Cybersecurity’s constant evolution to ward off threats keeps companies on their toes — but a focus on people, technology and process can help with awareness and minimize the threat landscape.
During the Cybersecurity in Energy session on March 6 at CERAWeek by S&P Global, industry experts said there are more potential entry points for attack than ever. Attackers often go after the softest targets, which means the network is only as safe as its weakest link. And artificial intelligence (AI) will drive more evolution in the cybersecurity universe.
Nathalie Marcotte, senior vice president and president of process automation at Schneider Electric, said companies are digitizing to gain more visibility of their data and increase operational efficiencies. Digitization means potentially exposing that information to hackers.
“You cannot digitize and then have a shaky backbone on cybersecurity,” she said. Cybersecurity “goes hand in hand in the digital transformation journey they’re taking.”
With hacks now commonplace — on Feb. 28 the U.S. Marshals Service fell victim to a cyberattack — people are also much more aware of the need for cybersecurity now than they have been, she said.
“15 years ago, we had to tell our clients, ‘you are under attack.’ You don't have to have this conversation. Nowadays people are aware that they're at risk,” Marcotte said.
The key elements to focus on when it comes to cybersecurity are “the people, the technology and the process,” she said. “Good process, good training of your talent and (let the) more technical people deal with the technology, but between the three you can address it.”
Anton Dahbura, executive director of the Information Security Institute at Johns Hopkins University, said companies need to have better cultures that are security-aware from leadership down.
Cybersecurity awareness evolves
For a time, companies didn’t know to ask for cybersecurity, said Juan Torres, associate laboratory director for energy systems integration at the National Renewable Energy Laboratory (NREL).
Around the turn of the millennium, when NREL asked utilities why they were not requesting cybersecurity in their systems, “they said, ‘well, the vendors aren’t providing it,’” he said. When NREL asked vendors why they weren’t adding more security into their products, “they said, ‘well the customers aren’t asking for it.’”
NREL re-approached the utilities, saying, “Now these vendors are telling us they're not putting this in because you're not asking for it. Why aren’t you asking for it?” Torres said. “And they said, ‘Because we don’t know how.’ That’s what it came down to. It was really eye-opening.”
It is costly for the utilities to retrofit security, he said, so it’s better to include it from the outset.
“You have to start early. Adding security after the fact is always more expensive, and it's always a bigger challenge,” Torres said. “The earlier you can get into the design concepts, the strategies for these systems, then the better they are.”
More risk ahead
One of the big concerns is the vast number of potential entry points for a cyberattacker, Torres said.
In the energy industry, sensors and devices are increasingly prevalent and closer to the consumer than they have been in the past, he said.
“There are entry points potentially everywhere, not just on the IT side. Look at the supply chain as well, where are we getting any electronic components, any computer network components and all the software,” Torres said. “They're all dealing with the same issues on the IT and OT side.”
As a result, it’s necessary to incorporate that into the understanding, management and protection of infrastructure, he said. In the end, the network is only as strong as the weakest component.
Dahbura said attackers tend to focus on easier targets, so he worries about mid-size and small organizations.
“Everybody's linked together, and the bad guys just go for the softest targets,” he said. “The mid-size companies, small-size companies, they're sitting ducks right now.”
Many attacks are ransomware-based.
“Ransomware is a brutal brute force attack,” Dahbura said. “I believe that there are technological solutions to it. It should be a thing of the past.”
His group recently applied for a patent on such a technology, he added.
What worries Dahbura more is the unknowns in cybersecurity associated with AI.
“We have no idea how to make AI secure yet. We don't even know what the threats are, but we know there are significant threats,” he said.