In the past, energy companies have typically kept the operating systems in which pipelines or power plants operate isolated from the broader Internet, or “air-splitting,” which meant that hackers could not easily access the most critical infrastructure. However, this is increasingly no longer the case as companies install more sophisticated monitoring and diagnostic software that can help them operate these systems more efficiently. This potentially creates new cybersecurity risks.
“Now these systems are all interconnected in ways that organizations don’t always fully understand,” said Marty Edwards, vice president of operational technology for Tenable, a cybersecurity company. “This offers the possibility of attacks in one area spreading elsewhere.”
Many industrial control systems were installed decades ago and run on outdated software. Hence, finding programmers to update the systems can be a challenge. And the operators of vital energy infrastructures – such as pipelines, refineries or power plants – are often reluctant to interrupt the flow of fuel or electricity for long periods in order to install frequent security patches.
According to analysts, many companies don’t always have a keen sense of when and where it is worth spending money on costly new cybersecurity protections, in part because there is no readily available data on what types of risks are involved most likely to act to face.
“Businesses don’t always make a lot of information publicly” about the threats they see, said Padraic O’Reilly, CyberSaint Security co-founder who works with cybersecurity pipelines and critical infrastructure. “That can make it difficult for an industry to know where to invest.”
Analysts said the country’s electricity utilities and network operators have typically been further ahead than the oil and gas industry in preparing for cyberattacks, in part because federal regulators have long required cybersecurity standards for the backbone of the national power grid.
However, weaknesses remain. “Part of that is the sheer complexity of the network,” said Reid Sawyer, executive director of the US cyber consultancy practice at Marsh, an insurance company. For example, not all levels of the grid are subject to mandatory standards, and there are more than 3,000 utility companies in the country with different cybersecurity practices.