In the past, energy companies typically kept the operational systems that run pipelines or power plants disconnected, or “air gapped,” from the broader internet, which meant that hackers could not easily gain access to the most critical infrastructure. But increasingly that’s no longer the case, as companies install more sophisticated monitoring and diagnostics software that helps them operate these systems more efficiently. That potentially creates new cybersecurity risks.
“Now these systems are all interconnected in ways that the companies themselves don’t always fully understand,” said Marty Edwards, vice president of operational technology for Tenable, a cybersecurity firm. “That provides an opportunity for attacks in one area to propagate elsewhere.”
Many industrial control systems were installed decades ago and run on outdated software, which means that even finding programmers to upgrade the systems can be a challenge. And the operators of vital energy infrastructure — such as pipelines, refineries or power plants — are often reluctant to shut down the flow of fuel or power for extended periods of time to install frequent security patches.
Making things harder still, analysts said, many companies do not always have a good sense of exactly when and where it’s worthwhile to spend money on costly new cybersecurity defenses, in part because of a lack of readily available data on which types of risks they are most likely to face.
“Companies don’t always release a lot of information publicly” about the threats they’re seeing, said Padraic O’Reilly, a co-founder of CyberSaint Security, who works with pipelines and critical infrastructure on cybersecurity. “That can make it hard as an industry to know where to invest.”
Analysts said that the nation’s electric utilities and grid operators were typically further ahead in preparing for cyberattacks than the oil and gas industry, in part because federal regulators have long required cybersecurity standards for the backbone of the nation’s power grid.
Still, vulnerabilities remain. “Part of it is the sheer complexity of the grid,” said Reid Sawyer, managing director of the United States cyberconsulting practice at Marsh, an insurance firm. Not all levels of the grid face mandatory standards, for instance, and there are more than 3,000 utilities in the country with varying cybersecurity practices.