The energy and utilities (E&U) industry has been facing an increase in cyberattacks in recent years. These attacks have caused businesses to shut down for weeks as they recover, significantly impacting customers, employees and suppliers. Unfortunately, many E&U leaders don’t know where to begin when assessing and improving their cybersecurity capabilities. To help our E&U clients, Baker Tilly has developed the following list of common issues impacting the E&U industry as a starting point for improving your cybersecurity posture and your readiness to respond to a cyberattack.
When we listen to our E&U clients, one of their highest concerns is an outage or disruption of their services. When you consider the impact a cyberattack can have on the availability of services, it becomes a top-of-mind issue. The E&U industry deals with a variety of factors that increase the risk of service disruption, whether legacy technology, physical security concerns or Internet-of-Things (IoT) devices. A lapse in security in any one of these areas can significantly impact the availability of services.
Recently, we have also seen increased concern from government officials about cyberattacks by nation-state actors aimed at disrupting E&U services. E&U organizations should implement a comprehensive risk management program to address these concerns, including asset inventories (hardware and software), risk assessments, baseline security configurations, patch management, vulnerability scanning and incident response planning. Proactive security measures are required to minimize the likelihood of a successful attack, but being prepared to respond to one is just as important for minimizing the impact on services.
Industrial control systems (ICS) and IoT devices have proliferated across networks in recent years and have increased operational efficiency; however, with all the positives also come risks. E&U organizations that utilize these new capabilities should assess the risks they may introduce into business operations. Network-connected equipment should be deployed on segmented networks that are protected by firewalls and cannot be directly accessed from the back-office corporate network. Devices that need internet access for monitoring or updates should be tightly controlled through firewall rules, enabling only the specific services and ports those devices need to function. Far too often, organizations don’t properly segment or protect these networks and pay the price when a cyberattack occurs, as operations grind to a halt and service outages follow. Ransomware attacks specifically target these networks because doing so makes the business more likely to pay in order to resume operations as quickly as possible.
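The two segmentation rules in the paragraph above (no direct corporate access into the ICS/IoT segment, and device egress pinned to specific services and ports) can be checked mechanically against a firewall ruleset. The script below is an added example, not code from the article or from Baker Tilly: the zone plan, the `Rule` representation and both sample rulesets are constructed for illustration, and the "before" set shows the pattern the text warns about beside a hardened "after" set that passes the same checks.

```python
"""Segmentation audit for an ICS/IoT firewall ruleset.

Added example, not code from the original article. The zone plan, the
rule representation and the sample rules are constructed for illustration.
The checks encode two rules of thumb from the text: back-office corporate
hosts must not reach the ICS/IoT segment directly, and device egress must
be pinned to the specific protocol and port each device needs.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone plan (assumption): private/documentation ranges only.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),  # back-office network
    "jump": ipaddress.ip_network("10.20.5.0/28"),       # hardened jump hosts
    "ics": ipaddress.ip_network("10.50.0.0/24"),        # control system segment
    "iot": ipaddress.ip_network("10.60.0.0/24"),        # sensors and meters
}
OT_ZONES = {"ics", "iot"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port or "any"


def zone_of(cidr: str) -> str:
    """Name the zone a CIDR falls in; 'any' stays 'any', unknown space is 'other'."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "other"


def audit(rules) -> list:
    """Return (rule name, reason) pairs for every allow rule that breaks segmentation."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
        # 1. Anything other than the jump zone reaching straight into ICS/IoT.
        if dst_zone in OT_ZONES and src_zone not in OT_ZONES | {"jump"}:
            findings.append((rule.name,
                             f"{src_zone} reaches {dst_zone} directly; route through the jump zone"))
        # 2. Device egress that leaves the protocol or port open-ended.
        if src_zone in OT_ZONES and dst_zone not in OT_ZONES and "any" in (rule.proto, rule.dport):
            findings.append((rule.name,
                             f"{src_zone} egress not pinned to a service: proto={rule.proto} dport={rule.dport}"))
    return findings


# Constructed "before" ruleset: the pattern the text warns about.
WEAK_RULES = [
    Rule("corp-to-ics", "allow", "10.10.0.0/16", "10.50.0.0/24", "any", "any"),
    Rule("iot-egress", "allow", "10.60.0.0/24", "any", "any", "any"),
    Rule("default-deny", "deny", "any", "any", "any", "any"),
]

# Constructed "after" ruleset: jump-host access only, egress pinned per service.
HARDENED_RULES = [
    Rule("jump-to-hmi", "allow", "10.20.5.0/28", "10.50.0.0/24", "tcp", "443"),
    Rule("iot-ntp", "allow", "10.60.0.0/24", "10.10.3.5/32", "udp", "123"),
    Rule("iot-update", "allow", "10.60.0.0/24", "203.0.113.10/32", "tcp", "443"),
    Rule("default-deny", "deny", "any", "any", "any", "any"),
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(rules) or "no findings")
```

Running the audit against a real ruleset means only writing an adapter from the firewall's export format into `Rule` objects; the zone plan is the part that must be maintained alongside the network, since a rule is only judged against the zones it is told about.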
Suppliers can introduce unknown risks to your business, whether directly or indirectly, which can increase your exposure to a cyberattack. E&U businesses should develop a third-party risk assessment process to assess the security risk related to a specific supplier. Risks include sharing customer data with that supplier and how they plan to protect that data, or giving that supplier access to your systems and how they plan to protect that access and your operations. Additionally, if you are utilizing a third party for software, whether you deploy that software internally or it is hosted within their environment, you should be assessing the security of their software by requesting SOC reports or through your own internal vulnerability scanning processes.
We have all heard the saying, “hope for the best, but plan for the worst.” That is exactly what organizations do when developing a business continuity (BC) and disaster recovery (DR) plan. The first thing an organization must do is identify its critical business functions and the supporting IT services and infrastructure responsible for those functions. Then it can assess the impact of those business functions being unavailable for a certain period of time. Next, it can implement proactive measures to back up those systems for recovery if an incident occurs, or implement resiliency capabilities (such as uninterruptible power supplies, generators, redundant HVAC services, redundant internet services, etc.) to minimize the impact when a service is unavailable.
Backups are one of the greatest weapons against ransomware attacks; however, the organization needs to regularly test the restorability of its backups and ensure that offline or immutable copies are kept that will not be affected during a ransomware attack.
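The restore test the paragraph above calls for is worth automating so that it actually runs on a schedule. The script below is an added example, not code from the article or from Baker Tilly: it takes a backup of a small constructed dataset together with a SHA-256 manifest (standing in for the offline reference copy), restores the archive into a scratch directory and verifies every restored file against the manifest. The file names, contents and archive layout are constructed for illustration.

```python
"""Restore drill for a backup archive, with integrity verification.

Added example, not code from the original article. It creates a small
constructed dataset, takes a backup (tar.gz plus a SHA-256 manifest kept
separately, as an offline copy would be), restores the archive into a
scratch directory and verifies every restored file against the manifest.
File names and contents are constructed for illustration only.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_archive(source: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def create_backup(source: Path, archive: Path, manifest_path: Path) -> dict:
    """Take the backup and record the manifest at the same moment."""
    manifest = build_manifest(source)
    write_archive(source, archive)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore_and_verify(archive: Path, manifest_path: Path, restore_dir: Path) -> list:
    """Restore the archive and return a list of problems; an empty list is a pass."""
    expected = json.loads(manifest_path.read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and patched 3.8-3.11): refuse members that would
            # write outside restore_dir or carry unsafe metadata.
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)
    restored = build_manifest(restore_dir)
    problems = []
    for name, digest in expected.items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif restored[name] != digest:
            problems.append(f"corrupt: {name}")
    for name in sorted(restored.keys() - expected.keys()):
        problems.append(f"unexpected: {name}")
    return problems


def run_drill(tamper: bool = False) -> list:
    """Run the whole drill in a scratch directory and return the problem list.

    tamper=True rebuilds the archive from altered data while keeping the
    original manifest, standing in for a backup copy that no longer matches
    what was recorded when it was taken.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "scada-config"          # constructed sample data
        (source / "historian").mkdir(parents=True)
        (source / "plc-01.cfg").write_text("baud=9600\nunit=1\n")
        (source / "historian" / "tags.csv").write_text("tag,unit\nflow_1,m3/h\n")

        archive = root / "backup.tar.gz"
        manifest_path = root / "backup.manifest.json"
        create_backup(source, archive, manifest_path)

        if tamper:
            (source / "plc-01.cfg").write_text("baud=9600\nunit=2\n")
            write_archive(source, archive)

        return restore_and_verify(archive, manifest_path, root / "restore")


if __name__ == "__main__":
    for label, result in (("clean", run_drill()), ("tampered", run_drill(tamper=True))):
        print(f"{label}: {'PASS' if not result else result}")
```

Keeping the manifest on a separate, write-protected store is what gives the check its value: if the manifest sits beside the archive on the same writable share, anything that alters one can alter the other, and the drill would pass against a backup that is no longer trustworthy.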
IT operations is responsible for the day-to-day upkeep of the network, systems and applications required to keep a business operational. These activities include system hardening, controlling access to systems and applications, and patch management, among many others. However, an organization should also evaluate the effectiveness of its IT operations team through penetration testing and vulnerability scanning. These types of tests help identify improvement areas for the IT operations team and uncover unknown risk areas that the business should mitigate.