The largest U.S. state-owned public power utility and a German energy company are launching a cybersecurity research lab to address “worsening” hacking threats to the power grid, according to an announcement today.
The New York Power Authority (NYPA) and Siemens Energy AG unveiled plans for a first-of-a-kind “Center of Excellence” aimed at improving the defenses of the operational technology (OT) that manages the power grid and other critical infrastructure.
The center will be run out of NYPA’s Advanced Grid Innovation Laboratory for Energy in White Plains, N.Y., and it will act as a “hub that will bring together leading public, private and academic institutions,” said Leo Simonovich, head of industrial cybersecurity at Siemens Energy, a power- and gas-focused business that spun off from industrial giant Siemens AG this month (Energywire, July 10).
One of the immediate issues the lab will focus on is the convergence between IT and OT systems, a risk that prompted a rare warning from the National Security Agency and the Department of Homeland Security last week (Energywire, July 28).
Cybersecurity experts have long warned of the dangers posed by merging business systems, where workers check email and browse websites, with computers that physically control equipment like circuit breakers and large power transformers. Hackers can gain initial access to IT systems before turning toward OT networks that are often left unpatched and vulnerable to common cyberattacks.
The ongoing coronavirus pandemic has further elevated the need to address the IT/OT convergence, Simonovich said, as more employees are working from home and connecting into the operating environment.
“All that means is that we need to do something quicker and we need to collaborate faster” to build out common defenses, Simonovich said.
The effort is currently funded with seed money but will aim to pick up federal funds and grants, according to Kenneth Carnes, vice president and chief information security officer at NYPA.
“We can develop and grow this to find answers for the industry in the sector far into the future about how to secure against these ever-changing threats,” he said.
The center will also develop training programs and work with universities to close the growing gap in qualified cybersecurity experts, Carnes said. The workforce shortage is especially prevalent in smaller utilities that don’t have the resources to add in-house cybersecurity staff.
“Ultimately, we want to be the model that others can leverage,” Carnes said. “We want to be the test bed so that they don’t have to do this huge upfront burn, but we hand them a workable solution that’s cost-competitive.”
Costly data breaches
The announcement of the cybersecurity center came as tech giant IBM released a report singling out the energy sector for suffering particularly high costs from state-sponsored cyberthreats.
IBM Security found that recent data breaches have hit energy companies’ bottom lines the hardest compared with other industries.
The “Cost of a Data Breach Report 2020” looked at 542 organizations across 17 industries that were hit by hackers from last August to April, and it revealed that the energy sector saw the highest jump in expenses related to each incident. The report relied on estimates provided by surveyed organizations.
“At a time when businesses are expanding their digital footprint at an accelerated pace and the security industry’s talent shortage persists, teams are overwhelmed securing more devices, systems and data,” said Wendi Whitmore, vice president of IBM’s X-Force incident response and intelligence services team, in a statement.
Compared with last year’s report, the energy sector saw a 14% increase in breach costs, with an average of $6.39 million per breach, IBM said. The price tag of each energy-sector breach has nearly doubled since 2017, according to the report.
The higher costs are partially because state-sponsored threats cause more damage and are increasingly targeting critical infrastructure like the power grid, said Chris Scott, director of security innovation and remediation at IBM Security.
“Nation-states have funding to accomplish these goals, and so your risk levels are higher,” Scott said, “because that’s their job, to get into the environment.”