4 Tips to Increase Cyber Security In Energy Infrastructures
Knowing how to assess risks, put security measures in place, and reduce vulnerabilities will help maximize cyber security within the energy sector.
Air Date: October 14, 2021
Moderator: Martin Durbin, Senior Vice President, Policy, Christopher D. Roberti, Senior Vice President for Cyber, Intelligence, and Supply Chain Security Policy, U.S. Chamber of Commerce, Heath Knakmuhs, Vice President and Policy Counsel, Global Energy Institute
Featured Guests: Angus King, United States Senator, Maine, Jim Langevin, U.S. House Representative, Robert M. Lee, Founder and CEO, Dragos, Tom Fanning, CEO, Southern Company, Trevor H. Rudolph, VP Global Digital Policy and Regulation, Schneider Electric, Betsy Soehren-Jones, Director, Exelon, Jonathan Tubb, Senior Director, Siemens Energy
Due to increasing cyber attacks and breaches across the world, the private sector must increase cyber security measurements, with cyber vulnerabilities that need to be reduced. In order to increase the protection of data and resources, private sectors and the government should create a collective defense.
In a recent EnergyInnovates event from the U.S. Chamber of Commerce, several experts in the energy and security sectors spoke on a panel about the importance of cyber security in energy infrastructure and how the government and private sectors can work together to protect and defend critical energy infrastructure.
Digital Security in the Energy Sector Starts at with 'Cyber Hygiene'
The energy sector is highly targeted in the United States, which leaves it vulnerable to cyberattacks and breaches. Maine Senator Angus King explained that cybersecurity starts at the desktop and with the individual using it.
“I think prevention starts at the laptop or the desktop,” King said. “It starts with individual decisions with people not clicking on phishing emails [and] people using a company’s two-factor authentication. Just routine cyber hygiene will prevent something on the order of 85 percent or 90 percent of most cyber attacks.”
King added that the government must partner with the private sector because “a cyber attack can disable the country.”
Risk Management Aids in Maximizing Cyber Security
Part of protecting the country and its data and resources involves risk management. This is done to identify and assess any vulnerabilities or threats to infrastructures, and any that are found are controlled. Congressman Jim Langevin spoke about the importance of risk management in private sectors and how the government can partner with them to maximize security.
“We need an adaptive strategy of risk management,” Langevin mentioned. “That requires that [...] we face the vulnerabilities in our systems that the threat actors could exploit and the consequences of a certain system going down.”
He explained that the Cyber Diplomacy Act would create a bureau for an international cyberspace policy in the U.S. State Department and increase the efforts to engage with foreign countries on such matters.
Detection Is as Important as Protection
Along with protecting data and resources, Robert Lee, founder of Drago, discussed the act of detection is a necessary step in increasing security.
“If you’re only doing the protection thing [...] if you’re just firewalling your system and thinking how much of our guidance is protection [...] that’s not bad,” Lee explained. “But it just means that we’re not getting detection. And if you don’t detect things, you never actually know it’s there to respond to it.”
Similarly, Tom Fanning, CEO of Southern Company, addressed how threats to the grid could impact national security and how the private sector must “re-imagine national security” and take an active role. He listed three ways to do so: shape how threats are viewed, harden defenses and collaboration with the federal government, and arm those in defense with necessary tools.
The Energy Supply Chain Must Be Secured
Larger companies across the energy supply chain are all working to ensure security in each part of the process, from development to end-use.
“Building things according to cybersecurity standards starts [...] with our secure development life cycle,” explained Trevor Rudolph, VP of Schneider Electric. “Looking at things like vulnerability management, source, code governance, continuous monitoring, and testing, ensuring that what we sell to customers is as secure as it possibly can be.”
Betsy Soehren-Jones, director of Exelon, discussed the creation of a central repository that would “enable purchasers and manufacturers to streamline the risk assessment process.” She explains that it would make the responses to risk assessments much faster and less repetitive.
Jonathan Tubb, senior director of Siemens Energy, said his company uses a strategy called PSO, or “product solution security officer organization.”
“[It’s] where each one of our products or services has an individual who is responsible for the cybersecurity concepts behind that solution or service,” said Tubb, noting that PSO works to show customers that everything they provide is authentic and secure.