Siemens/Ponemon Research: Are Utilities Keeping Up with the Industrial Cyber Threat?

Home » Blog » Siemens/Ponemon Research: Are Utilities Keeping Up with the Industrial Cyber Threat?
oil & gas OT

 

Recent research by Siemens Industrial Cyber and the Ponemon Institute assessing operational readiness of the global security sector shed light into the OT cybersecurity arena in the Gas & Power industry.

The report, published in October 2019, highlights the avenues in which industrial infrastructure is vulnerable to cyber attacks, and specifically discusses how the cyber attacks are a greater risk to the OT network than the IT one in gas & power facilities.

Notable highlights:

  • Majority of surveyed global utilities say that cyber threats present a greater risk to their OT than their IT environment. Utilities are concerned by the unique characteristics of OT, including a focus on availability, reliability and safety 
  • 56% report at least one shutdown or operational data loss per year. Respondents report crippled operations by causing outages, damage, injury, and even environmental disaster.
  •  54% of respondents say they expect an attack on critical infrastructure in the next 12 months. 
  • 25% of respondents report being impacted by mega attacks, with expertise developed by nation-state actors. Incoming attacks show greater skill in finding weakened entry points, and may be cheaply built with destructive effects as their primary goal

 

RISK:

The majority of respondents agreed that cyber threats are a greater risk in the OT than the IT environment. Where past attacks primarily targeted data theft, current and future attacks can hijack control systems and logic controllers that operate critical infrastructure with the intent to cause physical damage and outages. Utilities are concerned by the unique characteristics of OT environments, including a focus on availability, reliability and safety.

The risk that cyber attacks pose to the OT environment is increasing in frequency and potency as malicious actors’ ability to accurately target critical infrastructure assets improves, causing even greater consequences for utility sector operators, managers, and executives. 

Respondents reported that 30% of OT attacks go undetected.

4% of respondents reported 10 or more such attacks within the past 12 months. 

The potency of attacks has increased as well. When asked what made management of OT security challenging, the most frequent response was the rise of sophisticated attacks. Because many utilities manage infrastructure critical to daily life, nationstates and other malicious actors have an interest in developing cyber weapons that target utilities. Individuals and criminal organizations may now also have the backing of nation-states, or state-aligned proxy groups, interested in damaging physical assets, and may use potent cyber warfare tools originally developed by nation-states. 

Executives concerned about risk must pay attention to cybersecurity for OT. Utility leaders must recognize that attackers today design threats against utilities with increasing sophistication – both in terms of their destructive capabilities and their ability to identify weak points in security regimes.

The impact of these expanded risks is serious. Cyberattacks can cripple operations that depend on networked and real-time information, and respondents reported fear that outages, damage, injury, and environmental disaster could result from cascading effects on power systems. As the utility industry’s technologies are increasingly connected to an IT network and a business model dependent on their continuous performance, the stakes for OT security increase. This is especially the case as operators must protect distributed power generation assets tens or hundreds of miles from a company’s headquarters.

 

READINESS:

Readiness across and oil & power industry is uneven due to factors including:

  • Technical capabilities to identify threats
  • Internal organizational failures
  • A clear understanding of risk-based best practices
  • Compliances with regulatory regimes

As a whole, and despite improvement in developing regimes to address external and internal threats, the industry remains vulnerable to attack; companies are proving too slow to detect new threats; and are unprepared to recover from successful attacks on OT infrastructure. 

Many organizations reported the following OT blindspots:

  • Lack of Visibility Into Operating Assets
  • Lack of Response Plan and a Slow Response to Past Incidents
  • Zero-day Risks, Often Associated with Global Mega Attacks or Industrial Safety Event
  • Incorrect Belief that Protections Designed for OT are Effective for OT
  • Lack of Investment inTraining And Personnel
  • Human Capital Gaps, Including Difficulty Procuring and Building Industrial Cyber Skills
  • Lack Of Alignment Between OT and IT Security

Smaller organizations reported significantly greater concern in their ability to complete critical cybersecurity tasks, were less confident in their ability to understand the operational implications of an attack, and act based on those alerts.

Respondents noted that significant blind spots remain prevalent across the utility industry, even if using a risk-management approach (which 56% of respondents reported using). Less than one third of survey respondents believed their OT and IT security approaches aligned, which suggests that utilities have a considerable capability gap that can be exploited. 

 

The Challenge of Visibility

The process of digitizing equipment – replacing or adding digital controls to analog equipment – helps utility managers increase their visibility into the operating status of assets in their fleet. Visibility also enhances cybersecurity capabilities by enabling operators to better understand the current status of connected assets. At its most basic level, it means knowing what is and is not connected in the OT environment, as well as how those assets behave to spot potential anomalies. Only by understanding what’s happening in their production environment can operators build the confidence to take proportionate action. 

However, respondents rated their organizations’ ability to achieve comprehensive and continuous visibility of digital assets as low – with organizations in the United States and Europe reporting the lowest level of maturity among the other regions. This should concern leaders in all areas of the utility industry. It is difficult to provide meaningful security on a network when operators do not know what equipment exists within that network.

Exacerbating the visibility challenge for OT security is the common belief that OT systems benefit from isolation. Isolation-based solutions such as “air gaps” are common in IT, but have the additional effect of hampering visibility for OT systems. Respondents mentioned isolated and fragmented systems as the third most challenging aspect of cybersecurity, close behind the sophistication of attacks and the lack of skilled personnel. Air gaps should not be treated as a panacea for OT security, especially when considering the risk of insider threat

 

SOLUTION:

Siemens Industrial Cyber believes that leaders across the industry should start by assigning ownership, checking for the blind spots identified in this report, getting visibility into their own systems, and prioritizing investment in industrial security. Given the rising stakes and escalating threat environment, even leaders at well-prepared organizations need to consider how to maintain readiness at the threat frontier.

Based on common themes among survey responses, Siemens/Ponemon suggest an organization have the following capabilities:

  1. Keep up with changes in technology, business models, and attack modes. Utilities will face attacks that have never been seen before, and you need to be able to answer.
  2. Detect when an attack or other anomaly occurs. Increasing use of digitization offers greater self-awareness of conditions in your systems. AI and big data monitoring are not yet widely adopted, but may help with this challenge in the near and medium-term future.
  3. Respond when an incident is detected. At a minimum, an organization should have a basic plan for responding to cyber attacks that succeed. Knowing in advance which assets to protect, and what priorities will be if an outage or other damage occurs can help teams to restore service and minimize financial and reputational damage.

Report Methodology:

The report focuses on cyber risk in OT environments at electric utilities with gas, solar, wind assets, and water utilities, throughout North America, Europe, Middle East, the Asia-Pacific, and Latin America. The research was conducted to gain a clearer picture of utilities’ existing capabilities, levels of preparedness, vulnerabilities, and strategic understanding of their OT cyber risk.

In total, 1,276 utility professionals responded to a series of questions related to cybersecurity, providing self-assessments on key areas of their company’s technical and corporate readiness to address the increasing threat of cyber attacks. All respondents indicated their job involved securing or overseeing cyber risks in the OT environment.

They described their roles as:

42% – technicians

21% – managers

16% – directors

15% – supervisors

6% – senior executives

Copyright of: Siemens Gas and Power 

__

SIGA provides OT solutions that fit the exact model Siemens suggests using.

We provide 100% un-tampered visibility into critical assets and provide real-time alerts, allowing your team to respond to an intruder before real damage has taken place.

Contact us to discuss what options are available.