In early 2021, East Coast Americans received a sharp lesson in the growing importance of cybersecurity in the energy industry. A ransomware attack hit the company that operates the Colonial Pipeline, the main infrastructure artery that carries nearly half of all liquid fuels from the Gulf Coast to the eastern United States. Knowing that at least some computer systems had been compromised and unsure of the extent of its problems, the company had to resort to a brute-force solution: shutting down the entire pipeline.
Leo Simonovich is vice president and global head of industrial cyber and digital security at Siemens Energy.
The interruption of fuel delivery had major consequences. Fuel prices skyrocketed. The President of the United States got involved, trying to reassure panicked consumers and businesses that fuel would soon be available. Five days later, after suffering millions of dollars in economic losses, the company paid a ransom of $4.4 million and restarted its operations.

It would be wrong to see this event as the story of a single pipeline. Across the energy industry, more and more of the physical equipment that generates and moves fuel and electricity relies on digitally controlled, networked components. Systems originally designed for analog operation have been retrofitted. The new wave of low-emission technologies – from solar to wind to combined-cycle turbines – is inherently digital, using automatic controls to squeeze every bit of efficiency out of its energy sources.
Meanwhile, the covid-19 crisis has accelerated a distinct trend towards remote operation and ever more sophisticated automation. Large numbers of workers have moved from reading dials on the plant floor to reading screens from their sofas. Powerful tools that change how power is generated and routed can now be operated by anyone who knows how to log in.
These changes are great news; the world is getting more energy, lower emissions and lower prices. But these changes also highlight the vulnerabilities that brought the Colonial Pipeline to a sudden halt. The same tools that make legitimate energy industry workers more powerful become dangerous when attackers get their hands on them. For example, hard-to-replace equipment can be commanded to tear itself apart, leaving parts of the national grid out of service for months.
For many nation-states, the ability to push a button and create chaos in a rival state’s economy is highly desirable. The more hyper-connected and digitally managed the energy infrastructure, the more targets offer exactly this opportunity. It is not surprising, then, that an increasing share of cyberattacks in the energy sector has shifted from targeting information technology (IT) to targeting operational technology (OT), the equipment that directly controls physical plant operations.
To meet these challenges, chief information security officers (CISOs) and security operations centers (SOCs) will have to update their approach. Defending operational technology requires different strategies and a different knowledge base than defending information technology. For starters, defenders need to understand the operating state and tolerances of their assets – a command to push steam through a turbine works fine when the turbine is hot, but can break it when the turbine is cold. Identical commands can be legitimate or malicious depending on the context.
Even collecting the contextual data needed for threat monitoring and detection is a logistical and technical nightmare. Typical energy systems consist of equipment from several manufacturers, installed and retrofitted over decades. Only the most recent layers were designed with cybersecurity as a constraint, and almost none of the machine languages in use were intended to be compatible with one another.
For most companies, the current state of cybersecurity maturity leaves much to be desired. Nearly omniscient insight into IT systems is paired with major OT blind spots. Data lakes swell with carefully aggregated outputs that cannot be combined into a coherent and comprehensive picture of operational status. Analysts suffer from alert fatigue as they try to manually separate benign alerts from the events that matter. Many companies cannot even produce a comprehensive list of all the digital assets legitimately connected to their networks.
In other words, the ongoing energy revolution is a dream for efficiency and a nightmare for security.
Securing the energy revolution requires new solutions that can identify and act on threats from both the physical and digital worlds. Security operations centers will need to bring the IT and OT information flows together into a unified threat stream. Given the scale of the data flows, automation will need to play a role in applying operational knowledge to alert generation – is this command consistent with business as usual, or does the context make it suspect? Analysts will need broad, deep access to contextual information. Defenses will need to grow and adapt as threats evolve and businesses add or retire assets.
This month, Siemens Energy introduced a monitoring and detection platform that aims to solve key technical and capability challenges for CISOs tasked with defending critical infrastructure. Siemens Energy engineers did the legwork needed to automate a unified threat stream, and their design allows Eos.ii to serve as a fusion SOC that can bring the power of artificial intelligence to bear on the challenge of monitoring energy infrastructure.
AI-based solutions address the dual need for adaptability and lasting vigilance. By trawling huge volumes of operational data, machine learning algorithms can learn the expected relationships between variables, recognize patterns invisible to the human eye, and highlight anomalies for human investigation. Because machine learning can be trained on real-world data, it can learn the unique characteristics of each facility and iteratively learn to distinguish between benign and consequential anomalies. Analysts can then set up alerts to monitor for specific threats or ignore known sources of noise.
Extending monitoring and detection to the OT realm makes it harder for attackers to hide, even when novel zero-day attacks are used. In addition to examining traditional signals such as signature-based detections or network traffic spikes, analysts can now observe the effects of new inputs on real-world equipment. Cleverly disguised malware still raises red flags by creating operational anomalies. In practice, analysts using AI-based systems have found that the Eos.ii detection engine is sensitive enough to predict maintenance needs (for example, when a bearing begins to wear and the ratio of inlet steam to power output begins to shift).
Done right, monitoring and detection covering both IT and OT should expose intruders. Analysts investigating alerts can review user histories to identify the source of an anomaly and then pivot to see what else was changed in a similar time frame or by the same user. For energy companies, this increased sensitivity means significantly reduced risk – if they can determine the extent of an intrusion and identify which particular systems have been compromised, they will have surgical intervention options that correct the problem with minimal collateral damage – for example, by shutting down one branch and two pumping stations instead of the whole pipeline.
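The three detection ideas the article describes (a command that is legitimate only in a given operating state, a learned relationship between process variables that drifts when something is wrong, and pivoting from an alert to everything the same account changed) can be sketched as plain rule and baseline logic. The code below is an added illustration, not Siemens Energy's or Eos.ii's code; the telemetry rows, the field names and the 250 °C steam-admission threshold are all constructed placeholders, not real plant data or vendor tolerances.

```python
from statistics import mean

FIELDS = ("ts", "user", "command", "turbine_temp_c", "inlet_steam_tph", "power_mw")
# Constructed sample records (not real plant data): each control command is
# joined with the plant state observed at the same moment, which is the
# "contextual data" the article says OT detection needs.
TELEMETRY = [dict(zip(FIELDS, row)) for row in [
    ("08:00", "op_alice",   "ADMIT_STEAM", 480.0, 300.0, 100.0),
    ("08:05", "op_alice",   "NONE",        485.0, 303.0, 101.0),
    ("08:10", "op_alice",   "NONE",        490.0, 306.0, 102.0),
    ("08:15", "op_alice",   "NONE",        488.0, 299.0, 100.0),
    ("08:20", "op_alice",   "NONE",        486.0, 300.0, 100.0),
    ("08:25", "op_alice",   "NONE",        487.0, 330.0, 100.0),  # more steam, same power
    ("21:40", "svc_vendor", "ADMIT_STEAM", 120.0,   0.0,   0.0),  # steam into a cold unit
]]

# Assumed operating tolerance (placeholder, not a vendor figure): admitting
# steam below this metal temperature risks thermal shock to the rotor.
MIN_TEMP_FOR_STEAM_C = 250.0


def context_alerts(records, min_temp=MIN_TEMP_FOR_STEAM_C):
    """Same command, different verdict: ADMIT_STEAM is fine on a hot turbine
    and flagged on a cold one."""
    return [(r["ts"], r["user"], "ADMIT_STEAM on cold turbine")
            for r in records
            if r["command"] == "ADMIT_STEAM" and r["turbine_temp_c"] < min_temp]


def ratio_alerts(records, train=5, tolerance=0.08):
    """Learn the expected inlet-steam / power ratio from the first `train`
    running records, then flag later readings that drift beyond `tolerance`.
    Records with zero output are skipped: the ratio is undefined at standstill."""
    running = [r for r in records if r["power_mw"] > 0]
    ratios = [r["inlet_steam_tph"] / r["power_mw"] for r in running]
    baseline = mean(ratios[:train])
    return [(r["ts"], round(ratio / baseline - 1, 3))
            for r, ratio in zip(running[train:], ratios[train:])
            if abs(ratio / baseline - 1) > tolerance]


def changes_by_user(records, user):
    """Pivot from an alert to every command the same account issued."""
    return [(r["ts"], r["command"]) for r in records
            if r["user"] == user and r["command"] != "NONE"]


if __name__ == "__main__":
    for alert in context_alerts(TELEMETRY) + ratio_alerts(TELEMETRY):
        print("ALERT", alert)
```

Against the constructed rows this raises one context alert (the 21:40 steam admission at 120 °C) and one drift alert (the 08:25 reading, roughly 10 % more steam per megawatt than the baseline, the kind of shift the article attributes to a wearing bearing), and the pivot lists the single command the `svc_vendor` account issued.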
As energy systems continue their trend towards hyperconnectivity and pervasive digital controls, one thing is clear: a given company’s ability to provide reliable service will increasingly depend on its ability to create and maintain strong, definitive cyber defenses. AI-based monitoring and detection offers a promising start.
To learn more about Siemens Energy’s new AI-based monitoring and detection platform, read the latest whitepaper on Eos.ii.
You can find more information about Siemens Energy cybersecurity at: Siemens Energy Cyber Security.
This content is produced by Siemens Energy. It was not written by the editorial staff of MIT Technology Review.
