A cyberattack on an organization in the energy, utility, oil and gas sectors is fully capable of causing harm to the physical plant, according to a Tripwire survey of IT professionals working in these fields.
Every one of the 150 IT executives that Tripwire polled for its 2016 Energy Survey said a kinetic cyberattack on operational technology in their organization could cause physical damage. The execs noted not only that their organizations are extremely vulnerable; 76 percent also believe their businesses are a likely target for such an attack, and about the same number believe that such an attack will come from a nation state.
The possibility of one country playing havoc with another nation's power system was brought to the public's attention in December 2015, when Ukraine saw part of its power grid knocked offline, possibly by a Russian cyberattack.
Despite the certainty that an attack will occur and end in some type of damage to either the physical plant or computer system, a large minority, 35.4 percent, of those surveyed said they could not accurately track all the threats coming into their systems. Another 16.2 percent said they don't have the visibility necessary to track all threats.
This inability stems from the fact that systems designed for the energy sector are intended to be reliable, physically robust and long-lasting, not necessarily cyber secure.
“Many energy organizations have control systems that are expected to have 10 to 30 year lifespans. These systems weren't originally put in place with network connectivity in mind, but they are being added to more modern IT networks to facilitate business efficiency. It's a real challenge to secure newly networked devices that weren't designed with basic network security to begin with,” Tim Erlin, Tripwire's director of IT security and risk strategy, told SCMagazine.com.
Erlin did point out that, despite the alarming responses given in the survey, progress is being made. He noted the increasing amount of security research being conducted around industrial control systems as a positive sign. In addition, the energy sector now includes network security as part of its overall safety scheme.
“Safety is a concept that energy organizations already embrace,” he said. “Extending cybersecurity to include safety will help with adoption in these organizations.”