Cybersecurity risk in the Energy sector

Martin Smith – Operations Director at Cyber Prism – discusses cybersecurity risk in the Energy sector

During a 33-year military career, Martin Smith worked extensively in maritime security and information superiority. He headed the military contribution to shipping and Oil & Gas counter-terrorism, modernised the Royal Marines’ information and intelligence capability and commanded multinational counter-piracy operations. He led service personnel at every rank and left the Armed Forces in January 2018 having commanded the country’s 7,000 Royal Marines.

Martin joined Cyber Prism Maritime in September 2018 with a remit to expand its Operational Technology (OT) and Information Technology (IT) security business in the Oil and Gas, Shipping and Superyacht markets and to use his experience to grow Cyber Prism’s monitoring and incident response capability. 

As Operations Director of Cyber Prism, what are the biggest challenges that you face in your job?

“Last year I would have said the general awareness of the threat and the need to take action. However, I think that the risks associated with a cyber-attack are now starting to become clear to everyone. There is still a little way to go in Operational Technology (OT), as opposed to Information Technology (IT), but the Network and Information Systems Regulations and the Health and Safety Executive’s involvement are starting to condition thinking within the Energy industry.  That said, I believe that there is still an understanding gap which reaches up to board level and that our response as an industry to these threats is by no means mature. Sitting on Munich Reinsurance’s Experts Panel, we can see the difficulties that companies have in running cyber security expenditure through a cost/gains analysis with relatively little data.”

How does Cyber Prism protect offshore platforms and marine vessels from cyber security threats?

“Cyber Prism is a solutions company with a broad offering including risk management and regulatory compliance; network configuration and monitoring; incident response and restoration; and workforce training and awareness. We deal in the physical and behavioural, as much as the technical realm, either providing a holistic service or identifying and filling gaps in a client’s security profile.”

“We are bringing new capabilities to the market. Our Cyber Controls Superset subsumes 12 forms of regulation and guidance and 30 cyber controls to produce a client-specific control set as part of our risk management framework. We are in partnership with Restrata Solutions to provide an OT-capable incident response service and we are developing technologies which will open OT networks to safe monitoring. We are also in talks with Operational Cyber Professionals to provide Operational Technology-specific cyber awareness and training. These partnerships are of huge importance to us. If a company does nothing else, it should train its people and put credible incident response in place.”

Can you explain the new shift in industry focus towards IoT/OT and how this will affect the skills required in the labour market in this sector?

“From my perspective, the GDPR and some high-profile incidents have highlighted information security, not least in the Finance sector.  Less focus has been placed upon the security of industrial control systems, which are increasingly connected as part of the Internet of Things (IoT).  Industrial control systems are somewhat different in nature from Information Technology, being based in large part on Supervisory Control and Data Acquisition (SCADA) and programmable logic.  We refer to this as Operational Technology or OT. Last year’s NISR (Network and Information Security Regulations) started to address OT security, particularly for those companies deemed to be Operators of Essential Services, but this is still a relatively new area.

The need to secure OT systems introduces certain requirements in terms of skills and experience.  OT systems perform essential functions all the time which impact safety and production. You cannot take them offline to work on them whenever you want to and it is easy to damage them if you don’t know what you are doing, with potentially serious consequences.  For this reason, we employ experienced ICS engineers who are also skilled in cyber security. As OT systems are linked to IT and communications systems, we require a very broad skill set. We are lucky to have some people with this experience and count our Technical Director as one of the top two in his field in the UK.”

In your view, how is the Energy industry currently positioned to tackle the emerging threat of cyber security?

“It is difficult to draw conclusions across the full spectrum of the Energy industry.  Some companies are clearly better prepared than others and we see both examples of best practice and significant gaps up and down the supply chain.  In fact, the supply chain poses its own challenges and many of us feel that more detailed guidance needs to sit under the NISR to allow operators to identify those support providers who are most likely to be good cyber partners, especially as increased automation requires greater information sharing and network connectivity.  Reputation is important in the Energy industry and I believe that a company’s ‘cyber reputation’ will be an important procurement consideration in the near future.

I see the involvement of the HSE as a potential positive. Understanding cyber security as a health and safety issue is beginning to unlock some organisational benefits: H&S has a strong culture (which cannot yet be said of cyber security), works across the various divisions within a company and has in place risk analysis and management systems which can often be applied to cyber security.”

Given the skills shortage in this area, how should the Energy industry learn from and work with other sectors to address this shortfall?

“My first thought here is that cross-industry cooperation is not only essential, but also very feasible. There is widespread commonality of equipment and although guidance and practices can be somewhat stove-piped, a good cyber engineer should be able to work across several sectors. We have engineers who can work in Health, Utilities and Shipping from one week to the next and we are starting to extend this flexibility to Energy.

At the same time, a close partnership with academic organisations is essential. It is important to understand whether we are going to train IT students to work on industrial control systems or engineering students to specialise in cyber – or both. Either way, we need to give them industrial experience as rapidly as possible in order to fast track them into OT security.”

What advice would you have for graduates looking to gain skills and experience in this emerging sector?

“Understand that OT cyber security crosses a range of disciplines. Look for early industrial experience in an environment where OT security is well-understood and in which you can interact freely with IT, Engineering, Operations and H&S.”

How can companies best keep themselves informed as to the governmental guidance on this issue?

“The NCSC provides up-to-date advice on its website and its Cyber Assessment Framework is well-recognised. BEIS is the competent authority for the NIS Regulations in the Oil and Gas industry and it looks as though the HSE’s OG86 may provide more detailed guidance as it is updated in line with a better understanding of the application of cyber security measures.”

Published: 26-07-2019