Cybersecurity’s constant evolution to ward off threats keeps companies on their toes — but a focus on people, technology and process can help with awareness and minimize the threat landscape.
During the Cybersecurity in Energy session on March 6 at CERAWeek by S&P Global, industry experts said there are more potential entry points for attack than ever. Attackers often go after the softest targets, which means the network is only as safe as its weakest link. And artificial intelligence (AI) will drive more evolution in the cybersecurity universe.
Nathalie Marcotte, senior vice president and president of process automation at Schneider Electric, said companies are digitizing to gain more visibility of their data and increase operational efficiencies. Digitization means potentially exposing that information to hackers.
“You cannot digitize and then have a shaky backbone on cybersecurity,” she said. Cybersecurity “goes hand in hand in the digital transformation journey they’re taking.”
With hacks now commonplace — on Feb. 28 the U.S. Marshals Service fell victim to a cyberattack — people are also much more aware of the need for cybersecurity now than they have been, she said.
“15 years ago, we had to tell our clients, ‘you are under attack.’ You don't have to have this conversation. Nowadays people are aware that they're at risk,” Marcotte said.
The key elements to focus on when it comes to cybersecurity are “the people, the technology and the process,” she said. “Good process, good training of your talent and (let the) more technical people deal with the technology, but between the three you can address it.”
Anton Dahbura, executive director of the Information Security Institute at Johns Hopkins University, said companies need to have better cultures that are security-aware from leadership down.
Cybersecurity awareness evolves
For a time, companies didn’t know to ask for cybersecurity, Juan Torres, associate laboratory director for energy systems integration at National Renewable Energy Laboratory (NREL), said.
Around the turn of the millennium, when NREL asked utilities why they were not requesting cybersecurity in their systems, “they said, ‘well, the vendors aren’t providing it,’” he said. When NREL asked vendors why they weren’t adding more security into their products, “they said, ‘well the customers aren’t asking for it.’”
NREL re-approached the utilities, saying, “Now these vendors are telling us they're not putting this in because you're not asking for it. Why aren’t you asking for it?” Torres said. “And they said, ‘Because we don’t know how.’ That’s what it came down to. It was really eye-opening.”
It is costly for the utilities to retrofit security, he said, so it’s better to include it from the outset.
“You have to start early. Adding security after the fact is always more expensive, and it's always a bigger challenge,” Torres said. “The earlier you can get into the design concepts, the strategies for these systems, then the better they are.”
More risk ahead
One of the big concerns is the vast number of potential entry points for a cyberattacker, Torres said.
In the energy industry, sensors and devices are increasingly prevalent and closer to the consumer than they have been in the past, he said.
“There are entry points potentially everywhere, not just on the IT side. Look at the supply chain as well, where are we getting any electronic components, any computer network components and all the software,” Torres said. “They're all dealing with the same issues on the IT and OT side.”
As a result, it’s necessary to incorporate that into the understanding, management and protection of infrastructure, he said. In the end, the network is only as strong as the weakest component.
Dahbura said attackers tend to focus on easier targets, so he worries about mid-size and small organizations.
“Everybody's linked together, and the bad guys just go for the softest targets,” he said. “The mid-size companies, small-size companies, they're sitting ducks right now.”
Many attacks are ransomware-based.
“Ransomware is a brutal brute force attack,” Dahbura said. “I believe that there are technological solutions to it. It should be a thing of the past.”
His group recently applied for a patent on such a technology, he added.
What worries Dahbura more are the unknowns in cybersecurity associated with AI.
“We have no idea how to make AI secure yet. We don't even know what the threats are, but we know there are significant threats,” he said.