Prescriptive Security: a new way to safeguard energy companies
Organised crime groups, often in cahoots with corrupt states, pose a serious threat to energy companies. Hacking and malware have been commoditised, so companies that once thought cyber attacks were only about stealing money have discovered that ransomware, data deletion and other destructive system attacks can damage reputations and bring operations to a grinding halt.
Energy is a highly regulated industry where keeping systems available, resilient and secure is a mission-critical requirement. Companies struggle to maintain and modernise extensive legacy hardware and software, some of it difficult to replace. Rapid implementation of connectivity between industrial control systems means that devices that were never previously vulnerable are now routinely being hacked. Older systems and legacy protocols also make it harder to detect cyber threats.
Energy organisations operate globally, with infrastructure and processes spread across differing geographies and company boundaries. This makes it harder to gain an integrated view of cyber resilience across an organisation.
Such companies don’t operate in isolation: they have well-established, complex and flexible supply chains. Attackers use ‘supply chain infiltration’ techniques to target business by targeting their suppliers and partners. In parallel, the energy sector faces a shortage of cyber skills in the locations most needed to support legacy infrastructure.
Legislation, notably the General Data Protection Regulation (GDPR), means that energy companies must consider security as a Board-level risk by understanding the threat facing their data and make defensible decisions to secure their networks. The UK’s National Cyber Security Programme (NCSP) helps energy organisations understand how to build security into the development of next generation of internet-connected services through the ‘Secure by Default’ initiative.
Finally, businesses often find themselves locked into legacy security products, making it difficult to respond quickly enough to the evolving cyber threat with long-standing, inflexible contracts often written years before security became mainstream.
Meeting the challenges
To protect their reputation, energy companies must invest in digital ways of working to safeguard sensitive data, not just protect critical national infrastructure as systems. They need to evaluate cyber risk based on evidence. That evidence comes from security monitoring systems capable of spotting suspicious behaviour with actionable intelligence about threats.
Prescriptive security stops breaches from happening by using big data analytics techniques to provide earlier visibility of threats before they become incidents. Automated incident response procedures can contain data breach information – thereby reducing time to react and recover operations.
Evidence-based decisions are key to reducing cyber risk as business outcomes, not individual security products, alongside solutions that integrate monitoring technologies with automatic response procedures. This is cyber resilience-as-a-service and removes the need for organisations to resource this themselves.
Happily, we have arrived at a best of breed integrated solution that leverages investment from recognised global cyber security leaders combined with deep internal talent, meaning CIOs can sleep soundly.
Looking to the future
Energy organisations need to effect a change in mindset. Whereas traditionally security was perceived as a blocker to change, it should instead be viewed as a powerful enabler for digital transformation. Investment in cyber security also offers energy companies an opportunity to achieve their digital ambitions by unlocking the hidden value of data siloed across legacy infrastructure.
Our research has shown that consumers expect energy companies to deploy effective and proportionate security to safeguard their data, not just critical national infrastructure. Consumers will vote with their feet by switching from energy suppliers who fail to meet their obligations. New market entrants operating greenfield infrastructure based on renewable energy will continue to disrupt the market unless established players overcome the cost/risk of legacy systems.
Energy as an industry has safety at its heart: its safety-first culture surrounding the core product is integral to everything it does. Safety and security go hand in hand – the risks of one affect the other. Effective cyber security is a critical component of a digitally enabled energy market and is the responsibility of everyone involved in the industry.
Atos has partnered with Siemens to provide a solution for converging information technology with industrial control systems to spot security trends across legacy infrastructure. This solution uses analytics to diagnose patterns of anomalous behaviour hidden in old protocols for manual investigation or remediation which can be subsequently automated for onward processing based on real-time interpretation of risk.
Digital Vision for Energy and Utilities
This article is part of the Atos Digital Vision for Energy and Utilities opinion paper. We explore the potential of digital transformation to help energy and utilities companies power a new era for UK businesses and homes, amid profound and rapid change across the industry.