As energy systems become pervasively connected, energy companies need strong and precise cyber defenses. Our Global Head of Industrial Cyber and Digital Security Leo Simonovich looks at how we can secure the energy revolution.
For many nation-states, the ability to push a button and sow chaos in a rival state’s economy is highly desirable. And the more energy infrastructure becomes hyperconnected and digitally managed, the more targets offer exactly that opportunity. It’s not surprising, then, that an increasing share of cyberattacks seen in the energy sector have shifted from targeting information technologies (IT) to targeting operating technologies (OT)—the equipment that directly controls physical plant operations.
To stay on top of the challenge, chief information security officers (CISOs) and their security operations centers (SOCs) will have to update their approaches. Defending operating technologies calls for different strategies—and a distinct knowledge base—than defending information technologies. For starters, defenders need to understand the operating status and tolerances of their assets—a command to push steam through a turbine works well when the turbine is warm, but can break it when the turbine is cold. Identical commands could be legitimate or malicious, depending on context.
Even collecting the contextual data needed for threat monitoring and detection is a logistical and technical nightmare. Typical energy systems are composed of equipment from several manufacturers, installed and retrofitted over decades. Only the most modern layers were built with cybersecurity as a design constraint, and almost none of the machine languages used were ever meant to be compatible.
For most companies, the current state of cybersecurity maturity leaves much to be desired. Near-omniscient views into IT systems are paired with big OT blind spots. Data lakes swell with carefully collected outputs that can’t be combined into a coherent, comprehensive picture of operational status. Analysts burn out under alert fatigue while trying to manually sort benign alerts from consequential events. Many companies can’t even produce a comprehensive list of all the digital assets legitimately connected to their networks.
In other words, the ongoing energy revolution is a dream for efficiency—and a nightmare for security.
Securing the energy revolution calls for new solutions equally capable of identifying and acting on threats from both physical and digital worlds. Security operations centers will need to bring together IT and OT information flows, creating a unified threat stream. Given the scale of data flows, automation will need to play a role in applying operational knowledge to alert generation—is this command consistent with business as usual, or does context show it’s suspicious? Analysts will need broad, deep access to contextual information. And defenses will need to grow and adapt as threats evolve and businesses add or retire assets.
This month, Siemens Energy unveiled a monitoring and detection platform aimed at resolving the core technical and capability challenges for CISOs tasked with defending critical infrastructure. Siemens Energy engineers have done the legwork needed to automate a unified threat stream, allowing their offering, Eos.ii, to serve as a fusion SOC that’s capable of unleashing the power of artificial intelligence on the challenge of monitoring energy infrastructure.
AI-based solutions answer the dual need for adaptability and persistent vigilance. Machine learning algorithms trawling huge volumes of operational data can learn the expected relationships between variables, recognizing patterns invisible to human eyes and highlighting anomalies for human investigation. Because machine learning can be trained on real-world data, it can learn the unique characteristics of each production site, and can be iteratively trained to distinguish benign and consequential anomalies. Analysts can then tune alerts to watch for specific threats or ignore known sources of noise.
Extending monitoring and detection into the OT space makes it harder for attackers to hide—even when unique, zero-day attacks are deployed. In addition to examining traditional signals like signature-based detection or network traffic spikes, analysts can now observe the effects that new inputs have on real-world equipment. Cleverly disguised malware would still raise red flags by creating operational anomalies. In practice, analysts using the AI-based systems have found that their Eos.ii detection engine was sensitive enough to predictively identify maintenance needs—for example, when a bearing begins to wear out and the ratio of steam in to power out begins to drift.
Done right, monitoring and detection that spans both IT and OT should leave intruders exposed. Analysts investigating alerts can trace user histories to determine the source of anomalies, and then roll forward to see what else was changed in a similar timeframe or by the same user. For energy companies, increased precision translates to dramatically reduced risk – if they can determine the scope of an intrusion, and identify which specific systems were compromised, they gain options for surgical responses that fix the problem with minimal collateral damage—say, shutting down a single branch office and two pumping stations instead of a whole pipeline.
As energy systems continue their trend toward hyperconnectivity and pervasive digital controls, one thing is clear: a given company’s ability to provide reliable service will depend more and more on their ability to create and sustain strong, precise cyber defenses. AI-based monitoring and detection offers a promising start.
December 13, 2021
Leo Simonovich is vice president and global head industrial cyber and digital security at Siemens Energy.
Combined picture and video credits: Siemens Energy