The Energy Sector Needs Security Professionals
The other evening, while assisting my wife in the kitchen — because I'm just that kind of guy — I turned on the microwave and ended up flipping a circuit breaker. It was a simple fix: Walk down the hall, open the fuse box, and reset the switch. Power in the kitchen was out for less than 30 seconds.
Over dinner, we discussed what we would do in the event of a prolonged blackout. Our conversation took a somber turn as we talked about the likelihood of cyberattacks that could take down the energy grid and what we might do to prepare. We threw some ideas around like storing water, keeping enough food on hand and so forth.
(Full disclosure: My real fear is no toilet paper — it will be worth more than gold.)
What really caused me to ponder such a situation was when the wife said, "I'm trusting that the energy companies have enough smart people to protect their power plants from hackers."
The truth is that our energy industry doesn't have nearly enough skilled cybersecurity professionals to guarantee the uninterrupted flow of energy. A 2017 survey by the Ponemon Institute found that nearly 70 percent of oil and gas companies suffered hacks last year that "exposed confidential information and disrupted operational technology." More bad news: Just 35 percent of respondents rated their cyber-readiness as high.
Although considered critical infrastructure, our energy grid isn't in the best condition. A big reason is age: 88 percent of coal plants were built between 1950 and 1990, and our youngest oil refinery is more than 40 years old. We're doing a tiny bit better in terms of nuclear power generation: the older of the two generators at Tennessee's Watts Bar Nuclear Plant began operation in 1996, and the newer unit came online last year.
As the industry shifts to a smart grid and implements necessary upgrades, plants are increasingly connected to the internet, and simultaneously exposed to the risk of a cyberattack.
The energy industry's security situation is precarious for three additional reasons:
1. Not enough cybersecurity pros are trained in energy. Cybersecurity for the energy industry requires a dual niche-skill set: an understanding of IT, as well as of operational technology — knowledge of the machinery and equipment that produces and transmits energy.
2. Most new cybersecurity professionals don't consider taking a position in the energy sector. Salaries have also lagged behind those of the big-name tech companies like Google, Facebook, Amazon, and Microsoft. Compared to working at a tech start-up, working in energy is viewed as being "old fashioned" and "not exciting."
3. The industry has also been slow to adopt cybersecurity. While money is part of the problem, the big hurdle is employees — the average age of power sector employees is 50 — and most haven't been conditioned to prioritize cybersecurity. Every employee needs to learn and implement best practices such as password protections, watching out for unauthorized USBs and other devices, spotting and avoiding phishing attacks and so forth.
With the potential for a malicious hack to our power grid, and some serious damage to our country, you would think that the Federal Government would do something. Well, they have. In 2013, President Barack Obama issued Executive Order 13636, requiring the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, to create a framework to reduce cybersecurity risk for critical infrastructure organizations.
NIST has come up with some good ideas based on existing industry standards, guidelines and practices. Unfortunately, compliance with the framework is voluntary and, thus far, industry adoption has been uneven and oftentimes glacial.
Fortunately, every cloud has a silver lining, and in this instance, it's the number of open cybersecurity positions in the energy sector. If you have a bent for IT and machinery, then there isn't a better time to consider a career in the energy sector.
By 2025, the industry will need to replace 52 percent of its skilled engineers and technicians. In 2012 alone, public and private utilities hired 120,000 new graduates. The country's demand for energy continues to increase. The hundreds of millions of new computers and electric devices will account for 45 percent of power needs by 2020.
The constant warnings from the IT industry about the need for cybersecurity shouldn't be taken lightly, particularly when it comes to our energy grid. The field is ripe for young and enterprising cyber pros looking to make their mark. Keeping the lights on is a whole lot more important than securing social media accounts and credit card numbers.