- A siloed approach to third-party cyber risk with responsibility shared across a complex network of partners, each with its own security responsibilities and priorities.
- A cyber talent crunch being faced across the sector making it difficult for utilities to find and hire qualified cybersecurity professionals.
Regulatory Compliance Across Global Operating Environments
Most energy companies operate in global industrial operating environments, subject to varying regulatory requirements and standards. Ensuring compliance with these regulations while managing cyber risks across diverse operational landscapes poses a significant challenge. Navigating regulatory frameworks demands dedicated resources and expertise to protect critical infrastructure effectively.
Rapid Cloud Adoption
The adoption of cloud services in the energy sector is on the rise. According to a recent Deloitte report, 83% of energy and utility companies either use cloud services or want to do so within the next two years. While the use of cloud services provides the industry with the flexibility to grow and scale easily, it can also introduce new cyber risks such as data breaches leading to loss of consumer trust and reputational damage.
10 Key Steps to Connected Cyber Risk Management
With the increasing interconnectedness of critical infrastructure bringing on new and unique challenges, a conventional and siloed approach will only result in a reactive and decreased speed to detection and response. The energy industry requires a shift from traditionally used approaches to a connected strategy to effectively manage cyber risk. Here are 10 key steps to get started:
- Asset Identification and Prioritization The first step in a connected approach to cyber risk management is identifying and mapping assets along with their connections. By prioritizing assets based on their criticality, organizations can focus their efforts and resources on protecting the most crucial components of their infrastructure.
- Vulnerability Assessmen: It is crucial to determine if critical assets and networks have well-known and exploitable vulnerabilities. Conducting regular vulnerability assessments helps identify potential weaknesses in the system and enables organizations to proactively address them to mitigate the risk of cyberattacks.
- Controls Environment Maturity Assessing the maturity of the controls environment is essential for effectively managing threats. By evaluating the effectiveness of existing controls and identifying gaps, organizations can strengthen their defenses and ensure a proactive approach to cyber risk management.
- Secure, Vigilant, and Resilient Frameworks Building a framework that is secure, vigilant, and resilient is paramount. This includes implementing robust security measures, maintaining continuous monitoring capabilities, and establishing incident response plans to effectively detect, respond to, and recover from cyber incidents. In the US, the National Cybersecurity Centre of Excellence (NCCoE) provides updated guidance and example solutions to help the energy sector protect the complex IT and OT systems. The Electricity Subsector Cybersecurity Capability Maturity Model (C2M2) developed by the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), provides guidelines to prioritize and improve cybersecurity activities.
- Cloud Controls Monitoring As energy companies increasingly leverage cloud services, continuous monitoring of controls on the cloud becomes crucial. Implementing advanced monitoring and threat detection tools ensures that potential risks and vulnerabilities in cloud environments are promptly identified and addressed.
- Supply Chain Cyber Risk Management Managing cyber risk in the supply chain is vital for protecting critical infrastructure. From the onboarding process to ongoing assessments, organizations must establish rigorous cybersecurity measures to ensure that third-party suppliers and vendors do not introduce vulnerabilities that could be exploited by malicious actors.
- Cyber Risk Quantification By quantifying cyber risks, the energy industry can gain a clear understanding of the potential financial and operational impact of cyber threats, enabling informed decision-making and resource allocation for risk mitigation. It also facilitates effective communication with stakeholders, including regulators, investors, and insurance providers, by providing quantifiable metrics.
- Regulatory Compliance and Certification Complying with industry regulations and certifications is a crucial aspect of cyber risk management in the energy sector. The North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (NERC-CIP) requirements, NERC’s GridEx exercise or the EIS Council’s transnational EarthEx exercise, the International Society for Automation and the International Electrotechnical Commission's IEC-62443 series, and the upcoming EU cybersecurity certification frameworks (currently being framed) are some of the essential guidelines and requirements for organizations in the sector.
- Information Sharing and Collaboration Engaging with peers and participating in Information Sharing and Analysis Centers (ISACs), such as the E-ISAC managed by NERC, facilitates collective knowledge sharing and collaboration. The Cybersecurity Risk Information Sharing Program (CRISP) is one such program that is co-funded by DOE and the industry and managed by E-ISAC that facilitates the sharing of timely bi-directional threat information. By actively participating in these forums, organizations can gain valuable insights, stay updated on emerging threats, and collectively enhance their cyber resilience.
- Adoption of Advanced Technologies Embracing new technologies can significantly enhance cyber risk management capabilities. For example, leveraging AI, analytics and visualization tools allows organizations to audit their cyber risk profiles in real-time, enabling proactive identification of anomalies and potential threats.
Build Cyber Resilience with MetricStream
To combat the unique challenges, energy and utility companies need a robust cyber risk program that leverages technologies such as AI and automation which can process and analyze large amounts of data. Additionally, Continuous Control Monitoring (CCM) and automation are essential because of the ability to work all the time and identify and flag anomalies.
