WORLD-GENERATION NOVEMBER/DECEMBER 2016
12
With global cyberthreats that
continue to increase in frequency and
scale, the need for cybersecurity and
resiliency is one of the most serious
issues facing energy and utilities
organizations and their boards of
directors today. Protecting confidential
customer information and corporate
assets is critical to building a trusting
relationship with customers, upholding a
company’s brand, and for the energy &
utilities industry in particular, protecting
national security.
SECURINGTHE SMART GRID MUST GO
BEYOND BRAND REPUTATIONTO ISSUES
OF PUBLIC SAFETY
As grid modernization projects are
adopted, the importance of incorporating
a strong cybersecurity program from the
inception cannot be overstated. The
energy and utilities sector handles vast
amounts of proprietary customer data
such as bank account details and credit
card numbers. This data, when combined
with the critical mandate to protect
national infrastructure from external
threats, underscores the imperative for
organizations to double down on security
measures.
Vulnerability to cyberthreats grows
as an increase in systems results in more
potential entry routes to customer data.
This is especially true as energy and
utilities companies roll out web-based
solutions such as online billing and
Internet of Things (IoT) devices like
smart meters to deliver efficiencies and
enhance the customer experience.
Therefore, managing risk while
disrupting traditional business models
must go hand in hand.
Organizations must understand the
security risks and implement plans and
systems to safeguard all devices, sensors
and things connected to their networks.
The goal is to help maintain a safe
environment for customer information
while also helping protect public safety.
So, what are some of the big
cybersecurity issues keeping CIOs and
CSOs up at night? In this article, I’ll share
a snapshot of the cybersecurity landscape
within the backdrop of Verizon’s annual
Data Breach Investigations Report, and
will also explain what this means for
businesses today, including the critical
need for strong cybersecurity strategies
and plans. In addition, I’ll offer
recommendations on steps that
organizations can take to strengthen
security to better serve their customers,
including today’s highly digital and
mobile consumer population.
DBIR
A recent picture of the cybersecurity
landscape will help to set the stage for
discussing the major threats to the
energy & utilities industry. Verizon’s Data
Breach Investigations Report (DBIR),
now in its ninth year of publication,
reflects incident data from contributing
organizations across the globe to expose
what’s happening on the cyber
battlefields. The 2016 DBIR provides
insights based on more than 100,000
incidents, including 2,260 analyzed
breaches, from across 82 countries.
The major plot line of this year’s story
involves cybercriminals exploiting
common errors and human weakness in
pursuit of financial gain. Consider the
following DBIR statistics:
89% of confirmed breaches had a
financial or espionage motive;
63% of confirmed breaches involved
leveraging weak, default or stolen
passwords; and 30% of phishing messages
were opened in 2015, and 12% of targets
clicked on the malicious attachment or
link.
In addition, the DBIR found that most
attacks exploit known vulnerabilities that
have never been patched despite patches
being available for months, or even years.
In fact, the top 10 known vulnerabilities
accounted for 85% of successful exploits.
Essentially, basic defenses continue to be
sorely lacking in many organizations.
How does this all apply to the energy
and utility sector specifically? According
to Verizon’s research, the vast majority of
security incidents across the energy &
utilities industry involved cyber espionage
(38%) in which state-affiliated actors
breach an organization to target
intellectual property; crimeware (19%)
which is any use of malware to
compromise systems, and is typically
opportunistic and motivated by financial
gain; and, Denial-of-service (12%) which
is the use of botnets to overwhelm an
organization with malicious traffic and
bring operations to a halt.
(continued page 21)
CYBERSECURITY SNAPSHOT
BY MICHAEL KOTELEC,
GLOBAL PRACTICE LEADER,VERIZON ENTERPRISE SOLUTIONS’ENERGY & UTILITIES PRACTICE
PERSPECTIVE