Intelligent CISO Issue 18 | Page 45

industry unlocked

organisation, or ransomware could be used to demand a high pay-out. In the first half of 2019 alone, there were nearly 50 new advisories from ICS-CERT and a spate of new attacks, with LockerGoga stealing the headlines.

Risk four: Third-party fragmentation

There is significantly more third-party involvement in energy firms than in other companies, which leads to their networks becoming more distributed and fragmented. The fact that they have more ingress points than other verticals means that there’s a far wider attack surface for security teams to identify and to protect.

Attacks can be deployed at a nation-state level to cripple a critical organisation.

Risk five: Different devices for different types of providers

There are different types of energy provider – electric, gas, nuclear, etc. – each with a specific mix of specialist devices. Therefore, it’s difficult to create a directive which would have relevance to the entire industry. The level of expert knowledge required within the energy sector’s security and engineering teams is high, making it difficult to achieve cross-departmental knowledge-sharing and collaboration.

Risk six: Siloed teams

IT security and OT engineering teams work in two different worlds. Their objectives are misaligned, their skillsets are not transferable and neither understands how to protect the other.

To overcome this risk, organisations within the energy market need to unify management of their hybrid IT-OT networks. They can achieve this by eliminating silos between teams, gaining full network visibility and understanding how IT and OT impact each other, as well as the risks that each introduces.

In terms of protecting their OT devices, these companies shouldn’t just look at the software that runs the OT devices, but also at the management software used by the HMI (human-machine interface). This software often remains unpatched and will likely run outdated versions of Windows.
If these companies don’t act soon, they are not only putting themselves at risk financially but are also endangering the wider economy and the safety of UK citizens. The time to act is now.