Convergence & Digitalisation Create Problems For Energy Utilities

The convergence of previously separate sectors around renewable smart grids is creating an expansive energy value chain with widely divergent cyber security practices and vulnerabilities, eroding organisational control over energy security.

A failure to consolidate cyber security practices and policies across this new, diverse value chain could result in cyber attacks that cause operators severe financial and reputational damage. Fear of cyber attacks has already been found to affect consumer take-up of smart meters, and poor security could hamper the success and adoption of smart grids.

The scale of the threat is demonstrated by a recent rise in ransomware attacks targeting energy networks, from pipelines to power grids.

Weak Links In The Energy Value Chain

Smart grids are driving the convergence of the energy and technology sectors to create efficient, flexible grids that balance supply and demand based on live data. This renders energy grids dependent on the security practices of a wide variety of third-party technology companies, from cloud providers to smart infrastructure suppliers.

The result is that responsibility for grid security is increasingly dispersed among a wider array of organisations than ever before.

Any infrastructure is only as secure as the weakest link in its supply chain, and this ever-expanding green energy ecosystem creates a bigger patchwork of cyber security vulnerabilities. Many of these suppliers now need continued access to their customers' energy networks to perform remote maintenance and monitoring of energy assets; each such connection is a standing remote entry point that must be secured. And new energy infrastructure often interfaces with legacy operational technology that was never designed to be network-connected.

If the old, centralised energy grids resembled large walled castles with just a few gateways, the current energy system more closely resembles a multitude of mini castles with many intricate interconnections between them.

Edge Devices Create A Porous Perimeter

Edge devices range from smart appliances in the home to sensors on grid infrastructure. They are made by an array of technology suppliers with varying standards of security, creating a diverse and distributed set of potential attack vectors.

This is further compounded by the fact that some manufacturers are sacrificing security for speed to market and rushing out new smart appliances with limited security features. As energy security can no longer be centrally controlled, we now require new security frameworks to inform and incentivise best practice across an increasingly decentralised, disparate value chain.

The Need For A Holistic Security Framework

Without direct control over energy security, grid operators must use cyber security frameworks to assess business risk across all cyber, digital and data projects and to enforce best practice among all partners and suppliers. These frameworks should be based on best-practice standards such as IEC 62443, the standard series for the security of industrial automation and control systems, which sets out distinct requirements for product suppliers, system integrators and asset owners and so maps directly onto a multi-party value chain.

Cyber security should be baked into procurement and partnership programmes from the outset so that all potential suppliers and partners are carefully vetted for compliance with security standards. Imposing cyber frameworks on Tier 1 suppliers would create a cascade of best-practice cyber security as each tier of suppliers enforces the same standards on lower tiers. This flow-down only works if each tier's compliance is verified rather than assumed, for example through audit rights, certification evidence or attestations written into the contract.

New digital or data projects should not be introduced in silos without considering their potential impact on risk across the organisation. All digital, data and cyber projects should instead be interconnected from the start so that security is baked in at the design stage and risks can be continuously assessed as new technologies are added. For example, reports have found that some electricity generation is vulnerable to ransomware attacks because clean energy infrastructure was designed without security in mind. Cyber risk assessments cannot be a one-off exercise at the implementation stage; they must be monitored and managed across the lifecycle of all energy assets.

Rather than focusing narrowly on cyber risks, organisations should also get an integrated overview of business risk across all digital and data projects so that diverse digital ecosystems can be monitored and managed as a single ‘system of systems’. 

Organisations also need to manage all third-party remote monitoring and maintenance of energy infrastructure with strict access controls: user identities must be verified (with multi-factor authentication rather than shared vendor credentials), permissions must be scoped to the assets a supplier is contracted to service, and sessions should be time-limited and tied to a maintenance ticket rather than left as standing access. Any service provider with responsibility for energy data or remote access to infrastructure must be strictly vetted against a checklist of criteria, and re-vetted periodically.

The widening array of edge devices, from mobile apps to smart meters, opens new vulnerabilities in energy systems. All suppliers must therefore be thoroughly vetted to ensure they conduct continuous monitoring and patching of their devices throughout the device lifecycle, and the operator should track whether that patching actually happens rather than take it on trust.
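The two requirements above (identity-verified, scoped, time-limited remote access for suppliers, and supplier vetting that includes evidence of ongoing patching) can be enforced at the point where a vendor asks to open a session. The following is an added example, not code from the article or from Enzen: a minimal access-broker decision function that checks a remote maintenance request against a supplier vetting register and a device inventory. Supplier names, asset identifiers, the checklist fields, the four-hour session cap and the dates are all hypothetical values constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example, not code from the article or from Enzen. Supplier names,
# asset identifiers, checklist fields and the session cap are hypothetical.

MAX_SESSION = timedelta(hours=4)   # assumed policy: no standing remote access


@dataclass
class Supplier:
    """Vetting record for a third party with remote access to grid assets."""
    name: str
    checklist_passed: bool          # vetting checklist (e.g. IEC 62443 alignment, incident reporting)
    vetted_until: datetime          # vetting must be repeated; access lapses with it
    patch_sla_days: int             # contractual maximum firmware age on devices it maintains
    assets: set[str] = field(default_factory=set)   # assets it is contracted to service


@dataclass
class Device:
    asset_id: str
    supplier: str                   # supplier responsible for maintaining it
    last_patched: datetime


@dataclass
class AccessRequest:
    user: str
    supplier: str
    asset_id: str
    mfa_verified: bool              # identity verified with a second factor
    ticket: str                     # maintenance/change ticket justifying the session
    duration: timedelta


def authorize(req: AccessRequest, suppliers: dict[str, Supplier],
              devices: dict[str, Device], now: datetime) -> tuple[bool, list[str], list[str]]:
    """Return (allowed, denial_reasons, compliance_warnings).

    Denials block the session. Warnings are non-blocking findings for supplier
    management: a supplier that has missed its patch SLA still needs access to
    apply the patch, but the lapse must be recorded against its vetting record.
    """
    denials: list[str] = []
    warnings: list[str] = []

    sup = suppliers.get(req.supplier)
    if sup is None:
        return False, ["supplier not in approved registry"], warnings
    if not sup.checklist_passed:
        denials.append("supplier has not passed the vetting checklist")
    if sup.vetted_until <= now:
        denials.append("supplier vetting has expired")
    if not req.mfa_verified:
        denials.append("user identity not verified with MFA")
    if not req.ticket:
        denials.append("no maintenance ticket referenced")
    if req.duration > MAX_SESSION:
        denials.append(f"requested session exceeds {MAX_SESSION}")
    if req.asset_id not in sup.assets:
        denials.append("asset is outside the supplier's contracted scope")

    dev = devices.get(req.asset_id)
    if dev is None:
        denials.append("asset not in inventory")
    elif dev.supplier == req.supplier and (now - dev.last_patched).days > sup.patch_sla_days:
        age = (now - dev.last_patched).days
        warnings.append(f"{dev.asset_id} unpatched for {age} days, "
                        f"exceeding the {sup.patch_sla_days}-day SLA")

    return not denials, denials, warnings


# Constructed sample data (hypothetical suppliers, assets and dates).
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

SUPPLIERS = {
    "GridSense Ltd": Supplier("GridSense Ltd", True, NOW + timedelta(days=120), 90,
                              {"SUB-07-RTU-1", "SUB-07-RTU-2"}),
    "QuickMeter Inc": Supplier("QuickMeter Inc", False, NOW + timedelta(days=300), 30,
                               {"FEEDER-12-METER-GW"}),
}

DEVICES = {
    "SUB-07-RTU-1": Device("SUB-07-RTU-1", "GridSense Ltd", NOW - timedelta(days=20)),
    "SUB-07-RTU-2": Device("SUB-07-RTU-2", "GridSense Ltd", NOW - timedelta(days=200)),
    "FEEDER-12-METER-GW": Device("FEEDER-12-METER-GW", "QuickMeter Inc", NOW - timedelta(days=10)),
}

REQUESTS = [
    AccessRequest("a.engineer", "GridSense Ltd", "SUB-07-RTU-1", True, "CHG-4471", timedelta(hours=2)),
    AccessRequest("a.engineer", "GridSense Ltd", "SUB-07-RTU-2", True, "CHG-4472", timedelta(hours=2)),
    AccessRequest("b.engineer", "GridSense Ltd", "SUB-09-RTU-1", False, "", timedelta(hours=8)),
    AccessRequest("c.tech", "QuickMeter Inc", "FEEDER-12-METER-GW", True, "CHG-4480", timedelta(hours=1)),
]


if __name__ == "__main__":
    for r in REQUESTS:
        allowed, denials, warnings = authorize(r, SUPPLIERS, DEVICES, NOW)
        print(f"{r.user}@{r.supplier} -> {r.asset_id}: {'ALLOW' if allowed else 'DENY'}",
              denials, warnings)
```

The design point is that the decision is made centrally from two registers the operator owns (supplier vetting and device inventory) rather than from whatever the vendor's own tooling asserts, and that a missed patch SLA is surfaced as a finding on every session rather than silently allowed or hard-blocked, since the supplier usually needs the session precisely to apply the patch.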

Steven O’Sullivan is Head of Smart Cybersecurity at Enzen 
