What Can the Energy Industry Do About Hackers and Cyberspies?

by Bob Shively, Enerdynamics President and Lead Instructor

It seems you can’t turn on the news lately without hearing the latest report about hacking and cyberspies.  And sadly, digging beyond the news makes it appear that the issue isn’t just media hype.  For instance, Christian Science Monitor recently reported that cyberspies “targeted nearly two dozen U.S. natural gas pipeline operators over a recent six-month period, stealing information that could be used to sabotage U.S. gas pipelines, according to a restricted U.S. government report and a source familiar with the government investigation”[1].

And similar concerning events have occurred on the electric grid[2].  Clearly gas and electric infrastructure companies are scrambling to respond by beefing up security.  This is made more difficult by multiple factors including:

  • many of the IT systems in use were designed before security was a high concern;
  • the push for smart grid has resulted in more and more portions of the grid being interconnected and thus potentially vulnerable;
  • and employees are using more and more interconnected devices at work and at home.

So how do companies address cyber security?  The SANS Institute [3], a cooperative research and education organization that works with key government agencies and private organizations, has developed a framework that identifies 20 key steps:

  1. Inventory of authorized and unauthorized devices on the network
  2. Inventory of authorized and unauthorized software on the network
  3. Set secure configurations for all hardware and software
  4. Perform continuous vulnerability assessment and remediation
  5. Install malware defenses
  6. Only buy new software that is designed for security and replace or rewrite existing software that isn’t
  7. Perform rigorous wireless device control
  8. Build and maintain data recovery capability
  9. Perform security skills assessment for all your workforce and require appropriate training to fill gaps
  10. Require and verify secure configurations for network devices such as firewalls, routers, and switches
  11. Continuously limit and control network ports, protocols, and services
  12. Control use of administration privileges
  13. Maintain boundary defenses between internal and external devices
  14. Continuously maintain, monitor, and analyze security audit logs
  15. Control access based on need to know
  16. Monitor and control employee accounts
  17. Identify, monitor, and protect critical databases
  18. Develop incident response capability
  19. Design for secure network engineering
  20. Perform penetration tests and attack drills

If this sounds like a lot of work, it is.  But the alternative is to risk making the headlines as being the first energy provider brought down by a cyber attack.

About Enerdynamics

Enerdynamics was formed in 1995 to meet the growing demand for timely, dynamic and effective business training in the gas and electric industries. Our comprehensive education programs are focused on teaching you and your employees the business of energy. And because we have a firm grasp of what's happening in our industry on both a national and international scale, we can help you make sense of a world that often makes no sense at all.