'Cyber hygiene': Reducing human error key part of fight against digital attacks

Washington — To protect US energy systems from a continuous barrage of cyberattacks, policymakers and industry players are homing in on a non-digital defense system: improving people's awareness and changing the way they think about cybersecurity.

As attackers change their targets and strategies, addressing the human element of cyberrisks is essential, according to US Federal Energy Regulatory Commission member Neil Chatterjee.

"You can have all of the best and fanciest equipment and the best threat intelligence, but if the employees in your organization don't adhere to basic cybersecurity practices, like not clicking on suspicious links, then all that work is for naught," Chatterjee said. "This kind of focus on basic what I call cyber hygiene is something we are going to need to ingrain into ourselves as a society as we become more connected and therefore more vulnerable to cyber threats."

OPERATIONAL TECHNOLOGY

Bruce Walker, assistant secretary for the US Department of Energy's Office of Electricity, said cyber threats to the energy sector were long focused on the information technology side of the industry, but attention has increasingly turned to operational technology. The IT side includes digital communication, data and other material that is connected to the internet in some capacity. The operational technology side has the systems that manage the movement of electrons through the grid and molecules through pipelines.

Even with more attention going towards operational technology, the techniques being used by hackers are often the same in trying to find an entry point into the system, Walker said. This has kept an emphasis on educating power sector employees and addressing the human element of risks to the grid.

DOE's Cybersecurity Capability Maturity Model program "gets into people not opening emails that are unknown and being a bit more sensitive to anything that could give anybody access to their systems," Walker said of the public-private partnership developed to aid big and small companies with evaluating, prioritizing and improving their cybersecurity capabilities.

At Southwest Power Pool, employee education and the type of shift in mindset that Chatterjee advocated are already in play. Employees are not only told about phishing but tested with programs to see if they would fall for schemes, according to Barbara Sugg, SPP's vice president of IT and chief security officer. "The concept of 'see something, say something' is prevalent here."

STAYING UP TO DATE

For companies and regulators alike, keeping up to date on the continuously evolving nature of cybersecurity is at the heart of defending against cyber threats.

To aid this effort, DOE established a distinct Office of Cybersecurity, Energy Security and Emergency Response, or CESER, to more acutely focus on near-term, actionable ways to mitigate threats to the grid. Walker is currently serving double duty as acting assistant secretary of CESER. Karen Evans, the national director for US Cyber Challenge, is awaiting US Senate confirmation to become the permanent head of the new office.

Information sharing can be a double-edged sword, however. There are "countless" information flows identifying cyber threats and so-called indicators of compromise, according to John Bryk, a cyber and physical threat intelligence analyst with the Downstream Natural Gas-Information Sharing and Analysis Center. The deluge of information can be challenging to sort through.

Cyber strategists and analysts have to be judicious with the parameters they set up to filter these feeds, striking a balance between winnowing down the information to find what is useful and inadvertently excluding relevant threats.

THREAT ANALYSIS

"You have to do an intel threat analysis and figure out what it really means to you and to the members [of your industry]," Bryk said. "Out of all those threats, all those billions of bits that come across every day, hopefully we are hitting the right one."

Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute, noted that industry is using a risk matrix that allows all threats to be considered and approached differently. On a daily basis, industry squashes high-likelihood, low-consequence attacks arising from less sophisticated hackers' efforts to access the network.

But high-consequence, low-likelihood events involve near-peer nation-states and other advanced threat actors that necessitate partnering "really closely with the government," said Aaronson, who also serves as secretary for the Electricity Subsector Coordinating Council. The council is the main liaison between the federal government and the power sector to help monitor threats, share information and prepare for potential future disruptions to the system.

"We do have to give that an awful lot of attention because at the end of the day our only responsibility as critical infrastructure providers is to provide a reliable product to support national and economic security," Aaronson said.

-- Jasmin Melvin, jasmin.melvin@spglobal.com

-- Sarah Smith, S&P Global Market Intelligence, sarah.smith@spglobal.com

This is the third feature in a three-part series on cyber security in the energy space. Read Part 1 here: Energy industry faces unprecedented cyber threats almost daily, and Part 2 here: With cyberattacks inevitable, energy sector focuses on response