In early 2021, Americans living on the East Coast learned a hard lesson about the growing importance of cybersecurity in the energy industry. A ransomware attack hit the company operating the Colonial Pipeline, a major infrastructure artery that carried almost half of the liquid fuel from the Gulf Coast to the eastern United States. Knowing that at least some of its computer systems had been compromised, but unable to determine the severity of the problem, the company was forced to resort to a drastic solution: shutting down the entire pipeline.
The interruption of fuel deliveries had huge consequences. Fuel prices soared immediately. The President of the United States intervened in an attempt to reassure panicked consumers and businesses that fuel would soon be available. Five days later, after suffering millions of dollars in economic losses and paying a ransom of 4.4 million dollars, the company resumed operations.
It would be a mistake to treat this incident as a story about a single pipeline. Across the energy sector, more and more of the physical equipment that produces and transports fuel and electricity around the country and the world depends on digitally controlled, networked devices. Systems originally designed for analog operation have been retrofitted. The new wave of low-emission technologies, from solar to wind to combined-cycle turbines, is digital by nature, using automated control to extract every bit of efficiency from its energy source.
At the same time, the covid-19 crisis has accelerated an existing trend toward remote operations and more complex automation. Large numbers of workers have shifted from reading dials on the plant floor to reading screens from the couch. Anyone who knows how to log in can now use powerful tools that change how power is generated and routed.
These changes are good news: the world is getting more energy, fewer emissions, and lower prices. But they also expose the kinds of vulnerabilities that brought the Colonial Pipeline to a sudden halt. When hijacked by attackers, the same tools that empower legitimate energy-sector workers become dangerous. For example, a command could be issued to a hard-to-replace device that causes it to shake itself apart, leaving much of the national grid unavailable for months.
For many nation-states, the ability to push a button and sow chaos in a hostile country's economy is highly desirable. The more connected and digitally managed energy infrastructure becomes, the more targets it offers for that purpose. It is therefore not surprising that more and more cyberattacks in the energy sector have shifted from targeting information technology (IT) to operational technology (OT), which directly controls the physical operations of a plant.
To meet the challenge, Chief Information Security Officers (CISOs) and their Security Operations Centers (SOCs) must update their methods. Defending operational technology requires a different strategy and a distinct knowledge base from defending information technology. First, defenders need to understand the operating state and tolerances of their assets: a command to push steam through a turbine works well when the turbine is warm, but may destroy it when the turbine is cold. The same command may be legitimate or malicious depending on the context.
Even collecting the contextual data required for threat monitoring and detection is a logistical and technical nightmare. A typical energy system consists of equipment from several manufacturers, installed and modified over decades. Only the most modern layer was built with cybersecurity as a design constraint, and the machines rarely share a common language.
For most companies, the current state of cybersecurity maturity has many shortcomings. A near-omniscient view of IT systems sits alongside large OT blind spots. Data lakes swell with carefully collected outputs that cannot be combined into a coherent, comprehensive picture of operational state. Analysts are worn down by alert fatigue as they try to manually separate benign alarms from consequential events. Many companies cannot even produce a complete inventory of the digital assets legitimately connected to their network.
In other words, the ongoing energy revolution is a dream for efficiency and a nightmare for security.
Protecting the energy revolution requires new solutions that can identify and act on threats from both the physical and the digital world. Security operations centers need to integrate IT and OT information flows into a single unified threat stream. Given the scale of the data flow, automation will have to play a role in applying operational knowledge to alert generation: is this command the same as usual, or does the context indicate that it is suspicious? Analysts need broad and deep access to contextual information. And as threats evolve and companies add or retire assets, defenses will need to evolve and adapt with them.
This month, Siemens Energy launched a monitoring and detection platform designed to address the core technology and capability challenges faced by CISOs responsible for protecting critical infrastructure. Siemens Energy engineers have done the work required to automate a unified threat stream, enabling their product, Eos.ii, to act as a converged SOC and to bring artificial intelligence to bear on the challenge of monitoring energy infrastructure.
AI-based solutions meet the twin needs of adaptability and continuous vigilance. Machine learning algorithms trawl large volumes of operating data to learn the expected relationships between variables, identify patterns invisible to the human eye, and flag anomalies for human investigation. Because machine learning can be trained on real-world data, it can learn the unique characteristics of each production site, and iterative training can teach it to distinguish benign from consequential anomalies. Analysts can then tune alerts to watch for specific threats or to ignore known sources of noise.
Extending monitoring and detection into the OT space makes it harder for attackers to hide, even when they deploy unique zero-day attacks. In addition to checking traditional signals such as signature-based detections or spikes in network traffic, analysts can now observe the effect of new inputs on real-world equipment. Cleverly disguised malware will still raise a red flag by creating operational anomalies. In practice, analysts using the AI-based system have found the Eos.ii detection engine sensitive enough to predict maintenance needs, for example when bearings begin to wear and the ratio of steam input to output begins to drift.
Done well, monitoring and detection across IT and OT should expose intruders. Analysts investigating an alert can trace user history to determine the source of the anomaly, then roll forward to see what else changed in a similar time frame or by the same user. For energy companies, greater precision means a significant reduction in risk: if they can establish the scope of an intrusion and identify which specific systems are compromised, they have surgical response options that solve the problem with minimal collateral damage, for example shutting down one branch office and two pumping stations instead of an entire pipeline.
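The two detection ideas the article describes, a command whose legitimacy depends on asset state (the warm-versus-cold turbine from the CISO discussion) and a learned relationship between process variables whose drift signals trouble (the steam input-to-output ratio from the Eos.ii discussion), can be sketched in a few dozen lines. The following is an added example, not Siemens Energy or Eos.ii code; every asset name, user name, threshold (the 300 degC warm limit, the 3-sigma band, the 3-sample window) and telemetry row is constructed for illustration. It learns a baseline ratio from a clean window, then walks the stream and emits alerts that carry the issuing user and the context an analyst would need to trace the history.

```python
"""Context-aware OT alerting over constructed turbine telemetry (added example)."""
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Optional, Tuple


class Sample(NamedTuple):
    t: int                    # sample index (stands in for a timestamp)
    asset: str
    turbine_temp_c: float     # casing temperature (constructed value)
    steam_in: float           # steam flow into the turbine
    power_out: float          # electrical output
    command: Optional[str]    # control command seen in this interval, if any
    user: Optional[str]       # account that issued the command


class Alert(NamedTuple):
    t: int
    asset: str
    kind: str                 # "context" or "drift"
    detail: str


# Hypothetical operating envelope: a steam ramp is only safe once the turbine
# is warm. 300 degC is an assumed threshold for the example, not a real figure.
MIN_TEMP_FOR_RAMP_C = 300.0
DRIFT_SIGMA = 3.0     # how far the power/steam ratio may stray from baseline
DRIFT_WINDOW = 3      # consecutive out-of-band samples before reporting drift

# Constructed telemetry. Rows 1-5 are a clean warm-running window used as the
# baseline; the later rows contain the two situations to be detected.
TELEMETRY = [
    Sample(1, "turbine_A", 410.0, 100.0, 50.0, None, None),
    Sample(2, "turbine_A", 412.0, 100.0, 50.5, None, None),
    Sample(3, "turbine_A", 415.0, 100.0, 49.5, None, None),
    Sample(4, "turbine_A", 418.0, 100.0, 50.2, None, None),
    Sample(5, "turbine_A", 420.0, 100.0, 49.8, None, None),
    Sample(6, "turbine_A", 421.0, 100.0, 50.1, "ramp_steam", "op_alice"),   # warm: benign
    Sample(7, "turbine_B", 150.0, 100.0, 50.0, "ramp_steam", "svc_remote"), # cold: suspicious
    Sample(8, "turbine_A", 420.0, 100.0, 47.0, None, None),   # ratio starts to drift
    Sample(9, "turbine_A", 420.0, 100.0, 46.5, None, None),
    Sample(10, "turbine_A", 420.0, 100.0, 46.0, None, None),
]


def learn_baseline(rows: List[Sample]) -> Tuple[float, float]:
    """Mean and population std-dev of power_out/steam_in over a clean window."""
    ratios = [r.power_out / r.steam_in for r in rows if r.steam_in > 0]
    if len(ratios) < 2:
        raise ValueError("need at least two samples with steam flow")
    return mean(ratios), pstdev(ratios)


def evaluate(rows: List[Sample], baseline: Tuple[float, float],
             min_temp: float = MIN_TEMP_FOR_RAMP_C,
             sigma: float = DRIFT_SIGMA,
             window: int = DRIFT_WINDOW) -> List[Alert]:
    """Walk the telemetry stream and return context and drift alerts."""
    mu, sd = baseline
    alerts: List[Alert] = []
    streak: Dict[str, int] = {}  # per-asset run of consecutive out-of-band samples
    for r in rows:
        # 1. Context check: the command itself is routine; the asset state decides.
        if r.command == "ramp_steam" and r.turbine_temp_c < min_temp:
            alerts.append(Alert(r.t, r.asset, "context",
                                f"ramp_steam by {r.user} at {r.turbine_temp_c:.0f} degC "
                                f"(below {min_temp:.0f} degC warm threshold)"))
        # 2. Relationship check: sustained departure of the power/steam ratio.
        if r.steam_in <= 0:
            continue  # no flow, ratio undefined; skip rather than divide by zero
        ratio = r.power_out / r.steam_in
        if abs(ratio - mu) > sigma * sd:
            streak[r.asset] = streak.get(r.asset, 0) + 1
            if streak[r.asset] == window:  # report once per drift episode
                alerts.append(Alert(r.t, r.asset, "drift",
                                    f"power/steam ratio {ratio:.3f} outside "
                                    f"{mu:.3f} +/- {sigma * sd:.3f} for {window} samples"))
        else:
            streak[r.asset] = 0
    return alerts


def run_demo() -> List[Alert]:
    """Learn from the first five rows, then evaluate the whole constructed stream."""
    return evaluate(TELEMETRY, learn_baseline(TELEMETRY[:5]))


if __name__ == "__main__":
    for a in run_demo():
        print(f"t={a.t} {a.asset} [{a.kind}] {a.detail}")
```

Running the demo yields exactly two alerts: the cold-turbine ramp by `svc_remote` at t=7 (the identical command by `op_alice` at t=6 on a warm turbine is silent), and a drift alert on `turbine_A` at t=10 once the ratio has sat outside the learned band for three consecutive samples. Requiring a run of out-of-band samples rather than alerting on the first one is what keeps a single noisy reading from adding to the alert fatigue the article describes.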
As energy systems continue to evolve toward hyper-connectivity and ubiquitous digital control, one thing is clear: a company's ability to provide reliable service will increasingly depend on its ability to build and maintain strong, precise cyber defenses. AI-based monitoring and detection provides a promising start.
To learn more about Siemens Energy's new AI-based monitoring and detection platform, read the latest Eos.ii white paper.
To learn more about Siemens Energy cybersecurity, visit Siemens Energy Cybersecurity.
This content is produced by Siemens Energy. It was not written by the editors of MIT Technology Review.