Hackers have their sights set on energy and utility companies
Photo by Matthew Henry on Unsplash
In recent years, power grid hacks have grown more frequent, and the threat they pose to national security has become impossible to ignore.
In September, the American cybersecurity firm Symantec reported that a group of hackers broke into dozens of energy firms in the US, Turkey and Switzerland as early as 2015, and in some cases were able to gain “operational access” to vital equipment. In October, North Korean hackers breached an American energy utility. In 2015, hackers shut off power for 225,000 Ukrainians, and in 2016, they carried out the world’s first fully automated grid attack.
Energy and utility companies have long been prime targets for hackers. But in Not all hacks have the same intent or outcome. While some hackers, like the ones who attacked Ukraine, are looking to wreak havoc, others are simply looking to steal information.
Governments are nonetheless raising the alarm and preparing for the worst. This summer, FEMA and the Department of Energy sponsored an exercise to examine the hazards of “Black Sky” scenarios—months-long, widespread electric outages caused by natural disasters or malware attacks that could trigger global catastrophe.
“Responding to ‘Black Sky’ events is all about industry in the lead and government in support,’ said former Assistant Defense Secretary Paul Stockton.
To prevent disruptions and disasters alike, experts say, the energy industry needs to invest more in improvements to identify and patch vulnerabilities in the grid. While investments to detect breaches are expensive, according to the IBM Security-sponsored Ponemon Institute’s 2017 Cost of Data Breach Study, a successful breach is even more costly.
S. Katz, IBM’s Head of Grid Technology for the Energy, Environment and Utilities industry, told Industrious.
Companies looking to defend themselves against cyberattacks, Katz said, should make sure they discover vulnerabilities in their systems before hackers do. Few energy companies have the personnel to do that internally, so they must rely on outside experts. To that end, they can enlist IBM to conduct a North American Electrical Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) evaluation or a penetration test.
“The attack vectors are there. The question is who finds them first,” Katz said.