By Chloe McFall
A panel discussion on the state of cybersecurity in utility networks took place at the Atlantic Council in Washington, D.C. on October 4, 2019.
The event began with opening remarks from Secretary Michael Chertoff, who discussed the importance of cybersecurity in infrastructure, as power and energy are core to the function of the United States. Chertoff highlighted the importance of transparency in a utility company’s cyber network and of that network being configured and patched properly, stressing that this must be driven all the way down into the capillaries of the company to remain effective. The Secretary’s opening remarks also covered some of the unique challenges companies face, such as choosing a supplier to provide both the security network and the operational technologies (OT), as well as how the information technology (IT) sector and OT sector grew up independently of each other but are now increasingly interwoven. Chertoff finished his remarks by saying that companies increasingly need to understand and configure their own networks for the risk landscape in order to appropriately fund and address the issues.
The panel was moderated by Melanie Kenderdine, a senior fellow at the Atlantic Council, and featured Trey Herr, Director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security at the Atlantic Council; Jack Huffard, Chief Operating Officer and Co-Founder of Tenable; Dante Martins, Cybersecurity Technology Strategy Director at The AES Corporation; Shapor Naghibzadeh, Co-Founder of Chronicle Security; and Leo Simonovich, Vice President and Global Head, Industrial Cyber and Digital Security at Siemens.
The group opened the discussion by addressing some of the challenges companies currently face with regard to cybersecurity. The general consensus of the panel was that one of the biggest issues to overcome is the natural segmentation of the OT and IT sectors: the two started separately, but with the advent of increased digitization they have become increasingly interconnected. The second issue discussed was how to successfully protect the utility industries at every level of the scale, from the most minute piece (a thermostat was used as an example) to the most substantial. The third issue addressed by the panel was that companies need to better commit themselves to gaining visibility into their networks and to better prepare themselves for vulnerability detection.
They then dove deeper into how those issues affect utility industries and into some possible solutions. A few of the solutions included integrating the OT and IT sectors fully so that professionals would be able to create protections for specific OTs, having someone in the company take responsibility for the risk so that more effort would be focused on mitigating it, and using big data to leverage the scale of attacks better.
The panel concluded that one of the main points from the discussion is that cybersecurity in OT is manageable, but that it is important for companies to start with the basics by knowing their assets and monitoring them. Additionally, providing guidance to small operators to improve their readiness should happen immediately, and the policy side should focus on creating a standard of care and benchmarking for companies to follow. When opening up the floor for questions, the panel reiterated points they had made earlier and said that, in the process of bettering their cybersecurity, companies are beginning to build the foundations of protection from cyber warfare attacks.