Energy companies are under pressure from all sides when it comes to the cyber security of their critical infrastructure. The spiraling skills gap is set against an increasingly dynamic risk landscape and more far-reaching legislation. Nevertheless, companies must quickly find ways to set up their own operational technology (OT) security expertise.
Author: René Krause, Rhebo GmbH
Increase in cyber attacks threatens OT networks
The potential risk for OT networks is clearly increasing. Cybersecurity expert Paolo Passeri has been collecting reports on cyberattacks since 2011 and analyzing them by affected sectors and forms of attack. Between 2017 and 2022, cyber incidents in the core sectors with OT networks (including production, energy and telecommunications) increased from around 300 to almost 1,400 per year [1] (Fig. 1). For the first three quarters of 2023, he already counted 1,226 incidents. This corresponds to an increase of 34% compared to the same period in 2022.
In May 2023, almost two dozen energy supply companies in Denmark fell victim to various cyberattacks that exploited new vulnerabilities in firewalls. Several companies went offline. In at least one case, the substation control had to be switched to manual operation.
In February 2024, PSI Software, an established supplier of control technology systems, was the target of a ransomware attack. As a critical infrastructure operator, PSI reacted quickly and professionally to prevent the worst from happening. In addition, PSI customers have been able to protect the core of their control technology from security incidents since 2023 with the network-based intrusion detection system (NIDS) from Landis+Gyr’s OT security company Rhebo [2]. Nevertheless, the case has the potential of a supply chain compromise like SolarWinds in 2020, in which the actual target companies (including Microsoft and various US authorities) were attacked via the supplier and service company.
To date, the source of most security incidents has almost exclusively been found in corporate IT. Unfortunately, this is not the “all-clear” for OT networks, as OT is no longer an isolated entity. Today, industrial systems are closely integrated with corporate IT.
Alongside the connection to IT, OT itself has always been the weak spot in cybersecurity. In 2023, the US Cybersecurity & Infrastructure Security Agency (CISA) published a total of 415 advisories for newly discovered vulnerabilities in operational technology components (ICS advisories).
In vulnerability assessments in the OT networks of predominantly energy distribution network operators and municipal utilities, Rhebo, the cybersecurity company of Landis+Gyr, identified an average of 26 existing risk types per OT network in 2023 (Fig. 2).
This broad risk exposure of OT collides with the prevailing – if not even escalating – skills gap in OT security. By 2022, the global gap between demand and availability of cybersecurity specialists had already widened by 26% compared to the preceding year. This trend continued in 2023. In Europe, there is a shortage of almost 348,000 cybersecurity experts, and 92% of all companies reported a lack of expertise on new cyber issues in their cybersecurity teams.
At present, the skills gap is not identified for the IT security and OT security areas separately. However, the distress level in OT security is likely to be even greater. After all, this area is still uncharted territory for the training market and most companies. And NIS2 keeps increasing the pressure.
NIS2 will suddenly increase the number of companies within the EU that are legally obliged to ensure cyber security to over 400,000. For Germany alone, this means a six-fold increase. These companies will need to build up OT security expertise within a short space of time and expand their cyber security management, especially in industrial infrastructures. In view of the statutory liability of management in this area, effective, practical and quickly implementable solutions are needed.
Despite the ongoing shortage of skilled workers, companies still have effective leverage to build up their OT expertise through managed services in the form of “training-on-the-job”.
The first step is to close major gaps in the short term. External experts take over the operation of the OT intrusion detection system, analyze and assess any anomalies identified, inform security managers and operators within the company and provide recommendations for mitigation. Due to the sensitivity of industrial processes, decisions on mitigation measures and their implementation remain the responsibility of the respective company. The company’s security managers can thus react quickly and in an informed manner.
The second step is to fill an OT security position internally. Operation of the intrusion detection system is then transferred to the company. From this point on, the external cybersecurity service team is available as a “sparring partner”. Security incidents or technical error states identified by the OT intrusion detection system are regularly assessed jointly and mitigation measures are coordinated. The aim is to transfer knowledge in a targeted manner in order to continuously build up internal expertise and to ensure that those responsible are OT security-savvy.
The step-by-step approach not only relieves the pressure of the new challenge. By focusing on knowledge transfer while building up in-house expertise, the long-term investment framework also remains predictable.