Cybersecurity experts are concerned that energy companies have not uniformly adapted to the volume and sophistication of threats to critical infrastructure, leaving the industry exposed to attacks.
While some enterprises, especially the larger ones, have tackled their cyber vulnerabilities, many small to medium companies need more protections on their systems, said Leo Simonovich, vice president of industrial cyber and digital security at the industrial conglomerate Siemens.
"Energy is the most attacked vertical of all critical infrastructure. It's increasingly connected, but at the same time, most companies are not ready to address this," Simonovich said during a panel discussion at the World Gas Conference in Washington, D.C.
The central challenge for the sector is to be able to improve visibility, he said, noting that companies often do not have a full grasp of what their vulnerabilities are. "We talk about these threats, and you can sort of throw up your hands and say: 'You know what? I don't know what to do about this.' And in fact, most of the operators have done that. There's not the confidence to address the fundamentals."
'The gas grid is particularly vulnerable'
Given the interconnected nature of gas pipelines, it is possible for a cyber breach to percolate through multiple systems, potentially even jumping across different kinds of systems, depending on the design of the threat and protections in place, Simonovich said. "You have to look at the interdependencies of the companies that are working together, and the gas grid is particularly vulnerable to this because it's distributed but it's also connected."
Information technology, which tends to include the office-based parts of a business, and operation technology, which encompasses much of the assets in the field, have increasingly converged in energy companies, especially in the midstream segment, Simonovich said. Describing this coalescence as a part of the "perfect storm" for a major breach, he said the convergence has not always been accompanied by appropriate cybersecurity protocols.
As the cyber and physical parts of energy systems have gotten more intertwined, the departments within companies that oversee them have not, said David Blanco of industrial control system-focused Automation Solutions Inc., or Autosol. Blanco is Autosol's director of security for supervisory control and data acquisition, or SCADA, systems, which are used to operate and monitor pipeline, power and other industrial infrastructure.
Blanco said that in his experience, pipeline operators who work daily with SCADA systems are rarely able to name SCADA-related cyberattacks. This contrasts sharply with the operators' familiarity with more physical system failures. "I think that there's a knowledge gap between the actual people who have to run these pipelines and the cybersecurity professionals," Blanco said during a panel discussion at the conference.
Part of the challenge for energy companies is the lack of in-house cyber defense experts, Scott Doyle, CenterPoint Energy Inc.'s senior vice president of gas distribution, said at the conference. He pointed to a "shortage of talent" available in cybersecurity, noting that not every company can hire its own expert.
Even with limited access to cyber personnel, companies should not over-rely on technological solutions, said Galina Antova, co-founder and chief business development officer at cybersecurity company Claroty. To understand the proper role of technology-based cyber protections, companies first need to evaluate their risks, she said during a panel discussion at the conference.
"A lack of evidence is not the same as evidence of a lack of attackers in your network," Antova said. "Just because you don't have an alert on your dashboard that says, 'Russia is in my critical infrastructure network,' doesn't mean they're not. It just means you have zero visibility."
Antova recommended government regulations requiring companies to conduct fundamental cyberrisk analyses to level the playing field among operators and minimize risk to the industry and the public it serves. Blanco, who participated in a different panel, also pushed regulations as the most effective way to advance the industry's cyber literacy and preparedness.
Regulations would likely be a tough sell to the industry, however, Blanco said.
"There won't really be cybersecurity to the level we want it without some kind of big government intervention. And there won't be big government intervention ... without some kind of cyber 9/11," he said.