Anjos Nijk of the European Network of Cyber Security explains the importance of having more energy sector cybersecurity professionals.
We are familiar with capacity gaps in the energy sector. What follows is a statement that I am sure most of our industry leaders would agree with: society needs energy, and demand will only grow. We need more power and to be smarter about how we use it to maintain the security of supply. Now replace the word ‘power’ with ‘energy sector cybersecurity resource’. Would as many people agree? They should, because it’s true.
This resource gap is very real, and it’s crucial we get to grips with it as our infrastructure becomes smarter and more connected. One part of this equation is the skills gap – the shortfall in energy sector cybersecurity professionals – which we have discussed before. However, aside from skills, we need to increase resources and be more intelligent about how we deploy them.
Europe’s energy companies have made real progress on cybersecurity in many ways. A decade ago, not many board-level conversations would even touch on energy sector cybersecurity needs; today, it’s not uncommon to hear a CEO reassuring stakeholders about how seriously they are taking the topic of data security and protection.
But actions speak louder than words, and lip service isn’t enough. Typically, board members will be accomplished, senior leaders who made their careers in a very different world – a world where security meant chain-link fences. It’s understandable that they might not comprehend the scale and importance of the threat; besides, they have a lot of other business issues vying for their attention.
What we need are more people with cybersecurity skills on the boards, to ensure it’s at the top of the agenda. The ‘C’ in CISO shows how important they are, and the ranks of chief information security officers (CISOs) in the European energy sector cybersecurity fields are growing, but we still need more of them with greater decision-making power. Cybersecurity needs to be a core component of any utility’s strategy.
Most utilities nowadays do have some talented security people within the organisation; however, very few have enough people, leaving a resource-constrained team to handle a number of competing priorities.
As security regulations and standards rightly make their way into the energy space, teams will find themselves investing time and resources into compliance to address energy sector cybersecurity concerns, while at the same time still dealing with a host of general security tasks.
That would be fine in a well-resourced security team, but in reality, we will see other important projects fall down the pecking order. There will be specific energy sector cybersecurity needs in the utility that go unaddressed because of resource limitations. Investment must therefore increase.
The old OT/IT divide
The operational technology (OT)/information technology (IT) divide is something that will mean little to the man on the street but is extremely familiar in our world. IT systems and OT systems are still very different. They are built by different people with different degrees and worldviews, using different protocols with different purposes. The engineer who designed the transformer in the substation twenty years ago never had an energy sector cybersecurity thought in his head – after all, systems weren’t interconnected like they are today. Likewise, it probably never occurred to the programmer who designed the customer billing system to think about the smart meter communications protocol, as such a thing didn’t exist.
Yet now the worlds are merging. By creating more digital, connected smart networks we bring IT and OT together, and create security challenges in the OT domain that previously belonged exclusively to the IT one.
We certainly need more people in the industry who understand both domains. That will take time. However, companies often make the problem worse by poorly organising the resources they do have across an organisation.
Until now, the IT guys probably had very little interaction with the engineers looking after OT. Yet utilities need to devise ways to bring these people together and to get them talking in order to start creating the blend of knowledge and skills and maximise value from a limited resource.
Security as an afterthought
For well over ten years now, we have heard phrases like ‘end-to-end security’ and ‘security by design’. The core principle is that security has to be factored in from the start, not tacked on at the end. But this is not happening widely enough in practice.
If you work at a utility and want to trial a new technology or service, chances are you will be working under significant time pressure, lest the competition beat you to market. At this point, many rush to get a pilot scheme up and running to test feasibility, but don’t factor in cybersecurity. After all, it may not be an idea that is taken forward, so it would be a waste of time and resource to worry about security at this early stage, right?
Understandable, but wrong, because energy sector cybersecurity cannot just be added on at the end. There may be a fundamental flaw in the approach that cannot simply be patched, or there may be too many vulnerabilities to take it to market. The security team, called in as the last consideration, may be in the unenviable position of nixing the whole project and turning away from the idea completely. All that work for nothing.
That is not the role security professionals want to play, but too often it’s the one they have to play, and it will continue to be until they are properly consulted from the earliest stages of the project. Again, it will require a reorganisation of how companies utilise the limited cybersecurity resources they have.
Reasons to be cheerful?
It’s not all doom and gloom. There is investment into cybersecurity – far more than there ever used to be. This goes hand-in-hand with growing awareness across leadership teams and what starts as lip service gradually becomes sincere as the importance of energy sector cybersecurity becomes apparent.
And the very energy transition that is increasing the need for cybersecurity also creates opportunity. Look at all the big utilities fundamentally changing their strategy as a business, spinning out assets and recalibrating leadership teams entirely. There’s never been a better time for radical change – such as putting security experts on the board.
The good news is that we are doing a lot of the right things for energy sector cybersecurity. The bad news is that we’re not doing them anywhere near quickly enough.
European Network of Cyber Security (ENCS)