Cybersecurity an organisational and technical issue


A recent companywide vulnerability audit of a large US utility revealed some areas of technical vulnerability in the control system, but most of the findings had to do with organisational problems, such as lack of plant-wide awareness of cybersecurity issues in general, inconsistent administration of systems, lack of a cybersecurity incident response plan and poor physical access to some critical assets.

“Because few companies have the resources to harden all processes against all possible threats, management must guide the development of a security policy that will set organisational security priorities and goals. In having all departments working together, project engineers must understand the security risks and possible mitigation strategies, while IT, which brings much of the security expertise, must understand the need for real‑time availability to keep units online,” says Taru Madangombe, Schneider Electric VP for Southern Africa.

National power grids are increasingly becoming a target of hackers and attacks. Several hacks have been reported across the globe in recent years, drawing the world’s attention to the vulnerability of national power supply systems, and bringing into question the safety of these and other infrastructural services.

Cyber attacks with widespread infrastructural failures as their goal, have the potential to take down a country’s power grid, as already proven by previous attacks. Thus cybersecurity a significant priority for global corporates.

“Often their first step to achieving this is by future-proofing their operations,” says Madangombe.

“In order to future-proof, utilities must revise their attitudes towards cybersecurity, highlighting it as a pressing need rather than an afterthought. Hackers tend to focus on attacking critical infrastructure industrial processes, rather than physical assets.”

Many plants are convinced that their networks are isolated and consequently secure, but without ongoing audits and intrusion detection, that security could just be a delusion. As information sharing between business and operational networks increases, so does the need to secure transactions and data.

“For power generating companies, where consequences of an attack could have widespread impact, the need for cybersecurity is even more pressing,” Madangombe says.

Engineers thus need to pay close attention to network and cybersecurity issues, especially in the open and interoperable nature of today’s industrial automation systems.

“Threats can come from many sources, external or internal, ranging from terrorists, disgruntled employees, to environmental groups and common criminals. Making matters worse, the technical knowledge, skills, and tools required for penetrating IT and plant systems are becoming more widely available. As the incidents of threats increase, the level of sophistication necessary to implement an attack is decreasing, making it easier for intruders.”

Power engineers play a critical role in hardening power operations against intruders, however, collaboration and support of both corporate management and the IT department are essential.

“Management must also recognise that investment in prevention will have a far greater payback than investment in detection and removal. Although investment in the latter areas may be necessary to ward off immediate threats, focusing on activities that prevent attacks in the first place, will reduce the need for future detection and removal expenditures.”