
Five Tips for Utilities to Combat Cybersecurity Threats

Oct. 30, 2018
The Russian bear is coming, and energy companies do not want to be the proverbial slowest camper

Earlier this month, the United States indicted seven intelligence officers from the Russian Main Intelligence Directorate of the General Staff (GRU) on charges of hacking computers associated with anti-doping sports organizations. However, the hacking was not limited to the anti-doping organizations; allegedly it also extended to an international chemical weapons lab and a global electric company. This latest indictment is a potent reminder for energy companies that the global cybersecurity threat environment is rapidly developing as geopolitical instability increases, and the U.S. energy sector will increasingly find itself in the cross-hairs.

Given this emerging reality, energy companies should consider several practical tips to help prepare for and combat this persistent and growing threat.

First, it is important to remember that hope is not a plan; instead, companies should methodically plan for how to avoid a breach as well as what to do if a breach occurs. Typically, the worst-case scenario is not the breach itself, as bad as a breach may be, but rather the compound problems that occur when breaches are poorly handled because they were poorly prepared for, including from a litigation, regulatory and reputational perspective.

Second, a cybersecurity plan should not be confined to protecting only personal data. Oftentimes, cybersecurity is coupled with privacy, which is critically important, but which is only part of the story for the energy sector. Increasingly, state-based actors are targeting critical infrastructure not to steal employee or customer data, but to cause disruption, or even destruction. In other words, cybersecurity plans and disaster recovery plans need to overlap, while recognizing that traditional disaster recovery plans cannot simply stand in for a cyber attack plan. Cybersecurity presents unique challenges, especially when facing a live, state-based adversary, so plans must be prepared accordingly.

Third, as the threat environment rapidly evolves, so too does the regulatory environment. Therefore, energy companies need to remain abreast of changes and chart a nimble course through the regulatory thicket. This year alone has seen the advent of Europe’s General Data Protection Regulation (GDPR), California’s Consumer Privacy Act of 2018 and the California Internet of Things law, among others. These regulatory requirements overlap, but there also are key differences which need to be addressed in a company’s regulatory strategy.

Fourth, in light of the threat and regulatory changes, these plans must be regularly practiced and updated. A company’s ability to handle a breach is proportional to how well it practices handling a breach. Practicing the plan in advance will help identify whether a control room located in New York has access to the same response plan and contact information that the operators in the control room in Pennsylvania do. Practicing the plan will also ferret out whether simple things like turning the lights off in a control room will disable the ability of the control room to read and execute the plan.

Fifth, it is important to keep in mind that high-tech problems often have low-tech solutions. A wallet card with key contact numbers and flashlights in control rooms can make the difference between a bad day and a tragic one—and these low-tech solutions cost virtually nothing.

Ultimately, preparing and planning for cyber threats and complying with rapidly evolving cyber regulations are the most important things that energy companies can do. As the latest indictment indicates, the Russian bear is coming, and energy companies do not want to be the proverbial slowest camper.

About the Author

Michael Bahar | Partner

Michael Bahar, partner in the Washington DC office, is the co-lead of Eversheds Sutherland's global cybersecurity and privacy practice and a member of the firm’s Litigation practice. As former Deputy Legal Advisor to the National Security Council at the White House, former Minority Staff Director and General Counsel for the US House Intelligence Committee, and as a former Active Duty Navy JAG, Michael provides advice on cybersecurity and privacy, international law and national security law. While with the House Intelligence Committee, he was lead drafter and negotiator for the Cybersecurity Act of 2015, the USA Freedom Act (which reformed certain key surveillance authorities) and four annual Intelligence Authorization Acts. More recently, he was a leader of the Committee’s investigation into the Russian hacking of the 2016 election. Michael offers clients a wealth of knowledge about cybersecurity, information sharing, privacy, crisis management and establishing cybersecurity programs that are not only in accordance with evolving laws and regulations but that also find business opportunities.
