Companies need both a good cybersecurity defense system and a playbook for what to do during an attack, according to cybersecurity experts.

As the upstream energy industry becomes increasingly connected through information technology (IT), operational technology (OT) and the Internet of Things (IoT), the number of entry points into a system increases. There are several challenges to planning an effective cybersecurity strategy, and companies must understand their vulnerabilities and the potential damage a successful attack could wreak, as well as have a trained plan for how to respond, experts said during the AWS Energy Symposium on May 5.

Ben Miller, VP of Service and R&D at Dragos, said the threat landscape in cybersecurity is only increasing. The proliferation of connections for OT equipment is one reason, he said.

“You can’t get less connected, that’s just not happening,” he said.

And all of those connections are potential entry points for a cyberattack, he said.

“No adversary is out there saying, ‘I’m not going to attack OT systems,’” Miller added.

Many attackers are now focusing on stealth operations, “moving as quietly as possible in these environments to stay there for a long time,” he said.

Leo Simonovich, global head, industrial cyber and digital security at Siemens Energy, said the company asked people who were responsible for OT about their experiences with cyber threats.

“What we found was really disturbing,” he said. “Most are experiencing at least one major event per year” that’s causing problems, and some are experiencing even more each year.

The points of entry are increasing, and cyberattack strategies are evolving, but there are additional challenges the energy industry faces when it comes to securing its assets and networks.

Miller said there can be limited data collection or analysis of that data, partly because coordination between internal teams can be lacking. That lack of coordination and sharing of information inside organizations can lead to attempts to defend a system in isolation, he said. Finally, if existing information isn’t shared quickly, it can mean a company doesn’t have sufficient time to plan a defense or response, he said.

Simonovich highlighted some other reasons that it can be difficult to secure a network or asset in a “hyperconnected digital space.”

First, there can be a problem with visibility, he said.

“Visibility is the most overused word in cybersecurity,” he said. “But it’s still important.”

That’s because if a company doesn’t know how exposed the network or asset is, it’s hard to protect it, he said. And it’s necessary to identify those vulnerabilities that, if exploited, could have “real-world consequences,” he added.

He cited other factors that make cybersecurity more challenging, such as the existence of brownfield legacy assets. If they’ve been under-maintained for a while, securing those assets can be difficult, especially if they are being connected at an accelerated pace, he said.

At the same time, he said, “the traditional boundaries between OT and IT are beginning to blur.”

A new approach is necessary, Simonovich said.

“Traditional IT approaches have not worked,” he said. “It’s not a technology problem. It’s a strategy problem.”

Miller said a world-class cybersecurity program needs five elements: a defensible architecture, monitoring of the industrial control systems (ICS) network, remote access authentication, vulnerability management programs, and a disaster recovery plan.

And Simonovich emphasized that companies need to know how to respond, and to train that response. The playbook should guide the company to take a proportionate response to an attack, ranging from mitigating efforts on up to “pulling the plug” as a last resort, Simonovich said.

“You can automate it and simplify it, but you cannot avoid training it,” he said.

While digital controls are enabling a system that’s in flux to operate more efficiently, it’s disrupting companies who are trying to make sense of the digital transformation, he said.

The companies that win, he said, “will have to become more digital and embrace cybersecurity as a core competitive advantage.”