Energy Companies Failing the Cyber Security Challenge
By Ted Curtin
October 26, 2017

One of the most appealing and easiest industries for cyber criminals to penetrate is the public utilities sector. Recent studies about the cyber hacking of public utilities are extremely concerning:
• Homeland Security found nearly 900 cyber security vulnerabilities in U.S. energy control systems between 2011 and 2015, more than any other industry.
• According to a 2017 Ponemon Institute survey of nearly 400 energy industry professionals, 61% say their companies don’t have adequate cyber defenses for their industrial controls. This is in large part because the control systems that perform critical functions are antiquated.
• The Ponemon Institute study found that 46% of cyberattacks against these companies have gone undetected because of a lack of monitoring capabilities and inadequate staffing.

Many observers might dismiss these alarming statistics with a shrug, saying “We’re all becoming more aware of cyber threats and I’m sure public utilities are doing everything they can to protect their infrastructure”. I can assure you that that is not the case. Having worked for a public telecommunications utility and managed customer support for many gas and electric utilities, I believe there are several reasons why utilities cannot respond to these threats like a normal business would.
• First and foremost, utilities do not employ the best and the brightest technical minds. Each company might have a handful of intellectually curious professionals who stay abreast of the constantly changing IT landscape. However, they are few and far between and generally aren’t going to stay in the suffocating utility culture for very long.
• The cultural makeup of utility company executives and mid-level managers is that saving money is their ticket to job success and advancement.
• Utility company execs don’t like to hear bad news, especially if that news is going to force them to spend money. Many times, they are likely to just shoot the messenger rather than take strategic action to avert a potential crisis.

The Ponemon Institute found that IT professionals at energy companies are keenly aware that they are a primary target of cyber criminals, and 66% of those surveyed reported experiencing at least one security compromise in the past year. Despite their serious concerns, the respondents stated that it was difficult to convey the importance of cyber security to corporate leaders. In fact, Dr. Larry Ponemon, chairman of the institute, states that less than 20% of respondents had been able to implement the necessary security initiatives to protect their organization. Amazing. But it only gets worse. Only 28% of those polled confirmed that cyber security was among the top five priorities for their companies. YIKES! – Seriously?

I hope that somebody in Homeland Security has a plan to make these utilities take the necessary steps to secure their infrastructures. Forcing executives to make security a priority should be the easy part. The more complex challenge is actually securing the enormous number of devices and touch points that make up an energy network. Hackers need to exploit only a small number of security flaws in order to wreak havoc. Examples of recent attacks are plentiful and worrisome:
• In 2016, security firm FireEye reported it had found 1,600 vulnerabilities on industrial control systems over the past 15 years. Hackers can use those vulnerabilities to bypass security measures and gain access to an industrial network. Patches were not yet available for 30% of these vulnerabilities.
• A few years ago, independent researcher Eireann Leverett used the publicly available Shodan search engine to find 7,500 industrial control-related devices linked to internet addresses. The majority were vulnerable to attack because they had weak or default passwords. Only 17% of the devices required a user to enter a password.
• A few years ago, hackers hijacked the modems attached to remote sensors owned by two North American utilities companies, after finding them on a public search engine. The hackers limited the use of these devices to directing cyberattacks against other entities. However, the potential was there to take down the hacked company’s infrastructure.

Jim Guinn, global cybersecurity director for the energy sector at Accenture Security, says, “There’s not a refinery, power generation facility, oil terminal or platform that doesn’t have technology on it that we haven’t been able to infiltrate.” Let’s hope security professionals like those at Accenture can help the energy industry step up to the cyber-security challenge. Then we can start worrying about less pressing things like the IoT’s effect on energy sector security:
“A security flaw in Mrs. Smith’s toaster just brought down the Eastern power grid. Film at 11:00.”