Securing Technology in Energy and Other Highly Regulated Industries
If you work in a highly regulated industry like energy or utilities, cybersecurity worries probably keep you up at night. Each day, bad actors send 3.4 billion phishing emails to try to sneak into systems around the world. In addition, in 2022, there were nearly 500 million ransomware attacks detected by organizations worldwide. The average cost of each successful breach was in the neighborhood of $4.5 million.
The threat of cyberattack to our nation’s energy concerns is elevated for three reasons:
- Cyber criminals and hacktivists want to make a statement, and crippling energy supplies is an effective way to do that.
- The energy sector is geographically expansive and complex, which provides a greater attack surface.
- The sector’s unique interdependencies between physical and cyber infrastructure make it vulnerable to attempts to commandeer operational technology (OT) and shut down operations.
To sum it all up, when it comes to securing IT and OT against attack, a firewall and happy thoughts are tantamount to bringing plastic lightsabers to a sword fight. Today’s best approach is to harden your apps and systems around industry-standard, system-level controls like the world’s most secure organizations do. It’s a process that can be either simple or complex. The good news is that you get to decide which.
Hardening systems and applications to standards—what does that mean?
Hardening is a term that refers to the process of applying settings and controls (the configuration guidelines that tell you where, what and how to address vulnerabilities) to secure a system and reduce its attack surface. Changing default passwords, getting rid of unnecessary usernames and disabling or removing unnecessary services are all ways to reduce the attack surface.
Typically, in a single Windows Server domain, for example, there are over 4000 Active Directory group policy settings. So, figuring out which ones to apply to harden your system can be daunting. Fortunately, there are groups of experts who have done the work for you and bundled everything up into guidelines and best practices that are updated quarterly.
The two most adopted policy guidelines are STIG and CIS. Security Technical Implementation Guides (STIG) were created by the Defense Information Systems Agency (DISA) to provide a roadmap for securing some of the world’s most sensitive systems. STIGs identify the controls you need to address to harden your systems. The Center for Internet Security (CIS) uses the same basis as STIGs to create their Benchmarks and Controls. In the energy sector, adopting either standard elevates your baseline security to a much more secure level.
The benefits of hardening to STIG or CIS Standards
The main benefit of hardening systems to proven standards is that your data and operations will be more secure. In many critical industries, OT is usually more secure than IT, even though it is less secured. But that is changing as systems merge and the separation of IT and OT becomes less prevalent. That leaves your OT less protected, and the impact of a breach could be significantly more dire.
Another big benefit, especially in regulated environments, is better compliance and response. This isn’t just about meeting mandates. It’s that there are fewer applications and accounts to keep track of, so when auditors do come, there are fewer questions. And, sooner or later, they’ll come knocking. Demonstrating good cyber hygiene will not only hold you in good stead, it will nearly eradicate the risk of your organization being in the news for all the wrong reasons due to system vulnerabilities.
A welcome, yet hidden, benefit is increased performance. Most systems have services running in the background that have no value except to slow things down. As system hardening disables these services, performance increases.
Hardening IT and OT has its challenges, too.
Before you can reap the benefits of hardening to STIG or CIS standards, you must do the work. Traditionally, it is a huge manual lift to establish a secure baseline, and once that baseline is established, it requires continual work as updates come in.
Unless you have experienced cybersecurity professionals just sitting around waiting for something to do, you’ll have to hire new talent. They will need to be very patient. And because there is a shortage in the marketplace, you will need to pay them richly. This, surprisingly, is the option many will choose.
Another option is to automate. Solutions like SteelCloud’s ConfigOS are the easiest and least intrusive pathway to hardening. They can complete weeks of tedious manual work in minutes. They are easy to manage with your existing staff. They are more accurate (and therefore more secure) than humans. And ConfigOS, at least, has been proven to be simple, effective, and easy to manage for years in our nation’s most sensitive and targeted systems.
Making the move to more secure OT.
Securing your OT isn’t mandated. Yet. Until recently, IT and OT have run on separate, unconnected systems for the most part. But that is changing. And as stark as it is to say, when enough OT systems have been breached and enough havoc has been caused, securing OT will be mandated. The risk of being one of those cautionary tales is far greater than the risk of addressing security now—financially, in company morale and in terms of your brand equity.
ConfigOS is proven in critical industries like energy to harden systems easily and in minutes, enabling all your operational missions to move forward without hesitation because security isn’t sucking all the air out of the room. For more information on system hardening and a free demo of ConfigOS, contact us today.