Cybersecurity’s constant evolution to ward off threats keeps companies on their toes — but a focus on people, technology and process can help with awareness and minimize the threat landscape.

During the Cybersecurity in Energy session on March 6 at CERAWeek by S&P Global, industry experts said there are more potential entry points for attack than ever. Attackers often go after the softest targets, which means the network is only as safe as its weakest link. And artificial intelligence (AI) will drive more evolution in the cybersecurity universe.

Nathalie Marcotte, senior vice president and president of process automation at Schneider Electric, said companies are digitizing to gain more visibility of their data and increase operational efficiencies. Digitization means potentially exposing that information to hackers.

“You cannot digitize and then have a shaky backbone on cybersecurity,” she said. Cybersecurity “goes hand in hand in the digital transformation journey they’re taking.”

With hacks now commonplace — on Feb. 28 the U.S. Marshals Service fell victim to a cyberattack — people are also much more aware of the need for cybersecurity now than they have been, she said.

“15 years ago, we had to tell our clients, ‘you are under attack.’ You don't have to have this conversation. Nowadays people are aware that they're at risk,” Marcotte said.

The key elements to focus on when it comes to cybersecurity are “the people, the technology and the process,” she said. “Good process, good training of your talent and (let the) more technical people deal with the technology, but between the three you can address it.”

Anton Dahbura, executive director of the Information Security Institute at Johns Hopkins University, said companies need to have better cultures that are security-aware from leadership down.

Cybersecurity awareness evolves

For a time, companies didn’t know to ask for cybersecurity, Juan Torres, associate laboratory director for energy systems integration at National Renewable Energy Laboratory (NREL), said.

Around the turn of the millennium, when NREL asked utilities why they were not requesting cybersecurity in their systems, “they said, ‘well, the vendors aren’t providing it,’” he said. When NREL asked vendors why they weren’t adding more security into their products, “they said, ‘well the customers aren’t asking for it.’”

NREL re-approached the utilities, saying, “Now these vendors are telling us they're not putting this in because you're not asking for it. Why aren’t you asking for it?” Torres said. “And they said, ‘Because we don’t know how.’ That’s what it came down to. It was really eye-opening.”

It is costly for the utilities to retrofit security, he said, so it’s better to include it from the outset.

“You have to start early. Adding security after the fact is always more expensive, and it's always a bigger challenge,” Torres said. “The earlier you can get into the design concepts, the strategies for these systems, then the better they are.”

More risk ahead

One of the big concerns is the vast number of potential entry points for a cyberattacker, Torres said.

In the energy industry, sensors and devices are increasingly prevalent and closer to the consumer than they have been in the past, he said.

“There are entry points potentially everywhere, not just on the IT side. Look at the supply chain as well, where are we getting any electronic components, any computer network components and all the software,” Torres said. “They're all dealing with the same issues on the IT and OT side.”

As a result, it’s necessary to incorporate that into the understanding, management and protection of infrastructure, he said. In the end, the network is only as strong as the weakest component.

Dahbura said attackers tend to focus on easier targets, so he worries about mid-size and small organizations.

“Everybody's linked together, and the bad guys just go for the softest targets,” he said. “The mid-size companies, small-size companies, they're sitting ducks right now.”

Many attacks are ransomware-based.

“Ransomware is a brutal brute force attack,” Dahbura said. “I believe that there are technological solutions to it. It should be a thing of the past.”

His group recently applied for a patent on such a technology, he added.

What worries Dahbura more is the unknowns in cybersecurity associated with AI.

“We have no idea how to make AI secure yet. We don't even know what the threats are, but we know there are significant threats,” he said.