The Patriot Act of 2001 defines critical infrastructure as those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” No words can express much better the importance the critical infrastructure carries for the United States of America than the above mentioned statement. The NIST Cybersecurity Framework 2014 identifies “Energy Sector” as critical infrastructure and holds Department of Energy as the responsible agency for the same.
According to a survey conducted by Dimensional Research in 2015, carried out a survey, assessed cyber security challenges faced by organizations in the energy sector. The study covered about 150 IT professionals from the energy, utilities, and oil and gas industries. The key findings of the survey were:
- Energy executives were more than twice as likely to believe their organization detected every cyber attack (forty-three percent) than non-executives (seventeen percent).
- In the last 12 months, seventy-eight percent of the respondents said they experienced a cyber attack from an external source, and thirty percent have seen an attack from an inside employee.
- Forty-four percent of the respondents indicated they have not gathered enough information to identify the sources of cyber attacks on their organizations.
- Nearly one-fourth (twenty-two percent) of the respondents admitted their organizations do not have business processes to identify sensitive and confidential information.
Even the government has produced similar findings. As per Department of Homeland security, energy sector faces more cyber attacks than any other industry. Given the increasing capacity of cyber attacks to inflict worst damages on the target, the threat is more than ever. All it is needs a worm reverse engineered from Stuxnet to strike power grids across the USA. And our indifference to the security is going out as an invitation for the same. Given the lack of security, The energy sector is highly vulnerable at the moment. The North American Electric Reliability Corporation’s (NERC) GridEx III recently carried out “cyberwar games” which revealed significant challenges that plague cyber threat intelligence practices of grid operators. The costs would be unaffordable. As per the estimates of a congressional commission a large scale blackout due to a cyber attack can lead to 90% of the United States’ population perishing from disease, lack of food and general societal breakdown.
The Department of Energy has announced a $34 million program for securing the energy sector. The plan is yet to receive approval from the Congress. The plan aims to create a conglomerate of security contractors, research centers and an academic institution. They would be tasked to design defensive software, educational programs, detection tools and cloud-based database protection for energy infrastructure and service providers. The plan has been structured into twelve projects comprising of individual energy sector organizations in nine states through the Office of Electricity Delivery and Energy Reliability’s Cybersecurity of Energy Delivery Systems, or CEDS, program. As per DoE, the plan would “enhance the reliability and resilience of the nation’s energy critical infrastructure.”
The plan should focus more on information sharing which should serve as the linchpin of protection against cyber attacks in real time. A centralized system needs to be in place for that. Further, it should take into account the emerging threats such as Internet of Things which has opened altogether a new door to a plethora of challenges. Last but not least the funding needs to be progressively increased. Even a private organization like JP Morgan’s cyber security expenses are slated to double to $500 Million in next 5 years. We should remember we are dealing with the matters of national security which cannot be compromised at any cost.