Climate change cybersecurity developments

Cybersecurity attacks globally have been becoming more frequent, well organised and unfortunately often successful to date. Companies and their security personnels have also faced many business and climate change challenges which

Renewable digital transformation & management 169 could affect their cybersecurity. These included demands for energy utility services always being online, intensifying regulations, new climate policies, higher mobility and replacement of ageing industrial control systems with “smart” devices. All these could seriously affect many companies’ cybersecurity.

Hence, it is very important that management and their cybersecurity experts should develop business-focused cybersecurity strategies which take into account the implications of climate change and renewable transformations. It should be noted that there arc no fail-safe ways to secure all computer assets in most companies all the time. An alternative practical cybersecurity strategy may be is to focus on empowering an organisation that can be prepared for and can quickly detect cyber attacks when they occur, helping in dealing with them efficiently and quickly.

One of the most famous case in history of cyber attack on a leading company occurred in 2012 when the world’s largest oil and natural gas producer, Saudi Aramco, discovered that a computer virus had infiltrated over 30,000 of its computer workstations. Saudi Aramco had no choice but to isolate all of its computer systems from outside access during the emergency. Whilst the cyber attack did not affect their key oil and gas production operations, many employees were cut off from e-mail and corporate servers for several days. They had to revert to written notes and faxes for business communications. The virus had also erased significant amount of company data, documents and e-mail files on 75% of Aramco’s corporate computer systems (New York Times, Cyberattack on Saudi Firm, 2012).

Cyber attacks to date arc unfortunately getting more well organised and constantly evolving. Many viruses could disguise themselves within the corporate’s IT ecosystem in a way that would be very difficult to be discovered for long periods. The consequences of cyber attacks are often very serious and could lead to massive financial losses. Cyber crimes could also seriously damage the company’s brands, undermine customer confidence and damage revenue generation. Cyber attacks on energy utility systems and renewable power systems could often lead to massive power outages, paralyzing communities plus endangering public safety. A recent serious cyber attack example is the globally coordinated WannaCry ransomware attack which infected more than 250,000 computers in over 150 countries globally.

In the global energy sector, technology evolution and innovations have partly contributed to the elevated cyber threat environment. Many industrial and process control systems have been designed to communicate with each other online via TCP and IP protocols. Many smart grids and energy distribution systems have relied on computer monitoring, optimisation and control. The energy transition from fossil fuels to clean renewable energies has also resulted in the growth of decentralised distributed clean renewable power supply and management systems. These systems are more susceptible to cyber attacks and hacking which could result in serious disruptions.

An important consideration in developing a cybersecurity strategy for different companies would be to understand that the cyberspace is being used by cybercriminals as a fast and interconnected tool to attack operations and steal sensitive information. The motivations of different cyber hackers and adversarial groups are often different. They also have their own sophisticated hacking techniques for stealing targeted information and attacking company computer systems.

In addition, companies have to be aware of the high risks of malicious insider cyber attacks. These could include employees, consultants or contractors who have given authorised access to company systems and information. They are in unique positions to use these to inflict harm, including industrial espionage and sabotage. Insiders can often act alone or may be under the influence of external groups. Most companies have considered insider attacks to be one of their highest cybersecurity threats.

Hacktivists globally have also been actively seeking to expose and embarrass leading oil and energy companies. These have included hacktivists protesting on various specific environmental and social causes. They could act alone or in groups to gain unauthorised access to confidential corporate computer files or networks. A good hacking example is the Anonymous group of hackers who have recently attacked top multinational oil and gas companies. They wanted to voice their strong objections to these companies undertaking oil and gas drillings in the Arctic. They were able to access, steal and publish some 1,000 e-mail addresses of major oil and gas company employees.

There are also opportunistic transnational cyber-criminal enterprises that are focusing on stealing confidential company data, customer information, payment data and other sensitive information. They would often steal these cyber data for quick financial gains. Oil and gas energy companies are particularly vulnerable to organised cyber gangs stealing confidential corporate resource secrets plus hijacking their production platforms or technology infrastructures for extortions. Cyber intruders would often focus their attacks to exploit the IT integration in oil and gas exploration, production, refining, and distribution and transmissions. Energy companies, in both fossil and renewable sectors, with advanced integrated digital process control and SCADA systems would be particularly vulnerable to cyber attacks on their corporate networks and internet-facing TCP/IP protocols. Cyber criminals could use sophisticated cyber viruses, such as Stuxnet, Flame, Night Dragon and Shamoon, to infiltrate an energy company’s TCP/IP networks and gain access to sensitive process data and control systems. Some advanced hacker viruses could hid themselves and lie in wait for the most opportune time to attack. These viruses could go unnoticed for months which would allow them lots of time to exfiltrate a variety of confidential corporate data and secrets.

