Security of CNI is a national security issue
The energy sector is part of the critical national infrastructure (CNI), and delivers services that are essential for modern life. According to the EU NIS Directive, these entities are Operators of Essential Services (OES), and their reliability and ability to meet consumers’ demands at all times are of national interest. The reliability of their services can be impaired by cyberattacks on the IT and operational technology (OT) systems that support their operations. Cyberattacks could result in widespread loss of services, causing large-scale blackouts, disruptions in business operations and even deaths.
Energy services companies are a lucrative target for adversaries. According to a Siemens/Ponemon report, in 2019, 56% of gas, wind, water and solar utilities around the world experienced at least one cyberattack that caused a shutdown or loss of operational data. Other incidents include:
- The European Network of Transmission System Operators for Electricity (ENTSO-E) said in March 2020 it had “found evidence of a successful cyber intrusion into its office network.”
- Authorities in India determined that a major power outage that occurred in October 2020 in Mumbai, the country’s largest city, may have been caused by hackers.
Additionally, the vulnerabilities of the energy sector are of particular concern to national security due to its enabling function across all CNI systems.
A recent U.S. Government Accountability Office (GAO) report notes that the energy industry faces “significant cybersecurity risks” because “threat actors are becoming increasingly capable of carrying out attacks.”
Modernization efforts have increasingly bridged the gap between physical, OT and IT systems used to operate the grid. Previously, OT was largely isolated from IT. But this separation has narrowed as the industry incorporates new grid management systems, and utilities install millions of smart meters and other internet-enabled devices. While these advanced technologies offer significant improvements and real-time system awareness, they also increase the attack surface that malicious actors can target to gain access and compromise larger systems.
Further, certain aspects of the CNI sector require particular attention. Some systems need to react so fast that standard security measures such as authentication of a command or verification of a digital signature simply cannot be introduced because of the delay these measures impose. In addition, electricity grids and gas pipelines are strongly interconnected across many countries. An outage in one country might trigger cascading blackouts or shortages of supply in other countries.
In addition to the above considerations, the European Parliament has identified trends that highlight the importance of strong cyber-physical security measures and policies in the energy sector, including:
- Sustainable energy: In the framework of a climate-neutral energy sector, the electricity system is becoming decentralized (distributed wind, solar and hydropower installations) and interconnected. Electric vehicles, smart appliances, and flexible industrial demand lead to a dramatic increase of potentially vulnerable networked devices on the electricity grid.
- Market reform: Reforms of the energy market allow new actors to participate. This includes energy companies, aggregators, and individual citizens, who may not have adequate cybersecurity skills and capacities to safeguard against adversaries.
- Capabilities of adversaries: Cyber criminals’ skills are constantly evolving and becoming more sophisticated. Automated attack tools have the potential to spread in the network and cause damage beyond the intended target.
What the energy sector seeks
To address this expanding threat landscape, energy providers are seeking to establish policies and deploy security solutions that will provide a defense-in-depth approach:
- A data-centric solution that secures data as it traverses networks, applications and the cloud;
- Centralized visibility and data security management across the entire ecosystem;
- Reduced operational complexity, enabling simple data security management and migration to the cloud;
- Standardized policies, procedures and processes across hybrid IT environments;
- Ability to make changes in line with urgent security requirements and compliance mandates; and,
- Agile compliance and security processes with no impact on functionality, as availability and connectivity are critical.
How to shield the energy sector
There is a common misconception that a robust firewall is enough to prevent unauthorized access to corporate networks. Unfortunately, this is not the case. While the firewall can detect and eliminate a variety of penetration or denial-of-service attacks, it is no match for a physical tap either inside or outside the firewall.
The only fail-safe solution to ensure that your data is secure as it travels across the network is encryption. Furthermore, your encryption solution should be decoupled from any specific network architecture, and accredited against recognized worldwide security standards. For encryption to be most effective, it needs to deliver against four criteria: speed, scalability, manageability and affordability.
Remove complexity to ensure compliance at scale
Thales is enabling OES to remove complexity and ensure compliance at scale across hybrid IT and multi-cloud infrastructures in the following ways:
- The Thales CN Series of high-speed hardware encryptors delivers certified high-assurance encryption security. Designed and built to protect core IT network infrastructure, CN Series encryptors deliver security without compromising on network and application performance up to 100 Gbps.
- The Thales CV Series virtualized encryption appliances deliver strong and effective encryption security for data-in-motion across extended WANs and SD-WANs, scalable to thousands of end-points.
To learn more about how Thales can help secure the CNI, read “Protecting Critical National Infrastructure Data Networks.”