Cyber security challenges for the energy utilities sector
The energy utilities sector is considered critical national infrastructure, which makes it a tempting target for both cyber criminals and hostile state actors. Historical figures show the number of attacks against European energy utilities ramping up: in 2018 only two attacks became publicly known; in 2022 that number had risen to twenty. Since 2015 there have been 48 documented attacks, of which 31 were ransomware attacks and 15 affected Operational Technology (OT) networks. More are likely as the industry goes through the convergence of IT and OT systems.
Current energy utilities infrastructure consists of flat networks and legacy platforms, some of them 20 to 30 years old. Many of the IT systems run on older versions of Linux or other outdated operating systems with many known vulnerabilities, and the industry is known for lagging behind other industries in applying updates promptly. At the same time, digital transformation is slowly making inroads, combined with Internet of Things (IoT) and Artificial Intelligence (AI) for automation, and all of it makes cyber security harder, but more crucial, to manage. Demand for cyber security in this sector is often understated but urgently required. A broad-brush cyber security approach will not work for energy utilities; it needs a different approach and a shift in mindset.
Companies in the energy utilities industry must also ensure compliance with national as well as regional regulations, such as those outlined in the NIS 2 directive, which member states must transpose into national law by 17 October 2024.
NIS 2 Directive – What’s New?
The aim of NIS 2 is to help European entities tighten their grip on cyber security and defend critical infrastructure against supply chain vulnerabilities, ransomware attacks and other cyber threats. Enforcement will be stringent: significant incidents must be reported in stages, with an early warning within 24 hours and a full incident notification within 72 hours, and the management body of each covered entity must approve and oversee its cyber risk-management measures and undergo cyber security training. Failure to comply with NIS 2 can lead to costly sanctions, and members of the management body can be held personally liable for infringements. For critical infrastructure like energy utilities, the obligations do not stop at the large operators: covered entities must manage the risk in their supply chain, so even small suppliers and independent contractors will see the requirements flow down to them.
So, what can the energy utilities sector do to improve cyber security? The first step is to accept that it is not a question of if, but when, an attack will happen, and to plan how to control the damage when a breach does happen, something referred to in the industry as limiting the 'blast radius'. Cyber security is moving towards the concept of Zero Trust, built on the mantra 'verify everyone, trust no one'. This applies to all businesses across industries, including energy utilities; the NIS 2 Directive itself refers to zero-trust principles among the cyber hygiene practices it recommends. Because Zero Trust is based on verified identity, it should also help energy utilities secure access to their networks for contractors and third-party vendors in their supply chain.
Zero Trust and Zero Trust Network Access (ZTNA)
A Zero Trust approach keeps identity at its centre: privileges are defined by user and device role, access is granted only for what a task requires, and the decision is re-evaluated dynamically rather than granted once at the network perimeter. If an attacker manages to gain a foothold in the infrastructure, Zero Trust mitigates the damage by limiting access to other parts of the network, reducing the blast radius of the attack.
Zero Trust can be implemented in different ways. Zero Trust Network Access (ZTNA) is one, in which identity and network security combine: each connection to an application or OT resource is brokered per session, with the user authenticated and the device checked before access is granted, instead of placing the user on the network. You can read more about Zero Trust and how it works in our blog post.
For the energy utilities sector, there are some specific activities that will help to plan the move towards Zero Trust and, in turn, become NIS 2 compliant:
- Gather information before making any changes.
- Analyse data transmission (network traffic) to identify connected devices and networks, and which systems actually talk to which.
- Form cross-functional security groups, which should include people from IT, OT, security and the major departments whose users will be most affected by the changes.
- Apply policies based on the information gathered, agreed between the security groups.
- Restrict user access to only the necessary resources, using authentication policies derived from existing and newly gathered data.
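The steps above, from traffic analysis to a least-privilege policy, are easier to reason about with a small worked model. The following Python is an added example written for this article, not code from the original page or from any ZTNA product. Every host name, role, port and flow record in it is constructed for illustration; in practice the flow inventory would come from your network monitoring and the identities from your identity provider. It replays observed IT/OT flows through a default-deny policy that checks role, network zone, port, MFA and device posture, and then computes the blast radius each principal would have if compromised.

```python
"""Added example: default-deny Zero Trust policy evaluation for a utility
with separate IT and OT zones. All names and data below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of observed flows (step 2 in the text):
# (source_host, destination_host, destination_port). 502 is Modbus/TCP.
OBSERVED_FLOWS = [
    ("eng-laptop-01", "scada-hmi-01", 3389),
    ("eng-laptop-01", "historian-01", 1433),
    ("vendor-vpn-07", "plc-substation-3", 502),
    ("vendor-vpn-07", "scada-hmi-01", 3389),   # vendor has no business on the HMI
    ("hr-desktop-22", "plc-substation-3", 502), # flat network lets HR reach a PLC
    ("hr-desktop-22", "file-server-01", 445),
]

# Hypothetical zone assignment produced by the information-gathering step.
ZONES = {
    "scada-hmi-01": "OT",
    "historian-01": "OT-DMZ",
    "plc-substation-3": "OT",
    "file-server-01": "IT",
}


def inventory(flows):
    """Map each destination to the (source, port) pairs seen talking to it."""
    inv = defaultdict(set)
    for src, dst, port in flows:
        inv[dst].add((src, port))
    return inv


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    device: str
    device_compliant: bool  # e.g. patched, EDR running, attested
    mfa: bool               # strong authentication completed this session


@dataclass(frozen=True)
class Rule:
    role: str
    zone: str
    ports: frozenset
    require_compliant_device: bool = True
    require_mfa: bool = True


# Least-privilege policy (step 5): anything not listed here is denied.
POLICY = [
    Rule("ot-engineer", "OT", frozenset({3389, 502})),
    Rule("ot-engineer", "OT-DMZ", frozenset({1433})),
    Rule("vendor", "OT", frozenset({502})),          # vendor: PLC maintenance only
    Rule("corporate", "IT", frozenset({445}), require_mfa=False),
]


def evaluate(principal, dst, port):
    """Default deny. Allow only when a rule matches role, zone and port
    and the session satisfies that rule's MFA and device-posture checks."""
    zone = ZONES.get(dst)
    if zone is None:
        return False, "unknown destination"
    for rule in POLICY:
        if rule.role != principal.role or rule.zone != zone:
            continue
        if port not in rule.ports:
            continue
        if rule.require_mfa and not principal.mfa:
            return False, "mfa required"
        if rule.require_compliant_device and not principal.device_compliant:
            return False, "device not compliant"
        return True, f"rule {rule.role}->{rule.zone}:{port}"
    return False, "no matching rule"


# Constructed identities behind each observed source host.
HOST_PRINCIPALS = {
    "eng-laptop-01": Principal("alice", "ot-engineer", "eng-laptop-01", True, True),
    "vendor-vpn-07": Principal("bob@vendor", "vendor", "vendor-vpn-07", True, True),
    "hr-desktop-22": Principal("carol", "corporate", "hr-desktop-22", True, False),
}


def audit(flows, host_principals):
    """Replay observed flows through the policy before enforcing it, so the
    cross-functional group can see what would break and what gets cut off."""
    results = []
    for src, dst, port in flows:
        p = host_principals.get(src)
        if p is None:
            results.append(((src, dst, port), False, "unknown source"))
            continue
        allowed, reason = evaluate(p, dst, port)
        results.append(((src, dst, port), allowed, reason))
    return results


def reachable(principal, inv):
    """Blast radius: destinations this principal could still reach if compromised."""
    return {(dst, port) for dst, pairs in inv.items()
            for _, port in pairs if evaluate(principal, dst, port)[0]}


if __name__ == "__main__":
    inv = inventory(OBSERVED_FLOWS)
    for flow, ok, why in audit(OBSERVED_FLOWS, HOST_PRINCIPALS):
        print("ALLOW" if ok else "DENY ", flow, why)
    for host, p in HOST_PRINCIPALS.items():
        print(host, "could reach:", sorted(reachable(p, inv)))
```

Running the audit before enforcement is the point of steps 1 and 2: the HR desktop's Modbus session to the substation PLC and the vendor's RDP session to the HMI are both denied, and the compromised-HR-desktop blast radius shrinks from the whole flat network to a single file share. The posture check also shows how a vendor on an unmanaged laptop is refused even though their role is otherwise entitled to the PLC.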
Contact us today to discuss your requirements. You can also watch the recording of our recent webinar, 'Decoding NIS2 Directive and Zero Trust for Energy Utilities'.