Spear phishing attacks on companies arc often very sophisticated and damaging. These attacks usually involve creating some form of communication that would appear to the unsuspecting users to be legitimate. They would normally ask the recipient to click on links or supply credentials such as e-mail user names and passwords. Skilled spear phishing criminals would often design their messages to be in line with typical norms and formats of the targeted organisation. A good attack example is that in 2011 the Night Dragon hackers attacked specific

Renewable digital transformation & management 171 leading global energy companies using both social media and spear phishing attacks. These attacks have resulted in exfiltration of many company e-mails and other sensitive corporate documents.

Cybersecurity in various companies is often only as strong as the weakest links in the companies which have often been employees and executives. They are often not adequately trained in countering security threats and in anti-spear phishing techniques. Hence, more cybersecurity trainings in companies will be very valuable.

Increasingly, more cyber attacks arc coming from the cloud. IT experts have estimated that over one-third of oil and gas companies globally are using some form of cloud computing. This is likely to be increased higher in future as companies modernise their digital technology infrastructures with more cloud-based computing. However, this will also increase their susceptibility to hackers and cyber attacks.

Integrated energy and utility companies are particularly susceptible to cyber attacks as they arc required to provide utility services to public. These systems arc often required to be always online and available with high reliabilities. The utility supplies and electricity infrastructures arc also the key linchpin of most nation’s critical utility infrastructures.

Energy companies have to develop more secure operating environments and cyber incident-response plans for their various inter-connected technology assets so as to mitigate the potential risks of cyber attacks. It is important that company’s cyber-incident response plan should involve frequent testing of its response procedures involving simulated attacks. These should be similar to the major crisis and disaster recovery plan exercises which are already being undertaken regularly in many energy and utility companies plus leading corporations, in emerging economies and developed countries globally.

More stringent regulations are being introduced by many countries as cyber threats intensified. A good example is that in the USA energy companies have to provide more disclosures of non-privacy-related breaches under the new Securities and Exchange Commission guidance requirements. The new SEC guidance has also stipulated that if an organisation failed to gain an accurate understanding of cyber risks then these could expose them to significant regulatory and litigation challenges.

The energy sector’s ageing computing systems and infrastructure could become serious cyber risks. Many energy companies have to modernise their outdated technology infrastructures and improve their back office integration. Many cyber attacks arc targeting the valuable intellectual property (IP) of energy companies. These could include the confidential locations and sizes of their oil and gas reserves plus details of new potential resource and new technology innovations. The increasing integration of oil- and gas-producing fields with their head office would normally require complex computer systems which will increase their susceptibility to cyber attacks. In addition, some energy companies have outsourced these computing systems in order to reduce costs. Outsourcing could cut operational costs, but it could also introduce new cybersecurity risks.

With the escalation of cyber threats and attacks, it is very important that companies have to safeguard their operation networks, data transmission systems and data application systems. Recent security surveys have found that fewer than half of the leading energy companies have formal programs to monitor for and respond to advanced persistent threats (APTs) which are the most dangerous long-term cyber risks.

Many companies have appointed chief information security officers (CISOs) to develop business-focused security plans and controls for the company’s network, data, users and customer systems. There is often no fail-safe method to ensure absolute 100% cybersecurity in any of the companies. The CISO should take actions to create a realistic security program which would enable the company to prepare for and quickly detect cyber attacks plus safeguard its most valuable data and operations. In addition, the overall corporate executive leadership team must be committed to cybersecurity as a business imperative. Energy companies embedding cybersecurity into their strategic plans in their businesses are usually better able to handle cybersecurity risks and protect themselves against potential cyber attacks. Moreover, these companies would also be better able to explain their cybersecurity strategy to relevant government regulatory bodies, shareholders, employees, stakeholders, etc.

Effective cybersecurity would also require a culture shift in the company. All the management and employees should understand the importance of cybersecurity and their roles in protecting it. Cybersecurity should also not be viewed as a technology-focused cost centre in companies but an essential part of their business operations. Leading companies in emerging economies and globally are leveraging their cybersecurity models as part of their corporate competitive edge.

Public-private partnership (PPP) in cybersecurity is becoming more important with increased government focus on corporate cybersecurity. Leading companies are increasingly working with relevant government agencies on promoting new cybersecurity initiatives, in both emerging economies and developed countries globally.

In summary, leading companies with successful cybersecurity strategies will normally focus on three key areas. First, companies should prioritise corporate resources to protect those areas which are most valuable. Secondly, they should proactively implement cybersecurity practices that would protect their key businesses. Thirdly, companies should actively engage with policy makers and government regulators to form effective public-private partnerships on cybersecurity initiatives.

< Prev   CONTENTS   Source   Next >