With the increased interest in cybersecurity and the recent news that utilities are being targeted around the world I’m making sure our readers have seen the latest white paper to come out of the Cisco ‘Brain-Trust’ on security in utilities and the energy industry.
As the white paper announces, “Utilities and energy organizations are part of the critical infrastructure of any nation, which makes them a high-profile target for cyber terrorists and hackers alike. Modernization brings gains in efficiency, but it also increases the attack surface through which threat agents can target utility infrastructure.”
It’s tough being a utility. Constant regulations, standards compliance, security and safety issues. Our security experts analyzed the IT security capabilities of the utilities sector in general, using specific data from the Cisco Capabilities Benchmark Study. They looked at the views of both chief information security officers (CISOs) and security operations (SecOps) managers and, different to other industries, seem closely aligned. What are the differences then, versus other industries? Here are some findings:
73% percent of IT security professionals at utilities say they’ve suffered a public security breach, compared with 55% in other industries.
56% percent of the IT security professionals in utilities say they use cloud-based web security, compared with 36% of the respondents in other industries.
64% percent of CISOs and SecOps managers in the utilities sector say they make use of mobile security tools, compared with 50% of security professionals in other industries.
One important note: The study focused primarily on IT security capabilities, not on the state of operational technology (OT) security. There is a growing trend of convergence between IT and OT, and I and others in Cisco have talked about the ramifications of that trend.
Click the image to download the whitepaper
Despite my earlier claim that the data supports a similarity of views between CISOs and SecOps managers, interestingly the opinions of CISOs and SecOps managers diverge somewhat when the conversation turns to IT security controls. For example, 67% of CISOs say that their organizations have adequate systems for verifying that security incidents have actually occurred, but only 46% of SecOps managers say they have such systems in place. Also, 73% of CISOs say they have well-documented processes for incident response and tracking, while just 54% of SecOps managers say they have such systems. That’s worrying to me.
The white paper has lots of charts and supporting documentation, and discusses the differences between the utility industry and other industries, especially the readiness of using tools and the availability of funds focused on security. One things for sure: utilities are frequently a target of cyber attacks because of their high public profile and the potentially damaging effects of a data breach or service disruption. That explains the figures in my first bullet above (73% versus 55%). This vulnerability further highlights the security challenges that utilities are facing. In many countries, utilities have to report breaches by law, a requirement that may have contributed to the high number of recorded breaches. Perhaps due to their tightly regulated environment, utilities are also slightly more likely than other industries to use internal security incident teams.
At any rate, utilities seem, in many cases, to learn the hard way. What do I mean? Well, publicly breached utility companies lean more heavily on tools such as network security, firewalls, and intrusion prevention systems (IPS), instead of distributed denial-of-service (DDoS) defenses or VPN security tools. For example:
76% of utilities that have dealt with a public breach say they use firewalls and IPS tools, but only 53% of utilities that have not dealt with a public breach use them.
64% of publicly breached utilities use vulnerability scanning tools, compared with 44% of non-publicly-breached utilities.
The figure above illustrates the point. Utilities’ Use of Various Security Threat Defenses (in %)
Interesting, eh? Also, public breaches appear to encourage utilities to more closely examine their security processes. For example: Read More »
What I like about the cloud-based model is that it does not require additional hardware or operational costs associated with on-premises software deployments, which removes the financial barriers that many smaller enterprises have to overcome. Today, the Planet Hippo and Cisco Energy Management partnership works together to:
Help bring innovation to customers in new markets
Work with any ICT device connected to the network, regardless of device type or vendor
Cut energy consumption for savings costs of up to 35 percent
Deliver a return on investment within a few months
An excellent overview of some of the key topics that are top-of-mind for industry executives in both power utilities and oil and gas. Written by Maciej Kranz, Vice President, Corporate Technology Group, the blog covers many of the ‘essentials’ that are going to make the difference between success or failure for many companies in the future:
Business Relevance – how important is Line-of-Business (LoB)? What is Cisco doing to address the new buying centers?
IT/OT Convergence – IT techniques are increasingly used for OT (Operational Technologies). OT has critical needs that IT must take notice of. Is a coming together happening?
Open Standards – Cisco leads the charge here, but proprietary and legacy protocols still endure. How is the industry adapting?
Cross-industry Use Cases – All industries are different, or are they? Maciej talks about commonalities and the inefficiencies of learning from different industries.
