What It Will Take for U.S. Energy to Beat Cybercriminals

The stakes have never been higher when it comes to the security of the U.S. energy industry.

As you read this, cybercriminals are seeking out, analyzing and honing in on high-value targets. They’re looking for weakly defended systems that, if hacked, could provide a bridge toward disrupting a broader network of utilities or oil and gas organizations — potentially cutting off essential public services including electricity, gas and water.

This is not merely conceptual. A study of the oil and gas industry conducted by the Ponemon Institute found that 68 percent of respondents reported at least one security compromise. Many of these attacks targeted operational technology (OT). The U.S. Department of Energy reported last year that America’s electricity infrastructure was in “imminent danger” from cyber attacks that are “growing more frequent and sophisticated,” while the U.S. Department of Homeland Security and the Federal Bureau of Investigation recently detected coordinated efforts by malicious actors to compromise critical infrastructure.

Through the eyes of a hacker, OT is not only valuable, it’s vulnerable. Most OT environments were designed to work in isolation. Now, they’re being connected to the outside world, as cyber criminals hope cybersecurity efforts continue to lag behind the speed of digitalization.

Making matters even more difficult, many OT systems cannot be taken offline for patching cycles and updates. In some cases, patching may void a manufacturer warranty.

So, the question now is: What will it really take to secure the energy industry?

For starters, we need to work closely with government regulators in developing standards. On that note, we applaud steps taken by federal agencies to raise the bar for safeguarding critical infrastructure from cyberattacks. The Federal Energy Regulatory Commission has proposed new rules to protect the power grid from cyberattacks. The U.S. Department of Commerce is expected to issue an update to its cybersecurity framework for critical infrastructure early this year.

But new standards would mean a new collective responsibility for systems operators: We have to make sure every company and organization goes above and beyond compliance. Cyber criminals and nation-states are striving for contagion; we need to assess the whole energy value chain and implement a risk-based approach focused on protecting the weakest links.

To be clear, there are the smaller and midsize organizations that lack the same technical capability, staff resources and knowledge as bigger companies. If we can address these weak links, we will lift up the middle and enhance the security of the entire American energy industry.

Our two companies each saw a need to provide clear, easily deployable cybersecurity solutions for the energy industry to protect OT assets. We created a partnership, combining our resources and experiences, because we knew this would help customers achieve better security outcomes in three key ways: by identifying where the greatest risks are; by acquiring the capability to continuously monitor operating systems in a safe, nonintrusive way; and importantly, by building resiliency through passive monitoring and detection.

In an environment where attacks are probable more than possible, every organization needs to proactively develop the tools and capability to rapidly respond and recover in the event of a breach. But broader partnerships than ours – even among competitors – are needed.

Addressing our weakest links, though critical, is not a panacea. If our industry — from energy companies to suppliers — were to make a resolution for 2018, here’s what we think it should be: Let’s come together as a unified force to continually improve the industry’s cybersecurity posture.

As we seek to go above and beyond compliance with government standards, the private sector can still do more than seed new cybersecurity technology and solutions into the marketplace. We can share lessons learned. We can develop an industry playbook of adoptable and proven cybersecurity solutions that secure the middle. And we can work together to ensure these solutions are used out in the field.


Amit Yoran is the chairman and CEO of Tenable Inc. Leo Simonovich is the vice president and global head of industrial cyber and digital security at Siemens Energy.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult