You only need to look at what happened in the US when the Colonial Pipeline was taken down via a cyber attack to understand why cybercriminals target energy companies. It’s a quick pathway to cause chaos and, were it to occur during a period of conflict, it could cause catastrophic disruption.
Australia takes this risk seriously. On 11 June 2021, the government added cyber security in energy as a “priority action”. This hasn’t stopped the attacks from coming in, of course. In one of the most targeted nations for cyber crime in the world, the energy sector is one of the ten most targeted sectors in Australia. Major providers such as Energy Australia and AGL have been targeted.
However, while we can’t stop the attacks from coming in, the goal is to mitigate against the risk of an event of the impact and scale of Colonial Pipeline from occurring. To achieve this resilience, the energy sector needs to overcome some specific vulnerabilities to it.
As noted in a report by McKinsey:
“First is an increased number of threats and actors targeting utilities: nation-state actors seeking to cause security and economic dislocation, cybercriminals who understand the economic value represented by this sector, and hacktivists out to publicly register their opposition to utilities’ projects or broad agendas. The second vulnerability is utilities’ expansive and increasing attack surface, arising from their geographic and organisational complexity, including the decentralised nature of many organisations’ cybersecurity leadership. Finally, the electric-power and gas sector’s unique interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation, including billing fraud with wireless “smart meters,” the commandeering of operational-technology (OT) systems to stop multiple wind turbines, and even physical destruction.”
In short, to protect the energy sector from cyber attacks, traditional security measures such as firewalls, antivirus software, and encryption are not enough. These measures rely on predefined rules and signatures, which can be easily bypassed by sophisticated hackers who use new or unknown methods.
This reality is driving people to look to AI for solutions.
To defend against cyber attacks on IT, let alone OT, organisations need to implement a security control framework that covers aspects such as roles and responsibilities, training and awareness, incident response, network segmentation, authentication, encryption, backup, patching and monitoring.
AI can assist with much of this. AI is an asset that is available and operating 24/7 and able to work – and respond – to threats instantly.
It’s just that the emphasis needs to be on “assist.”
Some of the ways that we’ve seen AI be used effectively by security teams have included:
- Threat detection: AI can analyse large amounts of data from different sources, such as network traffic, logs, sensors, and user behaviour, to identify patterns and anomalies that indicate potential cyber threats.
- Incident response: AI can help the energy sector respond to cyber incidents faster and more effectively, by automating tasks such as alert triage, analysis, containment, and remediation. AI can also provide recommendations and guidance to human operators, such as security analysts, engineers, and managers, to help them make informed decisions and actions.
- Risk management: AI can help the energy sector manage its cyber risk, by providing insights and predictions on the likelihood and impact of cyber attacks, as well as the effectiveness and efficiency of security controls and measures. AI can also help the energy sector prioritise its cyber security investments and resources, by identifying the most critical and vulnerable assets and systems.
However, for all these positive gains, we need to be careful about ceding cyber security to AI. AI is not a silver bullet for cyber security in utilities and the energy sector. It comes with potential areas of risk including questions around data quality, privacy, and ethics, and there’s the simple question of reliability – what happens if an AI system fails and there’s no one around to notice?
How we use AI at Excite – and we believe that this is the right model in security – is as a support tool, to further complement the work done by our security teams, and as a way of cross-checking our thinking and ensuring that we ask and answer the right questions.
For critical national assets that support the entire society around them, such as what we find in the energy sector, human oversight and management in security should never be relaxed. However, at the same time, without embracing the strengths of AI – particularly to address the sticky challenges in bridging security across OT and IT, energy companies that don’t embrace AI are opening themselves up to increasing levels of risk.