MetricStream’s ConnectedGRC provides energy and utility companies with an integrated solution on a single platform. Purpose-built to manage, measure, and monitor cyber risk and compliance demands for the energy industry in real-time, the platform is powered by AI, enabling the capture, assessment, and processing of diverse, complex, and voluminous risk and data at scale across your entire organization.
This enables you to:
- Gain a single view of your risks with a centralized library of risks, controls, regulations, policies, and issue management to drive risk intelligence and actionability.
- Actively monitor and adapt to applicable regulatory changes from around the world.
- Map policies to regulations, and ensure employee and third-party attestation.
Proactively manage cyber risk and build cyber resilience with MetricStream CyberGRC by:
Want to learn more about how MetricStream can help your company build resilience by leveraging award-winning AI, analytics, and automation technologies? Request a demo now.
Although two years have passed since the Colonial Pipeline attack, it serves as a stark reminder of the devastating impact a cyberattack can have on the energy supply chain. It left millions of citizens without access to fuel, incurred substantial costs for containment and recovery, and inflicted long-term damage to the company's reputation.
What’s important to note is that this incident is not an isolated occurrence. The industry has been dealing with increasing cyber risk—from the growing number of cyberattacks to the multiple vulnerabilities related to their IT systems, operational technology (OT) infrastructure, and supply chain partners. Of the 45 cybersecurity incidents that have targeted the energy industry since 2017, 13 of them had taken place by July 2022, the highest annual level over the last six years. The primary targets of these cyber threats were oil assets and infrastructure, accounting for one-third of all incidents followed closely by electricity networks, with over a quarter of the recorded cyberattacks.
Given the crucial role of energy in the economy, attacks from nation-state attacks are also of increasing concern. 21 natural energy companies in the U.S. were targeted by supposed Russian hackers a few weeks before the Ukraine attacks. The threat of cyberattacks also extends beyond operational disruptions and supply chain interruptions. The Delta-Montrose Electric Association (DMEA), a Colorado energy company in the US, fell prey to malicious cyber ware in January 2023, which forced the shutdown of 90% of its internal controls. Tragically, this incident wiped out 25 years of crucial historical data, underscoring the potentially irreversible consequences of cyber threats.
The energy industry is critical to a functioning society and is foundational to the growth of global economies. Almost every business decision made is dependent on the thousands of companies that produce electricity, coal, oil, natural gas, nuclear power, and renewable fuels such as geothermal, hydropower, solar, and wind. Understanding the unique challenges and necessitating the proactive and comprehensive measures to protect the energy industry and the communities it serves is of utmost importance.
This eBook dives deep into the unique complexities faced by the industry that make managing cyber risk challenging and explores why a connected strategy to address cyber risk is more effectual. It also provides 10 key steps that you can use to shift from a conventional approach to a connected cyber risk strategy.
The cyber risk landscape of the energy industry can be best described as a multi-threat environment with geographically dispersed targets. Protecting this landscape requires a deep dive into the multitude of unique challenges and vulnerabilities which in turn increase the complexities involved in managing and mitigating cyber risk. Here are the top challenges:
Diverse Threat Landscape
The number of threats and actors targeting the energy industry is diverse and can come from nation-state actors, cybercriminals, hacktivists and even internal threats. Nation-state actors may seek to cause security and economic dislocation by targeting critical infrastructure such as utilities. Cybercriminals usually target for financial gain, such as by stealing sensitive data or disrupting operations. Hacktivists, on the other hand, would wish to publicly register their opposition to the company's projects or broad agendas. Internal threats, such as human error, disgruntled employees, or contractors, is also an important risk that cannot be ignored.
Expansive Attack Surface
The geographic and organizational complexity of the energy industry, as well as the increasing use of interconnected systems has widened the attack surface leading to vulnerability across the entire value chain. For example, in energy utilities threats can manifest at various points, from generation to transmission to distribution. Particularly concerning are attacks on Industrial Control Systems (ICS) and third-party entities within the power sector supply chain.
Interdependencies Between Physical and Cyber Infrastructure
With heavy reliance on Internet of Things (IoT) technologies that aid operations, the energy industry has unique interdependencies between their physical and cyber infrastructure. This creates opportunities for malicious actors to orchestrate disruptive events. For instance, billing fraud involving wireless smart meters or the commandeering of OT systems to halt multiple wind turbines can have severe economic and physical implications.
Internal Concerns
The industry faces a number of challenges in maintaining good internal cyber hygiene including:
- A large number of interconnected systems, which makes it difficult to track and manage all of the cyber risks.
- A decentralized approach to cyber risk and cybersecurity leadership within the organization, with responsibility for different aspects of security being spread across different departments.
- A siloed approach to third-party cyber risk with responsibility shared across a complex network of partners, each with its own security responsibilities and priorities.
- A cyber talent crunch being faced across the sector making it difficult for utilities to find and hire qualified cybersecurity professionals.
Regulatory Compliance Across Global Operating Environments
Most energy companies operate in global industrial operating environments, subject to varying regulatory requirements and standards. Ensuring compliance with these regulations while managing cyber risks across diverse operational landscapes poses a significant challenge. Navigating regulatory frameworks demands dedicated resources and expertise to protect critical infrastructure effectively.
