Every industry has its own unique challenges related to information security. Financial services organizations bear the burden of preventing fraud. Manufacturing businesses have to protect their intellectual property and ensure that manufacturing processes remain resilient to attack. Meanwhile, health care organizations must keep sensitive personal information away from prying eyes.

Filling Glaring Security Gaps in the Energy Industry

The energy industry is doubly vulnerable to the challenges of maintaining a good information security program. From local electric membership corporations (EMCs) to national energy conglomerates and all the related entities in between, energy companies must keep sensitive information in check while ensuring that supervisory control and data acquisition (SCADA) and related systems are not attacked and taken down. A breach of electricity, natural gas or related resources can introduce a whole different set of challenges that can have a tremendous and very personal impact on a large group of people.

Having worked with various types of businesses in the energy and utility sector (from EMCs to local municipalities, larger utilities boards and power generation companies), I find it obvious that IT professionals have a responsibility to uphold the traditional pillars of confidentiality, integrity and availability, more so than in any other industry I’ve worked in.

Unlike many other industries, however, the resources at these energy organizations are often spread so thin that no single entity can take full charge of security. In fact, the security programs at these organizations are often some of the least mature out there. I frequently come across common low-hanging fruit such as:

  • Minimal security standards integrated into both systems and software development life cycles;
  • Inconsistent security testing or none at all, since some people don’t want to touch their critical systems and risk downtime;
  • Minimal security awareness and training efforts;
  • Dated operating systems and missing software patches on production networks, including critical geographic information systems environments and SCADA systems; and
  • Weak user account and password management, especially for service-related accounts on core business systems.

Empowering Security Leadership

There’s a lot of talk about cyber insurance in the energy industry, and rightly so. A good policy with broad coverage can certainly help lessen the impact of security events, but analysts at energy companies need more. Given what’s at stake, executives must dedicate more resources to information security-related initiatives in this sector. However, that doesn’t necessarily mean more money; bigger budgets sometimes enable companies to acquire products or services that do not truly fill business needs.

Instead, energy companies should hire better — or more — security leadership. Many organizations put system analysts, network administrators and chief information officers (CIOs) in charge of security, among dozens of other things. That’s a gaping hole waiting to be exploited. The same goes for more testing and analysis of security weaknesses. After all, you cannot secure what you don’t acknowledge or don’t know about.

Securing Moving Parts

There are, no doubt, outliers in the energy industry who have mastered security. Still, how long is it going to take before widespread energy sector attacks become commonplace, not unlike the breach that befell Ukraine’s power grid last year?

Sure, SCADA environments are generally well-secured. I have yet to come across one that was truly vulnerable to a real-world attack. But there are countless moving parts across the networks and information systems running this industry. While there are a lot of smart people working to improve security behind the scenes, they need better organization to get ahead of the enemies lurking in the shadows.
