CYBER-SECURITY IN THE ENERGY SECTOR
Topic
Institution Affiliation
Student Name
Date
Cyber-security in the Energy Sector
Introduction
The introduction section of my research paper will be divided into two main areas: research problem identification and a literature review on the research phenomenon.
Research problem identification
The section will identify the phenomenon under study and why it is a problem.
Research Problem Identification
As technology advances, so does cyber-crime. At present, most industries rely on information technology to deliver good services quickly. The fact that most industries rely on information technology systems in their daily operations implies that these industries are at risk of cyber-attacks (Karchefsky & Rao, 2017). Cyber-criminals have picked up on the fact that an attack on infrastructure that provides social amenities is more profitable for them than attacks on businesses. This is not only because an attack on social infrastructure might lead to financial and reputational loss, but also because it might lead to societal collapse. There are two industries that have a massive societal impact if affected by cyber-crime: the utility industry and the energy industry. This study focuses on the energy sector. The primary goal of this study is to identify measures that can be put in place to improve cyber-security in the energy sector.
The energy sector contributes a great deal to the way people live, how they earn their income, and how the economy survives. An attack on an energy provider or distributor can easily collapse an economy and, consequently, a country if there is no effective backup. It is of utmost importance that cyber-security is present and enforced in the energy sector, all the more so considering the most likely impact of a security breach in the sector.
Stakes in the energy sector are high, as cyber-security is entangled with environmental concerns and public safety as well. A successful cyber-attack on an energy provider or distributor has the potential to hinder business efficiency and jeopardize the safety and well-being of the public. Cyber-security specialists understand that no matter how good security is, it does not mean an organization or institution is safe from attacks; all organizations, regardless of their size and security protocols, are vulnerable and at risk of defeat. It is advisable that organizations and institutions, especially those in the energy sector, have proper cyber-security protocols backed up with security principles in place to prevent a cyber-attack.
Literature review
The section looks at supporting articles that explain the research phenomenon or that provide solutions to the phenomenon.
Literature review on cyber-security practices in the energy sector
Two articles were reviewed for the primary purpose of providing insight into cyber-security practices adopted in the energy sector. The information obtained from the review will help reveal the state of affairs in the sector as far as security is concerned. In addition, the information will shed light on the areas of concern.
Energy Industry Cyber-security Report 2015
The first article reviewed is an energy industry cyber-security report that was published in 2015 by the ScottMadden management consultants. The report focused on four main areas. The first area was the industry's perception of cyber risks. The second area of focus was the industry's ability to mitigate cyber risks. The third area of focus was the cyber-security strategies and practices being used in the energy sector (Scottmadden.com, 2015). The fourth area of focus was existing cyber-security obstacles and concerns in the energy sector.
According to the report, there were five main findings. The first finding was that most organizations and companies in the energy sector have cyber-security programs in place and believe that their programs are effective at preventing cyber-attacks. The second finding was that most of the organizations and companies in the energy sector have experienced a security breach that has resulted in the disruption of service provision, disruption of operations, or data loss. The third finding was that insiders or employees of organizations or institutions in the energy sector pose the biggest security risk.
The fourth finding was that most organizations and institutions in the sector acknowledged that cyber-security was the biggest risk in the sector and that they expected their IT and operations technology assets to be attacked. The fifth finding was that most organizations in the industry were lacking real-time actionable intelligence in cyber-security and that they relied on a unified security and controls framework. According to the report, cyber-security in most organizations in the energy sector was the responsibility of the operator of the control systems and the information security officer.
Managing cyber risk in the electric power sector
The second review was of an article published in January 2019 that touched on the state of affairs in the energy sector: the risks in the industry, the practices, and the challenges in the sector. The article starts by noting that the power sector is the most targeted sector in the world. According to the article, if there were a power outage for a long period of time, people would become immobile, they would not have the ability to communicate, and transport and the financial sector would be greatly hampered (Andrew et al., 2019).