Rapid Cloud Adoption
The adoption of cloud services in the energy sector is on the rise. According to a recent Deloitte report, 83% of energy and utility companies either use cloud services or want to do so within the next two years. While the use of cloud services provides the industry with the flexibility to grow and scale easily, it can also introduce new cyber risks such as data breaches leading to loss of consumer trust and reputational damage.
With the increasing interconnectedness of critical infrastructure bringing on new and unique challenges, a conventional and siloed approach will only result in a reactive and decreased speed to detection and response. The energy industry requires a shift from traditionally used approaches to a connected strategy to effectively manage cyber risk. Here are 10 key steps to get started:
- Asset Identification and Prioritization The first step in a connected approach to cyber risk management is identifying and mapping assets along with their connections. By prioritizing assets based on their criticality, organizations can focus their efforts and resources on protecting the most crucial components of their infrastructure.
- Vulnerability Assessmen: It is crucial to determine if critical assets and networks have well-known and exploitable vulnerabilities. Conducting regular vulnerability assessments helps identify potential weaknesses in the system and enables organizations to proactively address them to mitigate the risk of cyberattacks.
- Controls Environment Maturity Assessing the maturity of the controls environment is essential for effectively managing threats. By evaluating the effectiveness of existing controls and identifying gaps, organizations can strengthen their defenses and ensure a proactive approach to cyber risk management.
- Secure, Vigilant, and Resilient Frameworks Building a framework that is secure, vigilant, and resilient is paramount. This includes implementing robust security measures, maintaining continuous monitoring capabilities, and establishing incident response plans to effectively detect, respond to, and recover from cyber incidents. In the US, the National Cybersecurity Centre of Excellence (NCCoE) provides updated guidance and example solutions to help the energy sector protect the complex IT and OT systems. The Electricity Subsector Cybersecurity Capability Maturity Model (C2M2) developed by the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), provides guidelines to prioritize and improve cybersecurity activities.
- Cloud Controls Monitoring As energy companies increasingly leverage cloud services, continuous monitoring of controls on the cloud becomes crucial. Implementing advanced monitoring and threat detection tools ensures that potential risks and vulnerabilities in cloud environments are promptly identified and addressed.
- Supply Chain Cyber Risk Management Managing cyber risk in the supply chain is vital for protecting critical infrastructure. From the onboarding process to ongoing assessments, organizations must establish rigorous cybersecurity measures to ensure that third-party suppliers and vendors do not introduce vulnerabilities that could be exploited by malicious actors.
- Cyber Risk Quantification By quantifying cyber risks, the energy industry can gain a clear understanding of the potential financial and operational impact of cyber threats, enabling informed decision-making and resource allocation for risk mitigation. It also facilitates effective communication with stakeholders, including regulators, investors, and insurance providers, by providing quantifiable metrics.
- Regulatory Compliance and Certification Complying with industry regulations and certifications is a crucial aspect of cyber risk management in the energy sector. The North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (NERC-CIP) requirements, NERC’s GridEx exercise or the EIS Council’s transnational EarthEx exercise, the International Society for Automation and the International Electrotechnical Commission's IEC-62443 series, and the upcoming EU cybersecurity certification frameworks (currently being framed) are some of the essential guidelines and requirements for organizations in the sector.
- Information Sharing and Collaboration Engaging with peers and participating in Information Sharing and Analysis Centers (ISACs), such as the E-ISAC managed by NERC, facilitates collective knowledge sharing and collaboration. The Cybersecurity Risk Information Sharing Program (CRISP) is one such program that is co-funded by DOE and the industry and managed by E-ISAC that facilitates the sharing of timely bi-directional threat information. By actively participating in these forums, organizations can gain valuable insights, stay updated on emerging threats, and collectively enhance their cyber resilience.
- Adoption of Advanced Technologies Embracing new technologies can significantly enhance cyber risk management capabilities. For example, leveraging AI, analytics and visualization tools allows organizations to audit their cyber risk profiles in real-time, enabling proactive identification of anomalies and potential threats.
To combat the unique challenges, energy and utility companies need a robust cyber risk program that leverages technologies such as AI and automation which can process and analyze large amounts of data. Additionally, Continuous Control Monitoring (CCM) and automation are essential because of the ability to work all the time and identify and flag anomalies.
MetricStream’s ConnectedGRC provides energy and utility companies with an integrated solution on a single platform. Purpose-built to manage, measure, and monitor cyber risk and compliance demands for the energy industry in real-time, the platform is powered by AI, enabling the capture, assessment, and processing of diverse, complex, and voluminous risk and data at scale across your entire organization.
This enables you to:
- Gain a single view of your risks with a centralized library of risks, controls, regulations, policies, and issue management to drive risk intelligence and actionability.
- Actively monitor and adapt to applicable regulatory changes from around the world.
- Map policies to regulations, and ensure employee and third-party attestation.
Proactively manage cyber risk and build cyber resilience with MetricStream CyberGRC by:
Want to learn more about how MetricStream can help your company build resilience by leveraging award-winning AI, analytics, and automation technologies? Request a demo now.
