Cyberattacks are one of the biggest threats facing businesses today, and the energy and renewables sector is not exempt. In fact, energy companies frequently make the list of the top 10 industries targeted by attackers. As the industry undergoes massive change, it’s entirely possible that energy companies become an even more enticing target.
There are several reasons the industry is so vulnerable, but chief among them is the large attack surface. Vulnerabilities exist not just in power plants, but in energy transmission and distribution networks, IoT devices in people’s homes; and, of course, in any third-party partners with a weak security posture.
The industry is also undergoing a number of changes, including a move to renewable energy and digitization, both of which could make the energy sector more vulnerable. Additionally, profits are soaring. Without a doubt, that will attract the attention of potential hackers.
The energy sector also presents some unique opportunities for exploitation due to the nature of the services it provides. Unlike other industries, some attacks on the energy sector might be politically motivated. Any disruption to the power grid or power plants would leave millions of people without power and bring a country or its regions to a grinding halt. There have already been attacks intended to cut off power to whole regions or collect intelligence around the world.
Unfortunately, the energy sector is ill-prepared for a cyberattack. DNV, an independent risk management and quality assurance provider, conducted a survey of more than 940 energy professionals and executives around the world and found that six in ten C-suite respondents feel their organization is more vulnerable to an attack now than ever before, and 84% of respondents feel a cyberattack would cause damage to energy assets and critical infrastructure.
While large billion-dollar energy companies likely have the budget to invest in huge cyber-security departments, what can smaller players do to become more cyber resilient? The answer begins with knowing where the biggest vulnerabilities lie.
Top cybersecurity threats to the energy sector in 2023
The energy sector faces threats that are similar to any other industry. Cybercriminals will attack endpoints, and your employees will be the targets of phishing attacks. But, those parallels aside, there are a few ways in which the energy sector is particularly vulnerable, starting with the state of the industry today.
- Digitization of the energy sector: The energy sector is undergoing digitization, which offers a number of benefits — and a slew of new threats. Though IT security has long been a part of many companies’ cybersecurity plans, securing the systems that monitor and control operations is a new challenge for energy companies. As operational technology (OT) becomes digitized, new points of attack become available to hackers. They can suddenly tap into power grids, wind farms, and pipelines; giving them the ability to disrupt operations of critical infrastructure from afar. This new reality makes it imperative that energy companies come up with a robust cybersecurity plan that protects OT as it becomes digitized.
- SCADA vulnerabilities: There’s one type of OT that is particularly vulnerable to exploitation, and that’s supervisory control and data acquisition (SCADA) systems, which are responsible for managing the industrial networks. Digital SCADA systems present security challenges because they’re often built on legacy systems that can’t receive security updates, making them easy to infiltrate. What’s worse is that the process of replacing legacy systems would likely disrupt service for customers, which isn’t an option most companies would even consider. Due to the dispersed nature of energy distribution networks, these SCADA systems are typically accessed remotely. The DVN survey identified remote access to OT systems among the top three methods for potential cyberattacks on the energy industry. This makes it essential that energy companies teach smart password management and enable two-factor authentication (where possible) to protect their systems.
- Third-party vendor security: There are several actions an energy company must take to secure its systems and data. But if third-party partners aren’t taking the same precautions, companies open themselves to an attack. DVN research found that while many companies were investing in vulnerability discovery, only 28% of energy professionals felt that their company was investing in supply chain security. So it’s incredibly important for energy companies to do their due diligence in ensuring partners have an acceptable security posture.
- Weak device security: Cybersecurity in the energy sector involves more than ensuring power plants and networks are properly secured. There are a number of devices plugged into the ecosystem that need to be secured, and some are outside the control of energy companies. One example is IoT devices with Lithium-ion batteries. These IoT devices connect to the networks and use battery management systems to monitor the device. If these devices have poor encryption or allow for remote access, which most do, they are vulnerable to an attack.
- Employee account credentials: For most businesses, individual accounts with unique usernames and passwords are recommended. This will not only decrease the chances of someone obtaining login credentials, but will also allow the business to identify who might be responsible should a breach occur. However, when it comes to monitoring operational systems in the energy sector, companies can’t lose visibility for even a minute. So asking operators to log on and off at every shift isn’t common practice. These shared accounts, while necessary, pose a security threat.
Why SMEs in the energy sector are at risk
Though big names like BP and ExxonMobil are undeniably susceptible to attack, adversaries don’t discriminate. Small and midsized enterprises (SMEs) are targeted just as frequently. Because small businesses lack the security budgets of larger energy companies, hackers know their defenses are likely weaker. That makes SMEs a juicy target!
In addition to smaller budgets, SMEs also tend to have smaller teams. Consequently, the security and IT roles are often rolled together and assigned to an IT professional. Because IT and security are two entirely separate fields, the IT manager may not have the security expertise required to secure the enterprise. Hackers are aware of this and see SMEs as low-hanging fruit.
SMEs in the energy sector are particularly vulnerable right now due to digitization. As companies learn how to set up and manage new technology, they’re learning the best ways to secure it. And, as that period of trial and error occurs, hackers can find their way in and disrupt operations.
How SMEs in the energy sector can become cyber resilient
One of the first steps an SME should take is to acknowledge that they are vulnerable to attack. It’s not a matter of if an attack happens, but when: they need to be ready to defend themselves when the attack comes. That starts with investing in cybersecurity basics, including email protection, endpoint protection, endpoint detection and response, and privilege account abuse detection. Companies should also invest in cyber insurance and an incident response retainer. This is especially true for the energy sector where getting devices and networks back online is highly time-sensitive.
Unless you have a robust in-house cybersecurity team, you’ll need to outsource at least some of your security efforts to an outside vendor. When you can’t afford to be offline for even a second, you need a partner who can provide 24/7 monitoring and response services. In an ideal world, that partner would also provide the necessary tools and technology needed to secure your organization and review your cybersecurity plan to make sure it’s airtight.
While it’s rare to find such a partner, SolCyber is up to the challenge. Our Foundational Coverage ensures small businesses in the energy sector have everything they need and nothing they don’t. And we can get you up and running in days!
Once you have the right tools and partnerships in place, make sure you get buy-in across your organization on your cybersecurity plan. In the energy sector, employees tend to be dispersed, so it’s essential to clearly communicate security best practices and have a system in place for tracking employee participation.
Ready to become cyber resilient? Reach out to the experts in cybersecurity, to see how we can help.