Assets within energy companies can often be 20-30 years old
Speaking at the Cyber Security Show in London, Frederic Stalin, energy sector director at Lockheed Martin UK said that it sometimes comes across assets in energy which are 30 years old or more and said that any system which is 20-30 years old is different to modern expectation.
He said: “Energy is a critical part of infrastructure and energy is a politically interesting topic and close to general public, and everyone has an interest in targeting industry and it could be Government, industry or a potential attacker.
“They do not all include process-type attacks, but they can create real damage and can create damage to infrastructure and the cost is in high figures.”
He admitted that in terms of the issues, we only know the tip of the iceberg as often there is not reporting or awareness of everything which happens and a general trend is rising attacks on process control systems. “The perception of industry is of a rising number of threats and diffused threats from different angles,” he said.
Tony Atkins, regional director of Lockheed Martin Industrial Defender Solutions, pointed at the difference between IT and operational techology (OT), with the latter often being there for 20-30 years and where availability is key and a patch may take 12 months to be applied.
He said that the priority of OT is safety and availability compared to privacy of IT and we see ICS and SCADA all need to be protected and there are a lot of environments. Identifying three challenges: security of internal/external; compliance such as NERC CIP; and change management with miread of assets where you need to know about changing things that could compromise endpoints.
Atkins recommended pulling IT and OT together and adding intelligence to map the environment and change your approach accordingly. “Once you have got threat intelligence you can see how it aligns with your defences,” he said. “Go from a situation of reacting to containing damage, by taking threat intelligence and taking proactive steps.”
He concluded by acknowledging the rapid growth of challenges and more targeting of utilities, but said that there is room to accommodate intelligence and integrate IT and OT and do threat intelligence to develop posture for current and future challenges.