Cyber Risk: A Strategic Priority for the Power & Energy Industry

#CyberSecurity #CyberRisks #CyberThreats #OTSecurity #ITOTConvergence #Powersector #AirGapNetwork #CyberAttacks #EnergySector #Tenable

Due to its strategic significance, the power and energy sector is all the more vulnerable to cyber attacks. In this context, it is important to understand the IT and OT convergence with the objective of staying a step ahead of the threats and risks. At a virtual event organised by Pro MFG Media recently, industry leaders came together to discuss the challenges and to share their experiences on how they are addressing the same.

The recently concluded Pro MFG Technology Leadership Think Turf Round Table powered by Tenable focussed on ‘Cyber Risk: A Strategic Priority for the Power & Energy Industry’. The round table saw participation from stalwarts who shared their expert inputs for the benefit of the industry. These esteemed speakers included Nitin Galande, Head of Information technology, BSES Rajdhani Power Limited, Shaleen Khetarpaul, Asst. VP-IT CISO, BSES Rajdhani Power Ltd, Lalit V Kumar, GM-IT & CISO, BSES Yamuna Power Limited, Nagarajan Krishnan, DGM-IT Operations, Cairn Oil & Gas (Vedanta Ltd), ,Rohit Rane, Head of Information Security, Nayara Energy, Manoj Deorukhkar, CIO, Sterling & Wilson Ltd., and Sudeep Das, Security Engineering Lead, Tenable. The discussion was moderated by Burgess Cooper, Cybersecurity Partner & Deputy Leader, EY India.

Readying for the storm

The event was set rolling with a quick but insightful opening address by Sudeep Das, Security Engineering Lead, Tenable. Mr. Das began by acknowledging that the IT-OT Convergence is here and that the air gap network is pretty much getting diluted. “We are seeing more and more adoption of internet of things. The number of devices that we are talking about in this context is getting larger. More people are working on it; there are people not just from the OT team, but there are also the data analysts who want to talk to the OT team. And the hackers, who we are trying to defend from, have seen that there are certain issues with the OT systems that are making it a little more vulnerable for them to target. So, all of these trends have come into a perfect confluence where we are seeing the impending storm.”

To put things into perspective, he went on to briefly share the Colonial Pipeline case as an example of attack on industrial systems. “Many of us know that certain IT systems were compromised in that case. And because people did not really know how those IT systems are going to really affect the actual control systems, the entire plant was shut down to show abundance of caution. That happened for the first time ever in 57 years of its operations! The compromise in the IT system actually led people to take precaution because they just did not know how these networks were interconnected, and how they could have potentially disrupted the pipeline operations. So they shut it down beforehand and the ransom was paid!” He explained that while this example was about OT security, where OT device monitoring has to be done, it is also actually about the confluence of all the different controls.

To set the context of the overall discussion, he summarised his perspective into three different buckets. “First of all, we need to have total visibility. This includes visibility of the vulnerabilities, visibility of the configuration and visibility of the protocols. Secondly, once we have that visibility, we should be able to prioritise the risk and handle what is more important. That’s why we say that the risk based approach is the right approach to take. The third part is about measuring how we are handling the security.”

Inevitability

Shaleen Khetarpaul, Asst. VP-IT CISO, BSES Rajdhani Power Ltd, underlined that breaches are inevitable and that there is no way that we can stop the breaches or hacking. “The only way we can reduce the risk is by strengthening the security systems to a patch management product outage testing, and applying encryption wherever applicable. The most important part is creating an awareness and training of people. The other thing we can do is taking a cyber-insurance policy.”

While agreeing with Mr. Khetarpaul, Rohit Rane, Head of Information Security, Nayara Energy also pointed out that due to geopolitical changes, the critical infrastructure sector will be targeted. “That has been one of the primary reasons why cyber risk requires a very strategic approach in this sector. From the industry perspective, it is required that we understand the exposure towards such risk and have a plan or strategy in place as well as the required infrastructure supported with the latest technology to reduce that impact of this risk and contain this risk as much as possible.”

Nagarajan Krishnan, DGM-IT Operations, Cairn Oil & Gas (Vedanta Ltd), stated that due to the nature of energy industry, if any attack happens beyond a particular level, the impact would be unimaginable! “That’s the reason I believe that there are a lot of regulatory controls in place. More controls are being looked into the OT side as well. Typically, it used to be the IT section that used to be in the limelight of terms of security. Now, the focus is more and more coming on the OT side, because the impact is much larger. So yes, the breach is inevitable. It’s more of a cat and mouse game, we would always like to be ahead in the game by having all relevant controls in place and having the right risk framework adopted.”

Educating people

Lalit V Kumar, GM-IT & CISO, BSES Yamuna Power Limited, emphasised that as utilities are moving to modernization, there is need to upgrade the OT network. “Earlier it was all manual but as we are moving to modernizing our systems, we are automating the OT devices across our grids, substations and so on. This is leading to the convergence of IT and OT. In the context of the rising risk of security, I see there are three key pillars which are very important to keep our security up to date, people, process and technology. We are all technology guys, who put a lot of focus on technology. However we lack on the people part, which again is very important. Until and unless we educate our employees to take care of these risks like phishing and so on, I don’t think that cybersecurity would be mature enough.”

Differentiating between IT and OT

In the context of the discussion, Rohit Rane, Head of Information Security, Nayara Energy, brought out the difference between IT and OT in a very perceptive manner. “If you look at IT, we will primarily look at security from the perspective of the OS, the technologies and the different applications that have been used for various purposes. When it comes to OT, we have very specialised machinery and equipment that communicate on different protocols. There is a huge setup in an OT, which at the maximum time we will not even get the complete visibility. If we compare both these networks, the primary differentiation is the technology or the assets that are getting covered under these two different networks. So when we talk about OT, we are heavily reliant on OEMs. The biggest difference that we see in any security control that needs to be implemented in IT is that it is very straightforward. You have much better visibility as compared to OT. You have a test environment; you test it and you go ahead. But when it comes to OT, you are dependent on the OEMs. The OEM certifies the controls in terms of certain patches or in terms of certain changes that are made into them. And only those changes and those security control implementation are carried out once you are certified by the OEM. This is the major difference when it comes to managing or defining security in IT and OT.”

Tenable’s Mr. Das too highlighted the KPI based difference between IT and OT: “The KPI driving the OT environments are very different from those driving the IT environments. For OT, the primary value drivers are safety, quality and uptime. With IT, it is data driven. If I have a downtime on the IT side, I most probably will still survive. But if there is a downtime on the OT side, people may get hurt. So the KPIs and hence, the levels of risks are different.”

Challenge of Integrating

Kuldeep Singh, DGM-IT, NTPC, pointed out the difference between IT and OT in the context of their openness to the internet. “I agree that IT and OT are completely different. In IT, we have systems that are open to the internet. However, with OT we have been going with a conventional approach that it will not be open to any kind of internet interface until and unless it is absolutely critical. So we maintain a strict isolation between IT and OT networks as well as between our OT and the internet. Whenever there are any interfaces between the two systems, those are to be isolated with proper isolation mechanisms.” Elaborating further, Mr. Singh also shared a few practical issues. “So, let’s suppose if we are talking about an interaction between the OT and IT systems, which is obviously required at some point of time, then you will be having a unidirectional data approach. Even that is also becoming a cause of concern as there are various ways to jump the air gaps as well. Now we are also coming towards the physical dissociation between these two systems. Again, we have seen the move towards digitalization that is quite high. So we are looking at a smart metering as well as at the implementation of IoT and smart sensors in the OT. And we are also looking at smart power plants as well. So integrating these two has become a challenge for us.”

Shifting the focus to OT

Nitin Galande, Head of Information technology, BSES Rajdhani Power Limited, too highlighted that the energy sector is the backbone for all industries. “That’s why the OT section from the cyber security point of view is very much important. It is true that IT and OT are really getting merged now. Earlier, they were two separate networks but now with IoT growing, you will have these two things merging together. We need to pay more attention to the cyber security part of it apart from the components using the OT. It will be more vulnerable because there will be a lot of connectivity happening between the equipment and the applications.”

Manoj Deorukhkar, CIO, Sterling & Wilson Ltd. pointed out that till recently the energy industry has been quite away from rapid digitalization. “We have a lot of exposure of a very large surface, which is available, either in terms of the pipelines or the transmission grids. At the same time, the recent market changes are pushing us to modernize and digitize very quickly. Now, this combination makes it a very attractive segment for all the hackers. More and more, we see that the geopolitical objectives are actually driving these attacks more than just the financial frauds. Today, energy sector accounts for a very large portion of attacks which are being made. A recent newspaper report says that 20% of the attacks in North America are on energy sector. Phishing remains to be the first choice for the hackers to get into the vulnerability. So it is at a stage where old legacies, new technologies and the higher risk of attack are coming together. This is making our task more complex and more challenging. Cybersecurity is going to play a very, very important role and the point of action is shifting more and more from IT to OT. Today, everything is getting connected to the internet with more smart things and smart solutions coming into the picture. These are all out in the field, not within the four walls of security that you typically enjoy in a manufacturing or an office environment. So all of that is really riveting our focus more on security. It’s a rapidly evolving risk threat and we have to do a lot in terms of staying up with it and be a step ahead of it.”

Pro MFG Media Newsletter

Get regular manufacturing insights that matter and enable business.