How Government Agencies and Utilities Can Improve Energy Security
Energy companies face a daunting challenge: They must detect and deter a continuous barrage of cybersecurity threats while providing uninterrupted service to ensure the health, safety and economic stability of the U.S. But energy security improvements can become streamlined when government agencies and private utilities work together toward solutions.
Emboldened by widespread deficiencies in energy security, cyberthreat actors routinely attack the systems controlling the country’s electric, gas and oil resources, thus threatening the welfare of millions of people. The intricacy of the energy sector makes it vulnerable. To complicate matters even further, as energy companies upgrade old technologies to improve services, they simultaneously expose their newly connected systems to increasingly sophisticated and frequent cyberattacks.
Improving security won’t be as easy as flipping a switch, but with government assistance and an honest accounting of their technologies and procedures, energy companies can harden their defenses and lessen the chances of a doomsday scenario.
The State of Energy Security
As The Houston Chronicle reported in a recent investigative series on energy security, most of the 350 incidents at utility companies between 2011 and 2015 originated from cyberattackers infiltrating control systems. During that period, the U.S. Department of Homeland Security identified nearly 900 security vulnerabilities in energy companies.
Other cybersecurity assessments paint a grim picture of security shortcomings. Released in January, the U.S. Energy Department’s Quadrennial Energy Review claimed the nation’s electric grid faces imminent danger from “rapidly evolving threats and vulnerabilities” like ransomware, but so far, the response has only been a “slower-moving deployment of defense measures.”
Grid operators told Bloomberg Markets they’re improving their defenses by continuously monitoring system conditions. But as the National Institute of Standards and Technology posits in a new report, electrical utilities are only now determining the most effective cybersecurity strategies for their complex systems.
Legacy Systems Prevail
The vastness of oil and gas operations creates even greater advantages for sophisticated cyberattackers, according to the Houston Chronicle series. For starters, many oil and gas facilities still use networks run by Windows XP, a 2003 system that Microsoft no longer updates.
Similarly, thousands of interconnected sensors and automated controls that run facilities were designed decades ago without security features. Companies have recently linked devices that monitor pressure, control valves and initiate safety procedures to computer networks and the internet, but those connections expose refineries, pipelines and offshore oil platforms to online threats.
Coordination Can Boost Security
Despite its shortcomings, the energy sector doesn’t have to pull the plug on security efforts. Many strides have been made in the past decade, including a government-led push to strengthen the electric grid’s defenses.
For one, coordinated cybersecurity would be difficult considering that three federal agencies, alongside state and municipal governments, oversee the private sector’s ownership of most power generation and transmission. But in February, the U.S. Government Accountability Office found that despite some fragmentation, 15 separate measures aimed to strengthen the cybersecurity of the grid do not overlap but actually make the system more resilient, according to CyberScoop.
One advancement that came out of this multilevel coordination is a new superconductor cable that can connect several urban substations, enabling multiple paths for electricity to flow if one substation loses power.
But there’s still work to be done. The Quadrennial Energy Review urges electric utilities to increase data collection on cyberattacks, and the Energy Department recommends implementing new technologies to facilitate a multilayered cybersecurity strategy. In addition, the Obama administration recommended building a secure, next-generation electric grid to enhance defense.
No More Sticky-Note Passwords
According to a recent Ponemon study, 61 percent of cybersecurity experts in the oil and gas sector say their organizations lack adequate security technologies. The U.S. doesn’t require utility companies to implement cybersecurity standards, but they can follow a how-to guide developed by the government. Those steps include following the latest cybersecurity measures and limiting unauthorized access — a problem that can be addressed, as The Houston Chronicle learned, by prohibiting the writing of passwords on sticky notes for all to see.
As the many government guidelines suggest, proper energy security requires money, technology and coordination — but the alternative will leave us in the dark.