The company’s recommendations are even more relevant, as COVID-19 casts a spotlight on the vulnerabilities of the global economy
Siemens Energy, a subsidiary of the German conglomerate Siemens, has joined the chorus of public- and private-sector organizations expressing concern about cybersecurity in the energy sector. What’s more, the company has not confined itself to fretting about the possible consequences of a cyberattack. Instead, it has developed a playbook to inform electricity providers about their options for formulating incident response (IR) strategies. On March 6, it released that playbook to the public.
The playbook bears the title “Simulating a Cyberattack on the Energy Industry: A Playbook for Incident Response.” It walks readers through a fictional (but hardly unrealistic) scenario involving an attempt to compromise the industrial control systems (ICS) of a power company that generates and distributes electricity in a large city preparing for an election.
Along the way, it identifies the issues that the utility faces during each phase of the incident and offers recommendations on how to set priorities in situations that are complex, fluid, and marked by uncertainty about which data points might be relevant. (It also does so in a visually appealing and straightforward manner, providing clear explanations for non-specialist readers.)
The energy sector’s vulnerability has been clear for some time
As noted above, Siemens Energy is hardly the first organization to address this matter.
In the U.S. alone, several government agencies have done so, with the Department of Homeland Security (DHS) speaking out in March 2018 and the Government Accountability Office (GAO) following suit in August 2019. Then in December 2018, the U.S. president’s National Infrastructure Advisory Council (NIAC), a division of DHS, issued its own report discussing the possible consequences of catastrophic failures in the energy sector.
Elsewhere, private-sector entities such as the U.S. IT giant Microsoft teamed up with Marsh, a UK-based risk consultancy, to poll energy executives about their cybersecurity concerns.
Siemens Energy’s unique perspective as an equipment manufacturer
Even against this backdrop, the playbook appears to be unique, in that it takes advantage of Siemens Energy’s position as a manufacturer of turbines and other equipment used in power plants. That is, it plays off the fact that the company designs and builds some of the operational technology (OT) that appears to be especially vulnerable to cyberattacks.
As a result, Siemens Energy is able to approach the problem from a slightly different point of view. It makes concrete recommendations for its customers – that is, for the organizations that use its products in the process of generating and distributing electric power. Additionally, it focuses on industrial and business entities, rather than talking about what government agencies and IT service providers can do.
This is a smart move on the company’s part. Siemens Energy’s parent group is preparing to spin it off later this year as part of a wider corporate restructuring campaign, and both parties stand to benefit if the playbook attracts attention.
How the coronavirus outbreak overlaps with cybersecurity considerations
But the company’s recommendations deserve attention for reasons that go beyond corporate strategizing.
As Siemens Energy offers this playbook to utilities, the COVID-19 (coronavirus) outbreak is casting a harsh light on the vulnerabilities of the interconnected systems that sustain the global economy – industrial supply chains, midstream oil and gas delivery routes, and air travel, to name just a few. These weaknesses exist independently of cybersecurity concerns, but there is a certain amount of overlap. Failures in the supply chain can prevent utilities from obtaining the hardware and software they need to keep their IT and OT systems secure. Public health emergencies can serve as a new hook for phishing and other scams.
Likewise, internet service providers (ISPs) will be under extra pressure to keep users connected, as social-distancing measures lead more employees to telecommute and more students to learn online. At the same time, they will also have to cope with a rise in the number of cyberattacks, since many of those working or learning remotely will be using machines that do not have the same protections as those used by businesses and schools.
Under these circumstances, power companies and other utilities would do well to address the underlying vulnerabilities identified in Siemens Energy’s playbook. If they do so, they will be able to marshal their resources to deal with other crises that may arise.