Cybersecurity’s constant evolution to ward off threats keeps companies on their toes — but a focus on people, technology and process can help with awareness and minimize the threat landscape.
During the Cybersecurity in Energy session on March 6 at CERAWeek by S&P Global, industry experts said there are more potential entry points for attack than ever. Attackers often go after the softest targets, which means the network is only as safe as its weakest link. And artificial intelligence (AI) will drive more evolution in the cybersecurity universe.
Nathalie Marcotte, senior vice president and president of process automation at Schneider Electric, said companies are digitizing to gain more visibility of their data and increase operational efficiencies. Digitization means potentially exposing that information to hackers.
“You cannot digitize and then have a shaky backbone on cybersecurity,” she said. Cybersecurity “goes hand in hand in the digital transformation journey they’re taking.”
With hacks now commonplace — on Feb. 28 the U.S. Marshals Service fell victim to a cyberattack — people are also much more aware of the need for cybersecurity now than they have been, she said.
“15 years ago, we had to tell our clients, ‘you are under attack.’ You don't have to have this conversation. Nowadays people are aware that they're at risk,” Marcotte said.
The key elements to focus on when it comes to cybersecurity are “the people, the technology and the process,” she said. “Good process, good training of your talent and (let the) more technical people deal with the technology, but between the three you can address it.”
Anton Dahbura, executive director of the Information Security Institute at Johns Hopkins University, said companies need to have better cultures that are security-aware from leadership down.
Cybersecurity awareness evolves
For a time, companies didn’t know to ask for cybersecurity, Juan Torres, associate laboratory director for energy systems integration at National Renewable Energy Laboratory (NREL), said.
Around the turn of the millennium, when NREL asked utilities why they were not requesting cybersecurity in their systems, “they said, ‘well, the vendors aren’t providing it,’” he said. When NREL asked vendors why they weren’t adding more security into their products, “they said, ‘well the customers aren’t asking for it.”
NREL re-approached the utilities, saying, “Now these vendors are telling us they're not putting this in because you're not asking for it. Why aren’t you asking for it?” Torres said. “And they said, ‘Because we don’t know how.’ That’s what it came down to. It was really eye-opening.”