Security measures for energy production plants were formerly focused on the physical security of the plant, including considerations for the perimeter and reliable procedures. Years ago, cybersecurity was not considered so vital because energy production plants were based on SCADA systems that were closed off and ran on proprietary protocols. But are these systems still safe today?
The Stuxnet worm demonstrated in 2010 that even if a system is protected and cannot be accessed by external attackers, it can be hacked. This type of attachment at the programmable logic controller of the SCADA cannot likely be replicated for this peculiar case, though everyone remembers this event as a milestone. After 2010, the entire world was made aware that SCADA systems can be attacked and, thus, must be protected.
On the other hand, is it really true that SCADA systems are so closed that they cannot be accessed by external forces? The reality is that SCADA systems originally used proprietary interfaces that were not always very user-friendly. In order to improve the user experience, SCADA systems are now often interfaced with a standard user’s interface. Also, in order to reduce the costs of management, standard marketplace protocols are used. Therefore, SCADA systems may be closed, but they are based on elements that can be affected by cybercrime.
Grid introduction in the production of energy and the usage of digital metering systems for an intelligent utilization of the energy implies that the production plant cannot be included within a perimeter.
Industrial processes are now strongly based on IT. To create a problem for an enterprise focused on producing energy, it is not necessary to compromise the SCADA systems, but it could be enough to attack the customer relationship management system. In fact, how many days could an enterprise survive without receiving money from clients or without paying providers and employees?
Therefore, protecting an energy production plant is strongly connected to cybersecurity. There needs to be a holistic approach to protecting the enterprise. Rather than just focusing on protecting the infrastructure, data or application, all elements necessary to provide service should be protected.