Skip to content Skip to main menu

Industrial device connections are expected to reach 37 billion by 2025 [1]. Such rapid pace of digitalisation comes at a cost, as utilities risk exposure to increasingly sophisticated levels of cyber attack. In our latest white paper, Steve O’Sullivan, Enzen’s Head of Cyber Services, explains the value of taking a holistic approach to safeguarding critical national infrastructure.

steven osullivan.png
Steve O'Sullivan

The growing cybersecurity threat to utilities is a consequence of three major factors. Firstly, there is an increased number of actors targeting utilities. Examples include nation-states seeking to cause security and economic dislocation, cyber criminals who understand the economic value of the sector and 'hacktivists' out to oppose publicly utilities’ projects or agendas.

The second vulnerability is utilities’ expansive attack surface. This is a result of their geographic and organisational complexity, including the decentralised nature of their cybersecurity leadership. Finally, the power and gas sectors’ unique interdependencies between physical and cyber infrastructure make such organisations more vulnerable to exploitation.

eye-ga3c45e787_1920.jpg

The nature of the risk

The cyber threats facing utilities include typical ones that plague other industries: data theft, fraud and ransomware. However, other scenarios that utilities need to be cognisant of in today’s digitalised landscape include targeted supply chain malware attacks, Internet of Things (IoT) vulnerability attacks and the infiltration of industrial IT networks.

Recent studies show 93% of all organisations with OT environments experienced hacking in the past twelve months [2]. Meanwhile, the average energy sector data breach cost has risen more than 13% since 2019 to $6.39 million – a higher cost than the global average of $3.86 million [3].

Moreover, many utilities have weakened cybersecurity for various reasons. These include inherited and immature cyber programmes that either cannot, or only partially, meet the requirements, or a disparate and fragmented asset inventory across all sites. There may also be a disconnection between existing cyber programmes and digital, data and cloud infrastructure, plus a lack of sufficiently trained cybersecurity personnel.

"Cybersecurity is inextricably linked to all other digital and data initiatives, yet many utilities are not accustomed to thinking of themselves as digital organisations. This means they often lack the cybersecurity technologies, systems, personnel and protocols to protect modern industrial operating environments."

Steve O'Sullivan, Head of Cyber Services, Enzen UK

What you should do

There is no magic wand solution to these challenges. But there are some fundamental steps you can take to achieve stronger OT security. Potentially this could be a list of one hundred or more tasks, but it should start with building an ecosystem of protection. In other words, a structured approach that applies communication, organisational and process frameworks along with technical improvements.

Fundamentally, utilities need to recognise that they cannot do this all at once. To begin with, the priority measures are:

cyber-g525760734_1920.jpg

The importance of a SmartCyber approach

Cybersecurity is inextricably linked to all other digital and data initiatives, yet many utilities are not accustomed to thinking of themselves as digital organisations. This means they often lack the cybersecurity technologies, systems, personnel and protocols to protect modern industrial operating environments.

This is where a more holistic SmartCyber approach can prove invaluable. SmartCyber is a metaphor for the fusion of smart technology-based solutions, viewed through the prism of next generation business / societal models and their associated risks. By focusing on the needs of today and tomorrow, utilities can acquire a more long-term, sustainable view of where to target risk reduction measures.

At Enzen, we’ve developed a SmartCyber methodology and framework that brings together established security standards into a new target model. It’s particularly suited to organisations that have OT, ICS/SCADA, IIoT and smart initiatives underway.

Underpinning a best practice SmartCyber approach are four key principles:

  • starting with a holistic OT security maturity assessment and considering the broader SmartCyber (digital, data changes, cloud) elements that form part of the overall cybersecurity risk profile
  • mapping key business functions, roles and asset ownership, prioritising and protecting the most critical assets and systems
  • undertaking a proper risk assessment (not a risk register) and agreeing with IT teams what risks the OT function may face and how to mitigate them
  • developing real, useful metrics that demonstrate improvement.

By adopting these four fundamental steps across OT, digital, data and cloud infrastructure, utilities will have quantifiable confidence they’re better protected against current and emerging cyber threats.

"At Enzen, we’ve developed a SmartCyber methodology and framework that brings together established security standards into a new target model. It’s particularly suited to organisations that have OT, ICS/SCADA, IIOT and smart initiatives underway."

Steve O'Sullivan, Head of Cyber Services, Enzen UK

To discuss the issues raised in this article, contact Steve at steven.osullivan@enzen.com. For more details on our zenSmartCyber solution, click here.

Sources

[1] Industrial IoT: Market Outlook, Technology Analysis and Key Players 2020-25, Juniper Research, November 2020.

[2] 2022 State of Operational Technology and Cybersecurity Report, Fortinet, June 2022.

[3] Cost of a Data Breach Report 2020, IBM Security and Ponemon Institute, July 2020.

About the author

Steve has more than 25 years of experience in cybersecurity, digital transformation and consulting and has an MBA from Staffordshire University. He is one of a handful of people in the UK to be accredited as a Smart Cities and Critical Infrastructure Professional (SCCISP). As well as working in leadership, strategy and operations across cyber and digital, Steven has spent more than a decade as a trainer and as a visiting lecturer at two UK universities. His specialist areas include smart cyber applied to smart cities, utility plants/critical national infrastructure, digital risk, IoT/IIoT, AI and cyber risk, threat intelligence, cyber resilience, privacy, data protection and Security Operations Centres.

To download Steve's white paper in full, complete the form below:

Published: 10 Oct 2022

Last updated: 19 Oct 2022