MANAGING CYBER RISK IN THE ENERGY SECTOR

R&C: To what extent are companies in the energy sector especially vulnerable to cyber attacks? What makes them particularly attractive targets for malicious actors?

Simonovich: Attacks against the energy sector are frequent and sophisticated. The energy sector is increasingly digitalised, with physical equipment and IT systems now more interconnected than ever before. Optimising for low emissions and for low costs both require digital management of physical assets. Powerful efficiencies result from this digitalisation, but so do attack pathways. Energy infrastructure makes an attractive target because it is high value, both in terms of financial value, and in terms of geopolitical value. Some attackers are looking for financial gain, but some are backed by governments with geopolitical goals. In both cases, energy sector companies are appealing targets.

R&C: What types of cyber attacks seem to appear more frequently within the energy sector? To what extent do different types of attack require different risk management strategies?

Simonovich: Companies in the energy sector need stronger monitoring and detection capabilities than some other sectors, for a number of reasons. First, we are seeing attacks in the energy sector which are designed to compromise infrastructure for later disruption. Attacks are designed to give outsiders the ability to stop or disrupt operations at will. This is a very desirable type of attack for a foreign government. Infrastructure operators should develop capabilities that can detect such attacks in their initial stages and before any damage or disruption occurs. Second, attacks on IT can have consequences for physical equipment. Energy sector companies must be able to confirm that physical equipment is unaffected and safe to operate and must understand how their IT and operational technology (OT) equipment is integrated. As we saw with the Colonial Pipeline, a ransomware attack in one part of an organisation can have cascading consequences; a company might be entirely unable to operate or might be able to deliver fuel but be unable to bill for it. Finally, the energy sector is a tightly networked supply chain. In the electricity business, cascading consequences can propagate at the speed of light. Mitigation must occur at machine-like speed.

Jan-Mar 2023 Issue

Siemens