Smart technologies and the Internet of Things (IoT) devices are revolutionizing the energy industry by providing sensors and other components that enable real-time management.
These additional devices are proving to be incredibly useful when it comes to the fight against global warming, allowing the energy industry to create smart energy grids. Smart energy grids allow organizations operating in the energy industry to understand, predict, and adapt to fluctuations in energy usage, ensuring that there is sufficient clean energy available for consumption. This allows them to reduce emissions by improving capacity planning and help prevent climate change.
These smart technologies can also pose additional cybersecurity risks if not properly secured against cyberattacks. To help defend against these attacks, CIS Controls can be used to avoid vulnerabilities and reduce the number of attack vectors available.
What are CIS Controls?
CIS Controls (previously known as critical security controls or CSC security) are a set of actions that are recommended as specific ways of preventing the most dangerous cyberattacks. There are 18 different controls in total including Access Control Management, Data Protection, and Penetration Testing.
Consider their effect on IoT devices. Between 2009 and 2019, the number of significant electricity-related cyber incidents occurring each year rose from one to 10. In the energy industry, growth in the number of IoT devices was combined with distributed energy resources to combat climate change. These technologies included distributed generation, electric vehicles, and behind-the-meter storage.
This means that the adoption of IoT devices in the energy industry has led to a larger attack surface for malicious actors to exploit. This attack surface is expected to double in size to reach 30-40 billion devices by 2025, making cybersecurity frameworks like CIS even more important.
Is the energy industry adopting CIS Controls?
A survey revealed that in 2016, 44% of organizations with cybersecurity frameworks in place had chosen to use CIS Controls. However, just 5% of organizations in the utilities industry had adopted at least one cybersecurity framework. By 2020, 50% of business leaders in the energy industry were considering cybersecurity and privacy baked into every business decision or plan, and 44% were strategizing for a better and more granular quantification of cyber risk.
The main barriers to adopting a cybersecurity framework were found to be a lack of regulatory requirements and the perception that a large investment would be required to implement all of the controls. Of the organizations that had adopted a framework, the majority stated they had done so because they regarded it as a best practice. Other reasons given for adoption were relationships with business partners and contractual requirements.
What problems stem from this lack of adoption?
Lack of adoption could lead to a range of problems in the energy industry. A successful cyberattack in any industry can lead to the loss of control over devices and processes. In turn, this loss of control can lead to physical damage and service disruption. In the energy industry specifically, this would mean that households, businesses, and other critical services face blackouts that could prove catastrophic.
One of the first confirmed examples of this was in 2015, when a cyberattack on the Ukrainian power grid resulted in the attackers switching off 30 substations and causing 225,000 people to lose power. A report published by Lloyd’s and the University of Cambridge’s Center for Risk Studies found that a major attack on the U.S. power grid, like the one that Ukraine experienced, could result in an economic cost of over $243bn.
What solutions are there?
Policy makers and regulators could incentivize or require organizations to implement CIS Controls or similar cybersecurity frameworks. This would alleviate one of the biggest barriers to adoption and prompt the entire industry to work towards achieving this standard.
Subject matter experts can evangelize the process by publicizing the risks associated with not implementing critical security controls, while documenting their organization's journey to fully implementing them.
Similarly, organizations in the energy industry can share incident reports to raise awareness of attacks, their impact, and how they were countered or resolved.
Ensuring the energy industry is prepared when it comes to cybersecurity is a growing challenge. This challenge, like so many others, can be overcome through collaboration and transparency. However, as with the fight against climate change, failing to put the necessary measures in place can have disastrous consequences that affect everyone.
Find out how Bitdefender can help your energy or utilities business build up resilience and remain protected from these growing threats.