Navigating The Increasing Complexity of Energy Cybersecurity
By Pedro Alcalá | Thu, 03/10/2022 - 18:31
Demand for cybersecurity services from energy facility operators has skyrocketed as more high-profile attacks reach headlines. However, the complexity of a landscape now filled with new regulatory norms, standards and methodologies has increased significantly as well, said Bharadwaj Vasudevan, Technical Sales, Hitachi Energy North America.
Vasudevan defines the scope of cybersecurity in clear terms: “Cybersecurity encompasses all measures taken to protect communication and automation systems against unauthorized access, attacks, disruptions or loss.” He said that companies beginning their cybersecurity journey can easily become overwhelmed by the length of the process, which is all the more reason to begin the adoption process as early as possible. This is especially the case for energy infrastructure, which is experiencing a digital transformation and a parallel adoption of automation systems. As he puts it, “Moving into the digital era with confidence requires automated, evolving and resilient cybersecurity solutions that can overcome significant challenges.”
Vasudevan explained that the threat environment has grown exponentially. Every novel technology for energy facilities creates a new network of possible vulnerabilities, as well as new ways to exploit old weaknesses. He highlighted that “cybersecurity attacks have continued to increase through 2020 and 2021, as COVID-19 drove cyber espionage activity and created opportunity for cybercriminals.” According to the 2021 ENISA Threat Landscape report, the Phishing-as-a-Service (PhaaS) business model has been prevalent in past years but is now gaining more momentum and relevance. The Ransomware-as-a-Service (RaaS) business model increased greatly in 2021, becoming one of the largest criminal enterprises in the niche. This is particularly relevant to Mexico given the globally infamous ransomware attack on PEMEX in 2019, considered a precedent for this increase in activity and a reference for understanding the 2021 Colonial Pipeline ransomware attack in the US. These attacks are, in Vasudevan’s words, “highly impactful on costs.”
This risk has given rise to many new norms, regulations and standards to verify the shielding of international energy infrastructure. They vary greatly by jurisdiction, but one of the most relevant standards is the US-based NERC-CIP. Compliance with NERC-CIP is referred to by Vasudevan as “a good guideline and binding document when it comes to what an operator can expect in Mexico.” The relevance of each one of the norms within these regulatory packages varies, depending on whether it refers to technical standards to be considered by manufacturers or managerial standards to be heeded by administrators. For example, Vasudevan notes that IEC62351 and IEEE 1686 are more relevant to manufacturers, while IEC62443 (former ISO99), NERC-CIP and ISO27000 are more relevant to organizational processes.
There are many more norms and procedures. Vasudevan encourages operators to go beyond following simple procedures and ask what motivates their limitations. For example, if a procedure calls for a password to be changed every 90 days, it is important to learn why that period was chosen for that access point. The difference between physical and virtual access points is also key: having an unauthorized person on site is just as much of a cybersecurity matter as anything happening online. Vulnerabilities need to be identified on both sides of that coin. “The convergence of international standards is key for achieving secure and interoperable systems,” concluded Vasudevan.