The interconnectedness of the energy sector presents both increased challenges and potential, according to panelists at an Institute for Critical Infrastructure Technology (ICIT) briefing on Wednesday.
“The energy sector is clearly the backbone of all 16 critical infrastructures,” said Jay Williams, an ICIT fellow and vice president of cyber infrastructure protection at Parsons. “Cybersecurity needs to be part of the culture in all 16 critical infrastructures.”
The briefing was based on a report released by ICIT, titled “The Energy Sector Hacker Report: Profiling the Hacker Groups that Threaten our Nation’s Energy Sector.”
Parham Eftekhari, senior fellow at ICIT and moderator of the event, pointed to his favorite passage of the report as further evidence of energy’s interconnected nature: “The nation’s socioeconomic survival depends on a complex energy grid, which in turn is dependent on an assortment of power generation plants, distribution facilities and transport mechanisms to deliver energy to homes and businesses that support life, business, operation, and critical infrastructures.”
The briefing opened with a talk with Joyce Hunter, deputy CIO of policy and planning at the Department of Agriculture, who explained that other critical infrastructures like agriculture depend on the operations of the energy sector to function: “We have to have a relationship with energy; we have to have a relationship with transportation.”
“These 16 sectors are so interconnected,” said Pete Tseronis, former CTO at the Department of Energy. “When a city goes out and people don’t have food and panic and mayhem and pillaging and all that, you see the impact that not having energy or power can have on our lives.”
The panelists also explained that the interconnectedness is essential within the energy sector as well, as more advanced technology has caused information technology and operational technology (OT) to work in tandem.
“It’s a bunch of folks that now need to talk to each other that never had to talk to each other before. And maybe now they don’t speak the same language, so we have to educate all different sides of this issue and actually get everyone talking about the same things,” said ICIT Fellow Stacey Winn.
“We really need to button up both sides of the fence,” added Ryan Brichant, ICIT Fellow and CTO of critical infrastructure at FireEye. “The really key point is the convergence between IT and OT and how an attacker can attack through the IT, cross over the firewall into the plant infrastructure, and now he’s got access to controllers. On the flip side of that, they can come in through the OT and then come across the firewall now and get into the IT side.”
This comment added to the panel’s overall concern that increased technological innovation could also increase the chances of a cyber hack. Weighing this danger against the need to improve service and convenience, and update an aging infrastructure, is a major concern of the energy sector.
Panelists agreed that one of the major ways to protect the energy sector against the almost inevitable cyberattack is to share information about attackers and cybersecurity practices more freely.
“It doesn’t do the county any good if one sector and one business says, ‘we’re super and uber protected,’ and then the neighboring state that they rely on for who knows what transmission of electricity doesn’t have the funds, time, energy, or workforce,” said Tseronis. He explained that since some energy producers or providers are too small to invest in cybersecurity and attribution research, the industry has to be more willing to share whatever they know.
“We are responsible, also, to work with our local, state, and Federal agencies, even FBI when there are threats detected, because they can help be that common piece that helps collaborate that data between the different infrastructures,” said Williams.
He pointed to the state of Indiana as an example of this collaboration, as it has held cybersecurity training exercises that involved all the emergency services, critical infrastructures, the local FBI, and state and local governments.
“It can’t be adversarial; we have to bring people together,” Tseronis said.