“In the energy sector, there is an increased number of threats and threat actors all the time, looking to cause disruption,” Steven O’Sullivan, head of cybersecurity at Enzen, said.
Speaking to Current± about the risks to the energy sector from cyberattacks, O’Sullivan said: “The energy sector’s own expansive, increasing landscape is making this so much easier for them to do.”
Indeed, as the sector moves towards an increasingly decarbonised and digitalised system, cybersecurity is an area that must be accounted for, with the threat of cyberattacks very much present.
“Renewables really rely on a big digital footprint and with any digital transformation there is an increased threat landscape. The actual expansive scope of the attack surface is now amplified by the fact that you’ve got digital tech involved, so cloud services etc, and then you’re adding on smart meters, smart sensors, etc.
“That massive digitalisation of the energy sector, built with renewables, amplifies the ability for data to be stolen,” O’Sullivan said.
Indeed, the biggest threats for the energy sector are data theft, ransomware and fraud, with attackers often motivated by monetary gain. In fact, attackers will often operate as a business. However, political motives for targeting a specific nation or sector are also increasingly cropping up.
“I think now that it’s moved away from the individual to being more of a political tool.”
Certain areas of the energy sector are more vulnerable to cyberattacks, with the energy sector overall a much-targeted industry. Indeed, an IBM report in February found that the UK’s energy sector was the target of 24% of all cybersecurity incidents in the country last year, making it the most targeted industry.
“If we look at the energy sector, the water services, gas, electric – they are inherently built on legacy systems,” O’Sullivan said.
He explained that these systems weren’t built with security in mind, and are therefore inherently weak as investments into security haven’t historically been made.
“They’ve left it and left it, now they’re trying to bolt it on to existing systems. It doesn’t work,” he said.
Alongside outdated systems and a lack of cybersecurity investment, there are other reasons why the energy sector is a top target.
O’Sullivan said: “Those sectors are easy to attack, because you get a bigger bang for your buck in terms of disruption and dislocation of services.”
Indeed, there is now a convergence between the cyber and physical sides, with cyberattacks capable of affecting physical assets.
“You can nowadays move away from just that logical attack where you can’t log on to the website, to causing a physical manifestation. If you have that motive in mind, you can get a much greater impact.
“The interdependencies and interrelationships between the physical and the cyber are really, really worrying.”
Other areas to be aware of include the interlocked nature of the UK energy sector with the global supply chain.
“When we are connected with a supply chain that extends globally, you’re as weak as they are.
“I think everyone in the energy sector in the UK is really worried about the supply chain; supply chain security is one of the key threats that we face,” O’Sullivan said.
For companies looking to implement cybersecurity, O’Sullivan said the first port of call will always be the government’s official advice. So companies should look at the National Cyber Security Centre (NCSC), which he described as a “mouthpiece of how businesses in the UK should protect themselves”.
Companies should look to best practice on cybersecurity framework compliance, ISO compliance, European network infrastructure agencies and other sources, which will give them guidance on what they have to do.
However, companies will then have to transpose those guidelines and do a gap analysis to make them real in their organisation. As there will be different levels of maturity between different organisations, an individual organisation will need to take a strategic view, looking at where it currently is regarding cybersecurity, the threats it faces, where it wants to be and how it gets there.
“It is about following the best advice,” O’Sullivan said.
That advice is typically a mix, however, of input from consultants and the official government view, as well as benchmarking against what peers in the sector are doing.
“It’s a blended model of understanding and knowing where you are now and where you need to be,” he said.