Madison Horn of Siemens Energy and Padraic O’Reilly of CyberSaint say that U.S. energy companies and the federal government are both working actively to shore up defenses and share information
Assessments of the U.S. energy sector’s safeguards against cyberthreats in the OT and IT space often strike a gloomy (if not downright alarmist) note, especially in the wake of the SolarWinds attack. But there is cause for optimism, according to Madison Horn, Global Cyber Portfolio Lead for Industrial Cyber & Digital Security at Siemens Energy, and Padraic O’Reilly, the co-founder and Chief Product Officer of CyberSaint. These high-profile analysts said at a webinar on March 17 that U.S. energy companies and the federal government were both working actively and collaboratively to strengthen cybersecurity defenses and share information.
Responding to the twin pressures of regulation and deregulation
At the webinar, which was sponsored by BrightTALK, both speakers talked up the energy industry’s approach to cybersecurity solutions for OT systems.
O’Reilly, for example, said that CyberSaint’s customers in the energy sector were not struggling to play catch-up on this front. “It’s really heartening that when we talk to energy companies, they’re so forward-looking and they embrace new technologies. I would say some of the most agile security teams we’ve encountered are in energy,” he said.
He attributed this agility to the twin pressures of regulation in the name of protecting consumers and maximizing safety and deregulation in the name of promoting competition. Because energy companies must work closely with government agencies, he explained, they have incentives “to be adaptive and … to think of new solutions,” he said.
“I find that they’re very responsive. I’m watching it right now with some of our largest customers. They’re doing it right now. They’re migrating to the cloud in a secure way. They’re doing it in a disciplined way. The risk teams inside energy companies are getting everyone around the table … They’re consolidating the processes, and there’s a real drive inside these energy companies to be adaptive and forward-looking.”
A risk-based approach for long-lasting physical assets
Horn, for her part, said energy companies had good reasons to shore up their defenses and take a risk-based approach. On the one hand, she noted, U.S. energy companies are aware that the stakes are high. “It seriously can be life or death or turning off a city. The risk is just so much greater because there is a potential for loss of life,” she said. “They’ve had to take this into consideration, and the word that we keep using about [them is] ‘methodical.’”
She also pointed out that energy companies have no choice but to engage in long-term thinking about cybersecurity defenses for their OT systems. Because generation, transmission and distribution assets are designed to last for decades, she noted, their operators must anticipate and prepare for the change in the regulatory regimes, evolution in energy markets, and the emergence of new cyber threats.
“There’s a lot of this forward-thinking within the energy space because they can’t just think about today,” she explained. “They really do have to think about the evolution of the way these plants are going to grow and how they’re going to service larger and growing cities, smaller rural areas, [and] areas that are working on renewables and how that’s going to feed back into the grid.”
DHS and CISA demonstrating agility, willingness to collaborate with industry
O’Reilly also spoke highly about the U.S. federal government’s approach to cybersecurity in this critical industry, saying that Washington was working collaboratively with energy companies to strengthen defenses and share information.
In response to a question from Industrial Cyber about whether Washington was agile enough to work with energy providers and other infrastructure operators in ways that allowed for real-time threat monitoring and response, he praised the work done by the Department of Homeland Security (DHS). He indicated that the collaborative efforts led by one of the department’s divisions, the Cybersecurity and Infrastructure Security Agency (CISA), had been particularly helpful.
“I would say through DHS, they’re doing that now,” he said. “You can join those programs, and you can be part of all of that, and there is a lot of information-sharing that goes on right now in critical infrastructure … I know DHS is very helpful with monitoring nation-state activity and helping critical infrastructure at the moment.”
CyberSaint has already taken advantage of programs that allow for more information-sharing and collaboration with government agencies, he added. “[We] get a lot of the stuff we use in cyber from the federal government,” he stated.
He also noted, though, that the federal government faced its own constraints, including security considerations and the ongoing use of outdated systems. “In a weird way, I think they’re super-agile and super-collaborative. In another way, they have some of the problems that we all have in various sectors,” he said. “For example, when I talk to the agencies, they might be stuck with legacy products that just aren’t doing the job for them anymore. There’s a paradox of sorts here. There are problems of scale, and then there are problems of information asymmetries and wanting to hold on to certain information because it might be dangerous to release it.”