Cyber cure can be worse than cyber risk
Every company is going to experience a cyberattack; what’s hard to know is how to prepare and how to respond.
The bigger the company — and the bigger the equipment — the greater the challenge. Protecting an industrial process is a lot more complicated than downloading the latest anti-virus software, and most executives do not know where to begin.
More than half of electric utility executives surveyed by the Ponemon Institute, which studies cybersecurity, said they expect a cyberattack on a significant piece of infrastructure in the next 12 months. Only 42 percent said their defenses were high.
They listed their problems as lack of skilled workers, fragmented control systems and slow detection of system breaches. Only 31 percent said they were prepared to respond to an attack.
Other industries that employ big, computer-controlled machines, including oil and gas, refining and manufacturing, do not rank themselves much better. Part of the problem is that their equipment is designed to last 20 years or more, unlike software, which is replaced every two years.
“The energy vertical really faces what I would call the perfect storm,” said Leo Simonovich, global head of industrial cyber and digital security for Siemens.
“On the one hand, there’s a vast brownfield of assets that were never designed with security in mind,” he told me on the sidelines of Time Machine 2019, an artificial intelligence conference. “On the other hand, the energy vertical is undergoing a massive transformation with the introduction of renewables through digitalization and connectivity.”
Siemens built many of the machines that drillers, refiners, generators and others use for their businesses. The company is trying to figure out how to help its customers defend against hackers.
“Sometimes the cure to a cyber vulnerability is worse than the risk of an attack,” Simonovich said. “If you do a basic vulnerability scan, you can bring down a plant. If you deploy a patch, you can bring down an asset or even a fleet.”
Anyone who uses enterprise software has probably experienced this problem when an update mistakenly takes the entire firm offline for a few hours, or even a day. When a turbine used to generate electricity or a control system for a refinery is involved, the consequences are more severe.
“Ninety percent of the things that are out there cannot be patched for a variety of reasons,” Simonovich added. “They’re either remote, somewhere in the North Sea or the Gulf of Mexico, or you’ll ruin the production environment.”
Disconnecting the system from the rest of the world, a so-called air gap, doesn’t work in a world where remote operation and cloud computing are the norm. The alternative, then, is creating detection systems that allow control engineers to quickly identify a cyberattack and have the confidence to know how to stop it.
“Get a grasp on what you have, how vulnerable it is, and prioritize that based on business priorities, operational priorities, risk priorities and then actually do something about it,” Simonovich said. “This is where artificial intelligence can really help.”
I find it unfortunate that Simonovich invoked the term AI, which has become so buzzy that many don’t take it seriously. But what he’s talking about is a machine that detects patterns, the kind of digital fingerprints that hackers generate and that reveal their presence in a system. This is not an omniscient robotic voice sounding an alarm; it’s about basic analytics.
“In the industrial world, they’re used to analytics,” he told me. “But analytics for security is something that’s new.”
A digital machine trained to detect unusual activity on a specific piece of technology can identify abnormal behavior much more quickly than a human and, using a database created from past experiences, recommend the right course of action. But a human must still decide how to react to the suspected cyberattack.
“You have to have domain expertise, and you have technologies that are proven to work,” Simonovich said.
You also need business leaders ready to assess the threat and rise to meet it. Less than a quarter of U.S. utility executives surveyed said their companies monitor their data streams or use artificial intelligence to monitor for cyberattacks.
Most companies are also approaching cybersecurity as a compliance issue, meeting the minimum requirements set by regulators or insurance companies. But we all know that regulators and insurers are behind the technological curve and react to past attacks. They don’t anticipate the next one.
Until boards of directors reward management teams for the number of cyberattacks they defeat rather than waiting to get angry over an outage, the hackers will remain successful. A more forward-leaning approach is required.