How can energy companies become less vulnerable?
With more frequent and increasingly vicious cyberattacks, vulnerabilities in IT architecture pose a severe threat. Particularly the energy sector is targeted, making upgraded cybersecurity a matter not only of securing production and business value, but also of national interest to keep society up and running – and people safe.
How energy companies can raise cybersecurity and become less vulnerable
Digitalisation and efficiency requirements mean that more systems get connected to each other, the Internet or other environments with little knowledge of current vulnerabilities. This has not been as urgent before, which enabled the use of air gapped systems. To raise cybersecurity of critical infrastructure in general, strict segmentation of ICS (Industrial Control Systems) and SCADA (Supervisory and Control Data Acquisition) must be applied, combining logical separation with physical separation. This means keeping separate domains in the architecture isolated and allowing only very specific information to flow in between. An effective way is to achieve this is by using products that replace manual management of information (air gap) and connect OT with IT systems but still retain the highest level of security.
The most important element in enhancing ICS/SCADA security is to keep the separate domains in the architecture isolated and only allow very specific information to flow in between.
Securing Industrial Control Systems (ICS)
To safeguard ICS and SCADA systems, segmentation must be applied with high assurance solutions to guard the physical isolation yet enable completely secure communication.
With this in place, logging security events is the next priority. By monitoring logins, failed login attempts, transactions, USB usage etc, effective preventive measures can be mapped out and damage control can be taken without delay. However, the character of the data also makes log servers hackers’ favoured target. Data logging systems thus turns into a vulnerability when insufficiently protected. To ensure integrity and security, high-assurance solutions are required. Advenica’s data diode creates a high assurance isolation in the backward direction, thereby blocking everything from the outside. If two-way information flow is necessary between the domains, a solution based on a high assurance filter, like Advenica’s ZoneGuard is needed. Here the information is inspected in every detail and approved if, and only if, everything is in perfect order. The high assurance filter performs the virtually impossible task of interconnecting specific information flow between two domains that normally should not be connected.
Read more about securing industrial control systems!
Securely integrate IT/OT
Operational Technology (OT) refers to all the subsystems needed to manage and monitor a physical process, for example at a power station or a factory. OT usually consists of programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems. IT refers to the business and office systems that most organisations use. Here are some solutions that can help create a secure integration of IT and OT:
Physical separation of IT and OT using zoning
Separating IT and OT into separate segments helps avoid vulnerabilities or disruption in IT affecting OT. To avoid risks as a consequence of mistakes in configuration or function, physical segmentation (zoning) should be used. This means that separate hardware is used for IT and OT, and the only equipment allowed to be connected to both sides are the security controls.
Use data diodes in the zone border for outbound data flows from OT
The most secure way to connect an integrity sensitive data network to other systems is to use data diodes. All data flows from OT that can be managed with data diodes involve a simplified security analysis, quite simply because a data diode is so secure and easy to analyse. Or, more correctly, because it has such high assurance.
Information allowlisting in the zone border
For data flows for which data diodes are not suitable, you can instead use systems that secure the information flow, such as Advenica’s ZoneGuard. To avoid malicious code from affecting the process, it is important to have strict separation between, and monitoring of, all data flows across the zone border. The most secure method is to have strict control over the information that is permitted to cross the zone border. For example, by not allowing transport protocols to pass the zone border, you entirely avoid many of the risks that you might otherwise face.
New regulations to reduce vulnerabilities
In recent years, the energy sector has been scrutinised by supervising authorities regarding information security in preparation for instance the NIS Directive and stricter national security legislation.
The NIS Directive
The NIS Directive tightens the requirements for information security in terms of integrity and availability. It is important to take people, processes and technology into account to ensure information security in the affected organisations. Better understanding in general of information and system risk classification together with impact contingency and action plans is necessary to improve resistance to attacks. Incidents are to be reported as part of increasing knowledge and raising preparedness. Basically, focus lies on the network and information systems that are used.
The Protective Security Act
Another law that might be important for your organisation is the Protective Security Act. It clarifies the obligations for companies with security-sensitive activities and the importance of the operators performing security protection analyses for their operations. The Protective Security Act (2018: 585) contains requirements for measures aimed at protecting information that is of importance for Sweden's security or which is to be protected according to an international commitment for security protection. The protection of other security-sensitive activities, such as important information systems, is also being strengthened.
Read more about the Protective Security Act!
Do you want to know more about how you can raise your cybersecurity? Read more about how we can help you!