By Russ Banham
In today’s increasingly digital world, the secure transmission of sensitive information has become a top priority for both individual citizens and the world’s largest government agencies. Since 90 percent of the U.S.’s power infrastructure is privately held, leading energy companies are adopting cybersecurity practices intended to reduce the impact of any incident that might put energy delivery at risk. However, sometimes these measures fall short.
A universal challenge
On March 19, the computer screens at Norsk Hydro went blank. The giant Norwegian energy and mining company’s IT systems were infected with a new strain of ransomware virus called LockerGoga. The situation was “severe,” Norsk Hydro CFO Eivind Kallevik told a hastily-convened news conference.
The cyberattack had launched in one system the previous night and spread quickly throughout the company’s network, locking up digital files and devices critical to its core operations. As in other ransomware attacks, Norsk Hydro was given a stark choice: pay a ransom to unlock the systems, or pay the price in curtailed production.
In the six years since the first ransomware strain CryptoLocker appeared in 2013, such attacks have become business as usual of the worst kind. Every minute, a private company falls victim to a ransomware attack. These invasions have cost businesses a staggering sum: more than $8 billion each year.
If the targeted company is vital to critical infrastructure, the impact is even more significant. For instance, if an attack compromises the energy grid — the network of synchronized power providers and consumers connected by transmission and distribution lines — everyone relying on it will suffer the consequences in the form of lost power.
Protection and prevention
Taking preemptive steps to combat this grim possibility, the U.S. House of Representatives recently introduced a bill (H.R. 1975) to establish a Cybersecurity Advisory Committee within the Department of Homeland Security. The 35-member committee of cybersecurity experts would make recommendations on the development and implementation of policies to combat cybercrimes, such as ransomware attacks, against the nation’s critical infrastructure.
The energy industry is also stepping up to protect its assets from the damage caused by a major cyberattack, such as the one successfully launched againstUkraine’s power grid in December 2015. Hackers were able to compromise the IT systems of three energy distribution companies, effectively disrupting the supply of electricity to end consumers.
To prevent a similar attack from occurring on American shores, the Federal Energy Regulatory Commission (FERC) issued a final rule in 2018 lowering the threshold for a “reportable cyber event.” The goal of the rule is to improve data collection to better analyze the risk of a cyberattack for defense and response purposes.
The FERC also directed the North American Electric Reliability Corporation, a nonprofit institution overseeing the steadfastness of electric grids across North America, to “augment the mandatory reporting of cyber security incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system,” accrding to the rule filing.
In issuing the final rule, the FERC’s then-Chairman Kevin McIntyre emphasized the fluid aspects of challenges to cybersecurity.
“Cyber threats to the bulk power system are ever changing, and they are a matter that commands constant vigilance,” he stated.
New tools on the front lines of the cyber frontier
Today’s energy industry plays a vital role in securing the flow of electricity to businesses and consumers, essentially upholding our modern economy. It’s no wonder, then, that hostile governments, terrorist organizations and private-practice hackers have put the industry in their crosshairs, disrupting the operations of utilities and energy suppliers. The energy sector now rightly recognizes these cyberattacks as a core business risk which pose as much of a threat to large infrastructure as floods or fires.
To help the industry reduce the incidence and severity of these hazards, top energy companies have partnered with government agencies like the Department of Energy—and sometimes even with competitors—to make great headway in improving their cybersecurity practices.
With solutions designed specifically for the energy sector, new innovations make it easier for companies to safeguard vital information and keep operations online. These are not passive endeavors, either. Thanks to Information Sharing and Analysis Centers established by federal law, energy companies can learn from each other, sharing cyber threat indicators and other security information.
New software also assists companies with risk detection, monitoring and incident response by recognizing and understanding the exploits meant to inflict harm. Keeping up with these new attacks or malware through continuous threat monitoring, real-time anomaly detection and immediate malware pattern updates helps companies to stay a step ahead.
Meanwhile, the information gaps that attackers take advantage of in weak security measures can be adjusted for by using enhanced intrusion detection and user authentication to identify suspicious activity. As companies look for guidance on security, comprehensive online training and clearer policy on grid defense solutions can provide the information they need.
Maintaining power and establishing industry-wide trust
Companies that develop cybersecurity solutions are responding to this increasing and changing threat. Mitsubishi Heavy Industries (MHI) has partnered with NTT Group to commercialize a jointly developed cybersecurity technology for critical energy infrastructure control systems. Called InteRSePT(Integrated Resilient Security and Proactive Technology), the technology provides real-time monitoring of data flows in a network and helps to detect cyberattacks specifically designed to exploit operating controls.
Unlike conventional technology, which finds it challenging to spot this type of attack, the system discerns potential threats by changing the security remediation rules governing the operations of the target. These rule changes allow for earlier detections of anomalies, which can be screened to vet potential breaches. By rapidly identifying these threats and responding in kind to halt the damage, the system preserves continuous power generation and availability – with no disruption in service.
“Cybersecurity is a focal area for MHI, and we continue to place importance on developing next-generation solutions in this area,” MHI’s Chairman of the Board and former CEO Shunichi Miyanaga recently stated.
MHI is the first company in Asia to join the Charter of Trust for Cybersecurity, which calls for binding rules and standards to build security and trust in the digital realm. Initiated by Siemens during the Munich Security Conference in February 2018, the 17 company members of the trust (including Cisco, Enel Group, Dell Technologies and IBM) have pledged their compliance with minimum binding cybersecurity requirements, to be anchored by binding clauses in each member’s contracts with customers. These requirements are being finalized now and will be introduced on a step-by-step basis.
The ambitious goal of the Charter of Trust for Cybersecurity is to better protect the digital assets of critical infrastructure, ensuring high-quality cybersecurity throughout the networked environment. Since new forms of malware and viruses rapidly proliferate every day, it’s important to encourage energy industry efforts to work together, and with investigators, on cyber prevention and defense. The security of daily life – and all the infrastructure that powers it – depends on this effort.
Russ Banham is a Pulitzer-nominated financial journalist and best-selling author.