The article lists internal threats such as disgruntled contractors, disgruntled employees, and human error as the top risks for cyber-security. In addition, organized criminals have joined the list of top threats to cyber-security in the sector being discussed. For insiders, the biggest impact has been felt in the destruction of critical infrastructure, damage to reputation, and threats to life. For organized criminals, the biggest impact has been felt in the theft of customer data and in financial fraud. Most recent attacks on the power sector by organized cyber-criminals target the industrial control systems with the aim of damaging the power grid.
According to the article, there are three main areas that are the focus of cyber-security in the sector being discussed. The main areas are the people, the processes, and the technology. There are three practices that target people that are used by many organizations in the energy sector. The first practice is the screening of employees and vendors for malicious actors. The second practice is the implementation of security awareness training for all employees. The third practice is the development of forensic training and incident response for key operations technology and information technology personnel, for the purposes of preventing future attacks and reducing the impact of future attacks should they not be prevented.
There are also three practices that target the processes that are used by many organizations in the energy sector. The first practice is documenting and restricting access to high-risk cyber and physical interfaces as well as control systems. The second practice is the identification and design of triage protocols for the purposes of identifying potential cyber-attack risks or threats. The third practice is the expansion of the security protocols to cover not only the organizations but also key supply chain partners such as suppliers.
According to the article, there are also three practices that target the technology that is used by many organizations in the energy sector. The first practice is the separation of high-risk processes from the business network. The second practice is the use of an automated monitoring system for the main purpose of identifying potential security breaches. The third practice is the identification of alternative suppliers with compatible technology in case the primary supplier or their systems are hit by a cyber-attack.
Identified security principles in the energy sector
There are three main principles that have been identified as the most effective at enhancing cyber-security in the energy sector. The first principle is the use of advanced access management. It is no longer secure to use only a username and a password for accessing systems, considering the impact of a cyber-security breach (Saleem & Johnson, 2017). The use of advanced access management systems such as one-time passwords (OTP) and an access monitoring system will help secure systems from cyber-attacks. The main challenge of implementing the above principle is the sharing of passwords or access by insider elements.
The second principle is data encryption. Critical data can be stolen from servers as well as when data is in transit, and for that reason it is important to secure data. For the energy sector, it is recommended that the data encryption principle address the main modes in which data can be stolen. Data should be encrypted both in transit (EIT, encryption in transit) and at rest (EAR, encryption at rest). All data stored and shared should be encrypted using the two encryption methods above, as it is hard to derive information from data encrypted with a combination of the two (Rehm et al., 2017). The biggest threat to the implementation of the above principle is that it is costly and time-consuming to encrypt all data using both encryption methods.
The third principle is the use of a compliance business framework. Since it is already known that insiders are one of, if not the, main threats to cyber-security, it is crucial that organizations in the power sector develop a compliance business framework that touches on the security policies, guidelines, and principles for the entire company. The framework will help limit the insider threat in cyber-security. The main challenge in implementing this principle lies in coming up with policies that touch on all employees while at the same time ensuring that the policies serve security purposes.
References
Andrew Slaughter, Suzanna Sanborn, Paul Zonneveld & Steve Livingston. (2019). Managing cyber risk in the electric power sector. Retrieved from https://www2.deloitte.com/insights/us/en/industry/power-and-utilities/cyber-risk-electric-power-sector.html
Karchefsky, S., & Rao, H. R. (2017). Toward a Safer Tomorrow: Cybersecurity and Critical Infrastructure. In The Palgrave Handbook of Managing Continuous Business Transformation (pp. 335-352). Palgrave Macmillan, London.
Rehm, G. B., Thompson, M., Busenius, B., & Fowler, J. (2017). Mobile Encryption Gateway (MEG) for Email Encryption. arXiv preprint arXiv:1711.02181.
Saleem, D., & Johnson, J. (2017). Distributed Energy Resource (DER) Cybersecurity Standards (No. NREL/PR-5C00-70454). National Renewable Energy Lab. (NREL), Golden, CO (United States).
Scottmadden.com. (2015). Energy Industry Cyber-security Report. Retrieved from https://www.scottmadden.com/wp-content/uploads/2015/07/2015-ScottMadden-Energy-Industry-Cybersecurity-Report_2015-0715.pdf