Cyber threats pose a serious risk to energy systems globally, potentially bringing critical energy infrastructure to a grinding halt and disrupting the energy supply to homes and businesses for extended periods. Such disruptions not only have far-reaching consequences for the economy but also directly impact the well-being of consumers.
As the grid increasingly embraces clean energy technologies and transitions to highly automated operations, ensuring robust cybersecurity measures are in place has become an urgent and ongoing priority, so much so that in 2022, the US Department of Energy (DOE) dedicated $45 million in funding to support power grid cyber resilience.
So how is the energy sector faring in the move toward greater cyber resiliency?
Risk data obtained from the CyberGRX Exchange provides valuable insights into the security controls implemented by energy and utility companies, identifying both areas of strength and opportunities for improvement. The data also sheds light on the existing gaps in security measures, which warrant attention and concern. Our objective is to use this data as a catalyst for meaningful discussions between suppliers and organizations, encouraging collaborative efforts to enhance the energy sector’s overall security posture and establish a stronger defense against cyber threats.
Operational Challenges & Cyber Risks Facing the Energy Sector
The energy and utilities sector faces different and unique cyber risks compared to other industries. These risks can be attributed to the following factors:
- Enormous Physical Scope. The extensive network of distribution lines, physical plants, connectors, substations, and other infrastructure components poses a significant challenge in safeguarding the devices and systems utilized by energy and utility companies. The sheer scale and complexity of these physical assets make comprehensive protection a daunting task.
- Magnitude of Impact. Security incidents within the energy and utilities sector can have far-reaching consequences, potentially endangering lives. Events such as water contamination, power outages, or disruptions in gas supply lines can directly impact public safety, making the stakes exceptionally high in terms of human well-being.
- Supplier Involvement. Suppliers play a critical role in performing mission-critical activities within this sector. Third parties are typically responsible for monitoring equipment, billing customers, and managing water treatment processes, among other vital functions. The third-party involvement introduces additional considerations for cybersecurity, as the security posture of suppliers can directly impact the overall resilience and integrity of the energy and utilities sector.
- Outdated Industrial Systems. Energy and utility companies often rely on legacy industrial computer systems that are deeply integrated into their infrastructure. These outdated systems may lack robust security features and are more vulnerable to cyber threats, posing a significant challenge to ensuring the resilience and protection of this critical infrastructure.
While energy and utility providers face significant challenges, they are actively prioritizing cybersecurity measures. CyberGRX data reveals a growing emphasis on implementing controls to safeguard against malicious actors. These measures include security awareness training, social engineering testing, adherence to credential standards, and enhancing network detection and hardening practices.
However, CyberGRX data also highlights the ongoing complexities of securing energy and utility companies. Notably, a substantial portion of these companies is projected to forgo penetration testing, which poses a concern in assessing and strengthening their security posture.
Energy and Utility Cyber Resiliency by the Numbers
To dig deeper into the data, CyberGRX selected sub-controls based on their relevance to particular MITRE techniques related to an Electricity & Biomass industry profile. An analysis [1] of over 6,000 companies in the energy and utility industry found both cyber resiliency opportunities and obstacles.
Cyber Resiliency Opportunities
- 100% of energy and utility companies are predicted to have Credential Standards in place
- 100% of energy and utility companies are predicted to conduct Security Awareness Training
- 100% of energy companies and 90% of utility companies are predicted to have Network Hardening in place
- 97% of energy and 88% of utility companies are predicted to perform Network Device Hardening
- 69% of energy and 71% of utility companies are predicted to have Social Engineering Testing policies in place
Cyber Resiliency Obstacles
- 87% of energy and 99% of utility companies are predicted to not have a Server Host-Based Firewall in place
- 50% of energy and 88% of utility companies are predicted to not have a Virtualized Endpoint Host-Based Firewall
- 86% of energy and 90% of utility companies are predicted to not keep a record of the assets owned and how they are being used
- 83% of energy and 74% of utility companies are predicted to not perform Penetration Testing
Takeaways and Recommendations
For decades, compromised credentials, phishing attacks, and network and device hijacking have been common attack methods. Our data indicates that energy and utility companies have essential security controls in place to mitigate these threats. However, outdated SCADA (supervisory control and data acquisition) systems present one of the biggest threats to securing the energy sector at scale.
Originally conceived and implemented in the 1960s, SCADA systems were designed to be remotely controlled with administrative privileges. Today, as these systems interconnect with the IoT and ICS devices used to form the backbone of expansive infrastructure networks, it becomes nearly impossible to identify assets under management, not to mention establish new security protections or fix what is broken. These vintage industrial controls, which cannot be upgraded and are located in facilities too vast to be secured, result in a toxic combination. Understanding these complexities provides deeper insights into the security hurdles faced by energy and utility companies.
Host-Based Security Systems vs. Network-Based Firewalls
Shane Hasert, Director of Threat Research at CyberGRX, notes that many companies won’t invest in the cost or effort to leverage host-based security systems when it is easier, and in some instances just as effective, to use network-based firewalls. Our data predicts that nearly all energy and utilities companies employ some form of a network-based firewall, but putting a “host” on every system would require significant overhead, especially when organizations don’t fully understand all of their assets.
Organizations may also argue that their systems are segmented from the outside world and, therefore, asset and inventory controls are mitigated from network-borne exploitation. However, Deloitte notes that the number of suppliers and contracted laborers providing expertise and skills has expanded over the years to meet a wide range of industry needs. For example, from 2015 to 2020, Exelon’s supplier pool grew by 18%, to 8,000 suppliers. A growing ecosystem means that there are more ways for these systems to be penetrated, and to achieve greater cyber resiliency, the energy sector must mitigate the risk posed by its vendors and suppliers.
A critical method for ensuring the security of integrated network components is the integration of penetration testing. However, the industry's predicted shortfall in conducting penetration testing raises significant concerns. Despite the complexities and potential initial costs involved, establishing a robust penetration testing regimen would prove instrumental in identifying and remedying SCADA challenges. Furthermore, comprehensive penetration testing can help offset deficiencies arising from the absence of host-based firewalls. Embracing this essential practice is key to fortifying the security posture of the energy and utilities sector.
In a rapidly evolving landscape of cyber threats, the energy and utilities sector must rise to the challenge of securing critical infrastructure and improving cyber resiliency. While essential security controls are in place to mitigate prevalent attack methods, the outdated nature of SCADA systems presents a significant vulnerability that demands attention. Embracing penetration testing as a proactive measure can expose hidden weaknesses and pave the way for effective remediation. By prioritizing comprehensive security assessments and investing in robust testing practices, the industry can fortify its defenses, safeguard vital operations, and ensure a resilient future for energy and utility systems. It is time to address these security challenges head-on and proactively protect the backbone of our energy infrastructure for the benefit of all.
CyberGRX Data Methodology
[1] The predictive data used in this analysis was produced by applying advanced machine learning to data from various sources, including self-attested assessments from CyberGRX’s third-party risk Exchange, firmographic information, and outside-in scanning data from our partners. With up to 91% accuracy, results can be used to evaluate levels of risk posed by a third party against 13 key security categories established by the MITRE ATT&CK™ framework, allowing organizations to pinpoint outliers that will require further assessments to ensure they meet their security standards.