Survey finds operational technology cybersecurity is the 'new risk frontier'

Cyberattacks against utilities have shifted towards targeting operational technology systems, according to a survey by Siemens AG and the Ponemon Institute.

"Industrial cybersecurity has become the new risk frontier," said Leo Simonovich, Siemens' vice president and global head for industrial cyber and digital security, during an Oct. 4 utility cybersecurity forum hosted by the Atlantic Council in Washington, D.C.

"The frequency of [cyber] attacks targeting the production of electricity, which is a lifeline and backbone of our economy, has increased exponentially," continued Simonovich. "As these attacks become more sophisticated, more potent, [and] more frequent, is the [utility] industry ready to address them?"

Source: Siemens' "Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?"

The Siemens study, unveiled during the forum, surveyed more than 1,700 professionals in charge of overseeing the security and cyberdefenses of the operational technology systems of electric and water utilities across North America, Europe, the Middle East, the Asia-Pacific region and Latin America.

The results show that the risk of cyberattacks on utilities may be worsening, with 56% of respondents reporting at least one attack in the past 12 months that led to a shutdown or loss of operational data in the OT environment. Another 25% reported having been impacted by "mega" attacks, such as the 2017 WannaCry and NotPetya ransomware attacks, which are usually the work of nation-state-sponsored hackers. In addition, 54% of respondents expect an attack on critical infrastructure in the next 12 months.

Both the study and Simonovich attributed the rise of cyberattacks to technological changes, including the growing use of internet-connected smart devices. The utility industry has also digitized its operations with software tools as power systems simultaneously decarbonize and decentralize through the rapid growth of renewables and distributed generation assets, such as rooftop solar panels.

As the study explained, the deployment of digital and networked equipment by utilities in their operating systems serves as a double-edged sword because such equipment provides greater control and data feedback but gives malicious attackers more ways to hack the grid.

In particular, Simonovich said utilities' industrial control systems are exposed to greater cyberrisks as corporate networks become increasingly interconnected in what amounts to an "industrial Internet of Things." As a result, IT and OT cybersecurity are becoming increasingly blurred, he said.

"Now we have to think about this stupid decentralized attack surface and how we secure that," remarked Simonovich. He recommended focusing security efforts on points of convergence and control for the power sector and where resources are deployed.

In addition, Simonovich stressed the need for greater visibility of grid asset operations, not only for power grid operators and utilities but also for software vendors like Siemens so they can recognize unusual behavior in the power sector and provide helpful data to the utilities.

Simonovich was sure of one thing: the power sector's old cybersecurity practice of only securing the perimeter of a network is "absolutely dead, dead, dead."

The forum's keynote speaker Michael Chertoff, who served as U.S. Secretary of Homeland Security during the George W. Bush administration, made a similar observation. He said the continued treatment of cybersecurity as a perimeter issue by some within the utility sector is like France's Maginot Line defense strategy in World War II. "That works about as well as the actual Maginot Line worked when the Germans simply went around it [and] invaded France," he said.

Chertoff offered an example of how "relatively insecure peripheral devices" can expose critical networks to cyberattacks by recalling that "some years back" a foreign nation-state hacked a "well-known Washington non-governmental institution" that had mistakenly thought it had robust cyber defenses. The attackers gained access to sensitive information by first exploiting a thermostat in a remote building that was connected to the organization's computer network, he noted.

Chertoff urged constant vigilance and cyber hygiene as a means for securing the U.S. grid, including regularly updating software patches and practicing due diligence on the ownership of software vendors and equipment manufacturers.