Siemens and the Ponemon Institute’s new report assesses the global energy industry’s ability to meet the growing industrial cyber threats to utilities and critical infrastructure connected to the electrical grid.
Cyber threats are presenting a greater risk to industrial companies’ Operational Technology (OT) than to their Information Technology environment, and this could be because utilities are concerned by the unique characteristics of OT, including a focus on availability, reliability and safety, a report said.
The cybersecurity-related report, which presented the findings of a survey by Siemens and the Ponemon Institute, dealt with the global energy industry’s ability to meet the growing threat of cyberattacks to utilities and critical infrastructure connected to the electrical grid.
Across the industry, 64 percent of respondents said sophisticated attacks are a top challenge, and 54 percent expected an attack on critical infrastructure in the next 12 months, the report added.
The survey, which found that utilities are concerned by the focus on availability, reliability and safety, also determined that 56 percent of people surveyed reported at least one shutdown or operational data loss per year. This could mean that operations were crippled due to outages, damage, injury or even environmental disasters.
The report, titled “Are Utilities Keeping Up with the Industrial Cyber Threat? Assessing the Operational Readiness of the Global Utilities Sector,” surveyed a range of utility professionals responsible for securing or overseeing Operational Technology (OT) assets. Research was conducted to gain a clearer picture of utilities’ existing capabilities, levels of preparedness, vulnerabilities, and strategic understanding of their OT cyber risk.
Put simply, the survey results showed that risk from cyberattacks is actually worsening, with potential for severe financial, environmental and infrastructure damage.
Readiness is uneven across the industry, and there are some common blind spots.
The report particularly highlighted the unique cybersecurity requirements for OT, and the importance of distinguishing between security for OT and security for Information Technology, as this remained a major challenge for many organizations across the industry.
“We found that the level of threat to Operational Technologies (OT) has indeed increased. Attacks now target energy infrastructure with growing severity. Successful attacks can cause shutdowns to critical product system, including safety systems. Meanwhile, many organizations report pain points in effectively aligning OT and Information Technologies (IT) cyber defences,” Leo Simonovich, Global Head Industrial Cyber and Digital Security, Siemens Gas and Power, said.
Industry leaders should check their organizations’ readiness and implement solutions that keep up with the proliferation of both new, connected technologies and existing assets operating in brownfield environments to help combat the increasing risks from industrial cyber threats.
Only 25 percent of survey respondents reported being impacted by mega attacks, with expertise developed by nation-state actors. Newer attacks showed greater skill in finding weakened entry points and are aimed at being destructive. Unfortunately, such attacks aren’t very expensive either, and many are cheaply built with easily available materials.
Surprisingly, it was also noted that insider threat represents the majority of attacks in OT. Understandably, smaller companies showed greater concern with their own ability to complete critical cybersecurity tasks. These organizations were also less confident in their ability to understand the operational implications of attacks and take action based on those alerts.
Like most other reports and surveys in the cybersecurity genre, respondents to this survey also said there was an industry-wide shortage of skilled employees to deal with cyber threats.
It remained concerning that respondents industry-wide indicated a critical human capital gap. People with appropriate skills are scarce – in every region around the world, more than half of respondents indicated their organization’s staffing level was not adequate to meet cybersecurity objectives in the OT environment.
“In general, addressing cyber security requires expertise from control engineers, security specialists and network specialists, often working together. Where these skills are lacking, organizations may be unable to correctly evaluate solutions offered by contractors, leading to incomplete protections and missed opportunities,” the report stated.
However, on the positive side, despite the human capital challenge identified in the survey, the industry overall is investing more resources into technology and compliance than into training or personnel. This investment pattern was even more pronounced for small organizations, where training was reported as less than 10 percent of available resources, and compliance took up more than 30 percent of resources. This is definitely a step in the right direction.