Hackers Shut Down a Pipeline. How Should the Energy Sector Respond?

With all eyes on cybersecurity, the energy and utilities industries are adopting zero-trust frameworks. Here are three key steps to implementing zero trust for critical industries.

Recent high-profile breaches have raised cybersecurity to the forefront of board agendas and leadership discussions — particularly in energy and utilities organizations. Now on high alert, their sights are set on how to bolster their cyber defenses to avoid being the next victim.

This urgency is additionally fueled by the fact that the industry went through a considerable amount of digital transformation and is already far down the path of merging operational technology (OT) with longstanding IT infrastructure. New technology, consolidated environments, and recently introduced processes have expanded the overall threat surface for cyberattacks.

The realization that critical OT infrastructure can be exploited via targeted attacks has hit home, with multiple public cybersecurity events occurring within the past several months. In May, the US government issued an executive order directing federal agencies to move toward zero-trust architecture as a defense against emerging cyberthreats. According to Forrester: "Zero trust is not a security solution; it's a strategy." This isn't a tool or piece of technology an organization can buy. It's a methodology, a philosophy, and a holistic approach that integrates cybersecurity across the enterprise.

Energy and utilities companies have been slow to take the plunge, with around 10% to 20% of Capgemini's clients actively progressing and activating a zero-trust approach. How can these organizations implement zero trust in a way that's practical for their specific industry? The reality is that many have been on the path toward zero trust all along: some of the fundamental steps they've already taken limit an attacker's entry points and mobility once inside. But with heightened attention from customers, boards of directors, and even the US government, now's the time to formalize the process.

Here are three steps energy and utilities companies can take to establish a zero-trust approach to cybersecurity:

1. Network Segmentation to Limit an Attacker's Mobility
When a hacker breaches an organization's initial lines of defense, the cyber team's job is to "put them in a box." The attacker now sits in one specific portion of the network; blocking easy movement into other segments of the enterprise network limits the risk and the damage that can be done. While the concept of segmentation is nothing new, networks today are far more complex and more intricately connected. The convergence of IT and OT has brought enormous business value to energy and utilities organizations, but it opens the door to increased cyber-risk. Companies must start their zero-trust journey by appropriately segmenting and modernizing their network framework, particularly across legacy systems and outdated segmentation models. Maturing and properly segmenting the network reduces an adversary's ability to move laterally, affect additional devices and functions, and steal or destroy valuable information. With so many real-world consequences for power plants, electric grids, pipelines, and more, microsegmentation of networks is vital to reducing potential physical damage to facilities and communities.

2. Asset Management in a Connected World
Given the recent push of technology transformation in energy and utilities brought on by the pandemic, newly integrated tools and applications must be identified and authenticated. Once organizations have segmented their networks, layering asset and identity management on top is the next step along the zero-trust journey. Determining which devices are connected, which systems are linked, and how each of those links is uniquely authenticated is critical to understanding an organization's security posture and maturity. For energy and utilities companies working across power grids or pipelines, for example, it's essential to identify which devices should never be linked to others.

3. Strict Access and Privileges Across the Business
Once the network is segmented and the structure of devices and technologies is identified, the third step, and perhaps the one that most fully embodies the zero-trust approach, is determining access and privileges. The energy and utilities industry operates in some of the most dangerous, hazardous, and globally impactful physical environments in the world. Plants and grids must stay operational 24 hours a day, seven days a week, 365 days a year, and security teams in this sector must understand which employees have which level of permissions and privileges.

Do certain people truly need administrative rights? How much control and access do team members have, and what would that look like in the hands of an attacker? With zero trust, security teams must deny by default and reduce that power and control — restricting access, and only granting privileges to the people who absolutely must have them.
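The three steps above fit together as one deny-by-default policy: an asset inventory that records which zone each device sits in (step 2), a segmentation matrix that permits only explicitly listed zone-to-zone flows plus a list of zones that must never be linked (step 1), and per-account privilege grants where the absence of a grant means no access (step 3). The following is an added illustration, not code from the article or from any vendor; the zone names, hosts, accounts, ports, and flow log are constructed for the example.

```python
"""Deny-by-default flow and access policy for a segmented IT/OT network.

Added example: inventory, segmentation matrix, never-linked zone pairs and
privilege grants are all constructed here for illustration.  Every flow and
every access request is denied unless a rule explicitly allows it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    zone: str   # constructed zone names: "corp-it", "dmz", "scada", "plc"
    owner: str  # accountable team


# Step 2: know what is connected and where it sits (constructed inventory).
INVENTORY = {
    "ws-finance-01": Asset("ws-finance-01", "corp-it", "corporate"),
    "historian-01": Asset("historian-01", "dmz", "ot-eng"),
    "hmi-01": Asset("hmi-01", "scada", "ot-ops"),
    "plc-pump-07": Asset("plc-pump-07", "plc", "ot-ops"),
}

# Step 1: segmentation matrix.  Only listed (src_zone, dst_zone, dst_port)
# tuples are allowed; anything else, including unknown assets, is denied.
ALLOWED_FLOWS = {
    ("corp-it", "dmz", 443),  # IT reads the historian over HTTPS
    ("scada", "plc", 502),    # HMI polls the PLC over Modbus/TCP
    ("scada", "dmz", 443),    # SCADA pushes data to the historian
}

# Zone pairs that must never talk directly, regardless of the matrix.
NEVER_LINKED = {frozenset({"corp-it", "plc"})}

# Step 3: explicit grants per account; no grant means no access.
GRANTS = {
    "alice@corp": {("historian-01", "read")},
    "bob@ot": {("hmi-01", "read"), ("hmi-01", "operate"),
               ("plc-pump-07", "read")},
}


def flow_allowed(src_host, dst_host, dst_port):
    """Return (allowed, reason) for a single network flow."""
    src, dst = INVENTORY.get(src_host), INVENTORY.get(dst_host)
    if src is None or dst is None:
        return False, "unknown asset"
    if frozenset({src.zone, dst.zone}) in NEVER_LINKED:
        return False, f"{src.zone}<->{dst.zone} is a never-linked pair"
    if (src.zone, dst.zone, dst_port) in ALLOWED_FLOWS:
        return True, "explicit allow"
    return False, "no matching rule (default deny)"


def access_allowed(account, host, action):
    """Return (allowed, reason) for an account performing an action on a host."""
    if host not in INVENTORY:
        return False, "unknown asset"
    if (host, action) in GRANTS.get(account, set()):
        return True, "explicit grant"
    return False, "no grant (default deny)"


def audit_flows(flow_log):
    """Return the flows in a log that the policy denies, i.e. the lateral
    movement a properly segmented network should keep in its box."""
    denied = []
    for src, dst, port in flow_log:
        ok, why = flow_allowed(src, dst, port)
        if not ok:
            denied.append((src, dst, port, why))
    return denied


# Constructed flow sample: two legitimate flows, one IT workstation reaching
# a PLC directly, and one historian-to-HMI SSH attempt with no rule.
SAMPLE_FLOWS = [
    ("hmi-01", "plc-pump-07", 502),
    ("ws-finance-01", "plc-pump-07", 502),
    ("ws-finance-01", "historian-01", 443),
    ("historian-01", "hmi-01", 22),
]

if __name__ == "__main__":
    for entry in audit_flows(SAMPLE_FLOWS):
        print("DENY", entry)
    print(access_allowed("alice@corp", "plc-pump-07", "operate"))
```

The never-linked check runs before the allow list so that a mistaken matrix entry can never reconnect a corporate workstation to a PLC, and unknown hosts are denied outright, which is what makes the inventory in step 2 a security control rather than a spreadsheet.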

Adversaries already know that zero trust is the next big push for organizations bolstering their cyber defenses. Energy and utilities companies going down this path must be ready for anything. Achieving a security program built on the backbone of zero trust takes time, commitment, and communication, but there has never been more support from executives and boards to push forward and strengthen defenses. While perfection in the world of cybersecurity is impossible to achieve, progress in network segmentation, identity management, and close supervision of access and privileges can keep a critical organization from being the next victim of a major attack.
