5 key lessons from the scores of cyber attacks on the nation's power grid
In recent months, sophisticated hackers have been carrying out broad scans of dozens of U.S. power grid targets, apparently looking for ways into these networks. These appear to be the same hackers who unleashed the Triton malware designed to disable the safety instrumented systems at a Saudi Arabian oil refinery in 2017.
What are the five things CEOs and other C-Suite executives should take away from these incidents? Considering the increasing sophistication and potential consequences of these attacks, organizations should embed and orchestrate new levels of visibility, communication, technology, preparation and remediation.
Let’s take these equally important measures one at a time. While I will focus on natural resources and energy, because that’s my area, these are lessons that can help almost every industry.
Visibility: It is very difficult to protect your organization from security threats that cannot be seen. But amazingly, far too many companies lack true visibility into their operational networks, and even into their corporate IT systems, which, by the way, are usually not completely separate. My estimate is that some 98 percent of companies don’t have enough insight to adequately protect themselves. Yes, 98 percent!
Communication: Professionals who have the skills and visibility to spot trouble must also be able to get word out quickly. But for this to work, the organization as a whole, from the CEO and board on down, must be open and receptive to setting up ways to communicate quickly. In other words, to escalate the right issues, fast!
Another part of communication is getting the right people to agree, “Hey, we have a problem and we need to put the right amount of muscle (and money) into fixing it … or we’re going to get slammed.” In natural resources and energy, to stay with my favorite example, this means getting alignment and support from the people in the plants and operations, on up to the board. This is problem number one. Too often, security people will say, “We’ve got this,” but most times they don’t. We all need help sometimes, and we can prove it. If you don’t believe me, read down to the part about our Industrial Control System Cyber Range in Houston, Essen and DC.
Technology: In cybersecurity, new tools and techniques become available all the time. That doesn’t mean the answer is adding more tools, because that can make protection more complex and overly expensive. Real cybersecurity is not as easy as mixing a little of this and a little of that, and despite what some will tell you, the cost of implementing, integrating and operating them can quickly add up. But there are good answers.
Preparation: This particular subject is very close to me because I’m involved with the Accenture Industrial Control Systems (ICS) Cyber Range in Houston, Texas. It’s a place where everyone in the energy value chain – upstream, midstream and downstream – can prepare and test the cyber readiness of their industrial systems and process control networks against sophisticated attacks that we unleash. And let me tell you, we have not yet found anything we can’t take down. But those organizations that visit the ICS Cyber Range come out with much better visibility – there’s that crucial word – into their process control environments, and most of them have reduced detection time up to tenfold.
Remediation: This is also an easy one. Even with the best visibility, there are going to be problems – or attempts, at least. This means remediation may be necessary. Here too, the tools and skills are available … if the CEO and the board choose to support them.
Bottom line, I’d like companies to rigorously search their souls. If they honestly come to the conclusion that they’re fully protected, great. But for those who know they may be vulnerable, go get help from somebody who knows what they’re doing. Call an expert, one who knows the field assets and the threat actors. Someone who has implemented the systems and not just audited them. Creating nice presentations describing the problem, assessing everyone to death, and throwing bodies and budget at the problem isn’t enough.