Energy utilities are critical to production and performance for both public organizations and private companies. This industry has been historically insular: Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems were typically secured on internal networks with no outside-facing connectivity. Thanks to the evolution of industrial IoT devices and the need for always-connected monitoring and reporting tools, the energy sector has undergone significant changes over the past decade to boost accessibility and improve operational agility. The caveat? Malicious actors now recognize the potential in disrupting utility IT to wreak havoc, steal data or demand ransomware payouts. Just as energy companies have embraced the need for next-gen technologies to empower business success, they now must upgrade utility cyber security to short-circuit IT attacks.
Cyberattacks in the energy and utilities sector are on the rise. In fact, recent data found that lateral movement and internal reconnaissance behaviors were seen at higher rates across energy networks than other industries on average. Two factors conspire to drive this increase. One is the rapidly expanding interconnections across utility systems as companies look to leverage data from mobile and IoT devices. The other is the historic lack of high-level cyber security for electric utilities. This creates a perfect opportunity for hackers. Systems that are considered secure now offer ease of movement across utility networks to access key operational systems. At the same time, many energy enterprises lack the IT infrastructure necessary to detect, isolate and remediate new threats. Insider risks are also on the rise as individuals with privileged access offer a secondary route to utility compromise. Phishing attacks, business email compromise and a lack of encryption of critical data conspire to reduce overall network security.
Powering up Cyber Security for Electric & Gas Utilities
To address the growing impact of malicious external threats and accidental internal compromise, organizations need purpose-built cyber security for energy & utilities. At HALOCK Security Labs, we can provide services including:
- Penetration testing — Where are your weak points? What, if any, vulnerabilities have new devices or open-source solutions introduced? Our experts can assess your internal and external networks, web applications and wireless connections to develop key security strategies. Incorporate a remediation verification pen test to confirm everything is fixed. Consider a Recurring Penetration Testing program to assess your safeguards throughout the year for a proactive security approach.
- Security engineering — What’s your “as-is” security posture? What’s your “to-be” security aim? We have the industry experience and expertise necessary to help design and implement utility cyber security that addresses current issues and speaks to emerging needs for cyber security in the energy sector. Conduct security architecture reviews, threat monitoring, or sensitive data scanning. Ensure you have the security safeguards required by compliance requirements like multi-factor authentication (MFA) or a web application firewall (WAF). An ongoing review of your threat landscape is a best practice for your industry through a managed detection and response program (MDR) or Threat Hunting Program.
- Workforce management — Finding the right talent isn’t easy, and it’s getting harder as the cyber security skills gap widens. Our executive, full-time and contract hiring services help find the best-fit professionals for your needs.
- Incident Response – When a breach does occur, you need to address the attack immediately, contain it, and remediate the threat. You need a trusted, expert incident response team to stop and fix the breach, and an ongoing incident response plan (IRP) to keep your data secure; this includes training, run books, and live breach response teams. HALOCK’s incident response management, process, and planning provide comprehensive coverage in the event of a security breach. Cyber insurance requires that you have a written information security program (WISP) and incident response plan (IRP). Conduct a forensic analysis. Explore an ongoing program that gets in front of any potential threats or attacks. You can be response ready with an Incident Response Readiness as a Service (IRRaaS) program.
- Third Party Risk Management (TPRM)/Vendor Risk Management – Ensure third-party partners are aligned with your organization’s risk controls. Vendors and contractors serve as an extension of your group. They represent you and should operate under your specific energy/utilities business requirements. A required best practice is to always conduct a supplier risk assessment to keep your vendors on point with your security posture. HALOCK can help build and manage a specific program for your secure environment.
- Risk Assessments – Regulations require your safeguards be reasonable to your organization, customers, and partners. With many frameworks available, how do you establish your acceptable risk? The Duty of Care Risk Assessment (DoCRA) helps you define a balanced security strategy factoring in compliance and safeguards based on your specific business and objectives.
- Risk Management & Security System Management: Our experts have the industry knowledge you need to prioritize and optimize security investments while keeping you compliant. An ongoing risk management program provides continuous maintenance and insight on your risk profile and how to enhance your security. Establish ‘reasonable security’ as regulations require. Mitigate your risk and prepare for your cyber insurance underwriting process.
- Privacy – CCPA is the most sweeping legislation to date in the U.S. that concerns the protection of personal information. It broadens the definition of what constitutes personal information and gives California citizens greater control over what companies can do with their personal data. This includes the right to exempt their own personal information from being shared or purchased on the open market. Understand the impact this change and other states’ requirements have on your organization – on personal information and medical data such as biometric or genetic records. Know what private information you manage and where it is located so you can properly secure it – conduct Sensitive Data Scanning as a Service (SDSaaS) to ensure you have a current data inventory of sensitive information.
- Policies and Procedures – The industry is changing, and so should your security protocols. According to the 2020 Midstream Oil and Gas Cybersecurity Survey, “40% reported an attempted or successful data breach in the past year, but only 7% updated their written security policy during the same period.” It is best practice to reassess your processes for any new cyber threat or attack. Proactive efforts are what will help navigate potential breaches.
- Cybersecurity Maturity Model Certification (CMMC) Readiness – Prepare for the new CMMC certification requirement to continue working with the Department of Defense (DoD) or to bid on projects with the DoD.
- Compliance – Achieve your regulatory compliance requirements for HIPAA, PCI DSS, CPRA, GDPR, and more.
Cyber security in the power sector now lags behind industry implementation of new technologies. While digital transformation empowers real-time energy monitoring and power controls, it introduces the potential for IT security shocks as attackers leverage insecure infrastructure to exploit newly connected networks.
“HALOCK always met our project goals.”
– Energy Services Company
HALOCK Security Labs helps prevent security short circuits by combining thought leadership and diagnostic capabilities to build purpose-driven solutions. The actionable outcome is reasonable security and appropriate risk management that protects critical assets without negatively impacting performance. Learn about our comprehensive approach to risk with our Risk Management Program. If you want to safeguard critical infrastructure and empower your operations with improved utility cyber security that’s reasonable and appropriate, let’s talk.
Reasonable Security is Now Defined
The Sedona Conference – an influential think tank that advises attorneys, regulators, and judges on challenging technical matters – just released its Commentary on a Reasonable Security Test. The Commentary is the first document of its kind that provides the legal community with a clear definition of a “reasonable” security control.