BitSight Insights

OT/IT Convergence: Why Vendor Risk Matters to Energy and Utilities

Ben Fagan | October 8, 2015

BitSight’s Third Annual BitSight Insights Industry Benchmark Report: Are Energy and Utilities at Risk of a Major Breach? discussed the growing convergence of operational technologies (OT) and information technology (IT). In short, this issue revolves around making operational technologies internet-enabled. These technologies, which include generation, transmission, smart grid systems, meter reading and more, are increasingly being brought online to enable a smarter grid and smarter systems.

The convergence of OT and IT makes a lot of sense: it allows these operational technologies to be more efficient. Nevertheless, this trend toward bringing operational technologies onto the internet presents major risks. SANS has highlighted this problem in a recent report, noting, "building automation systems, rife with networked monitoring, control and reporting devices can be interrupted either by attacking the devices individually or disrupting the network itself, and automated pharmaceutical production can be halted by events as simple to implement as buffer overflow or denial of service attacks." Disruption to the Energy or Utility sector could have serious consequences. Large insurer Lloyd’s has estimated that a cyber outage of the electric system could cause up to a trillion dollars of economic loss.

So what can Utility and Energy companies do about this growing threat? Beyond implementing best security practices in-house, companies need to be hyper-aware of the risks posed by vendors. As evidenced in breaches affecting industries such as Retail and Finance, vulnerabilities within the networks of third-party vendors can pose a major security threat to internal systems. As Utility and Energy companies begin to connect important systems to the internet, these companies need to be aware of which vendors have access to their network and their sensitive data. Beyond thorough audits, penetration tests and questionnaires, this industry can implement continuous monitoring of all vendors in order to make sure that issues on outside networks are remediated before they pose a threat to these increasingly connected systems that we rely upon every day.

What are central challenges for other industries?

Download the third annual industry benchmark report to learn what the key cybersecurity challenges are for the Finance, Federal Government, Healthcare, Retail, and Education sectors. 