Maciej talks about the number of connected “things” in the world that has skyrocketed from about a million in the early 1990s to 13 billion today. He adds that…
“As the Internet of Everything (IoE) gains momentum—digitizing business processes in every industry—we expect to see 50 billion connected devices by 2020. The technology connecting all these devices has become affordable and easy to integrate. But that is not the primary reason for this explosion in connected devices. I believe we are entering a “golden age” of digitization because of the confluence of the following factors”.
I know John Chambers and others are talking about there being 500bn devices connected by 2030, so the challenges and opportunities will grow exponentially.
It is those four elements mentioned above, combined with the “network effect,” which multiplies the value of connections as their number grows,which are are driving the rush to connect everything, Maciej concludes. At Cisco, we have thousands of customers who have already adopted IoT solutions—and every day there are more who see the evidence in their own businesses and industries that the time is now for IoT, he adds.
“Cisco Energy Management has given us a great deal of visibility into our energy consumption and usage patterns and has shown us that energy management can be done easily and seamlessly to deliver a significant return on investment in both reducing our carbon footprint and cutting costs.”
Mark Hennessee Hammond School District Energy Manager
Technology fascinates me for a host of reasons. It improves lives and makes businesses more productive and efficient. It literally touches every facet of our lives, as does energy. In fact, the convergence of technology and energy is proving to be a pathway to smart and sustainable environments. The key is getting past the challenges.
I caught up with Stewart Young, Global Alliance Manager at OSIsoft LLC, a Cisco partner, to find out more about ‘Edge Computing’, or, as some call it, ‘Fog Computing’. With the huge amount of data coming off Industrial sensors and outlying infrastructure, customers are trying to find more ways to rationalize the data while extracting information that they can turn into business intelligence.
As we find out in the “A New Reality for Oil & Gas” Thought Leadership I contributed to:
“The oil and gas industry provides a prime example of the need for “edge computing.” A typical offshore oil platform generates between 1TB and 2TB of data per day.1 Most of this data is time-sensitive, pertaining to platform production and drilling-platform safety. The most common communication link for offshore oil platforms is transmitting data via a satellite connection, with data speeds ranging from 64Kbps to 2Mbps. This means it would take more than 12 days to move one day’s worth of oil-platform data to a central repository.”
There’s a better, more efficient, more ‘digitized’ way. Analyze the data in real time at the edge of the network. Take notice of anomalies and out-of-line situations. Just send on to the central repository what’s needed for decision making and for the historian. cisco equipment and solutions are getting even more intelligent, so that they can help do this. That’s thanks, in part, to IOx.
What Stewart is showing is how that works in real life. The OSIsoft PI connector runs on IOx on the edge routing equipment. That way ‘lightweight’ (aka just looking for the key anomalies) analytics can be done. And it can be done right next to where it’s happening – in harsh environments, next to oil rigs, refineries, and sensor networks. Products like the Cisco GSR and the 8X9 products have these capabilities, and you’ll see more IOx enabled products and solutions over time, and Cisco working with other partners too.
When I asked Stewart to elucidate on the business benefits (no point in reading this if there aren’t any, right?!), he explained that he’s finding customers are able to expand the sources of data that they’re collecting further out in the field or to the plant/rig/refinery, giving more visibility about what’s happening in real time across the organizational infrastructure. They’re also then able to do some of the analysis sooner and not have to pass it back to a central processing environment. So:
IDC forecasts that, with a business case built on predictive analytics and optimization in drilling, production, and asset integrity, 50 percent of oil and gas companies will have advanced analytics capabilities in place by 2016. As a result, IDC believes that O&G CEOs, for example, will expect immediate and accurate information about top shale opportunities to be available by the end of 2015, improving asset value by 30 percent2.
According to Gartner, O&G firms’ ability to leverage analytics to reduce operating costs and increase production rates “may be an essential survival skill for upstream companies.”3 Gartner mentioned several new analytics methods that are already benefiting the performance of subsurface activities:
Digital completion technologies are boosting ultimate recovery rates for unconventional reservoirs from 3-5 percent to 12 – 16 percent, vastly improving those assets’ competitiveness.
Advanced sensor technologies such as down-hole fiber generate high-resolution reservoir data for conventional assets, enabling more accurate modeling, simulation, and decision-making.
Expanded integration of real-time data from field sensors (old and new) with the reservoir model is enabling more robust 4D modeling and, in turn, more dynamic reservoir management.