OT/IT Convergence: Why Vendor Risk Matters to Energy and Utilities
Ben Fagan | October 8, 2015
BitSight’s Third Annual BitSight Insights Industry Benchmark Report: Are Energy and Utilities at Risk of a Major Breach? discussed the growing convergence of operational technology (OT) and information technology (IT). In short, this issue revolves around making operational technologies internet-enabled. These technologies - which include generation, transmission, smart grid systems, meter reading and more - are increasingly being brought online to enable a smarter grid and smarter systems.
The convergence of OT and IT makes a lot of sense: it allows these operational technologies to be more efficient. Nevertheless, this trend toward bringing operational technologies onto the internet presents major risks. SANS has highlighted this problem in a recent report, noting that "building automation systems, rife with networked monitoring, control and reporting devices can be interrupted either by attacking the devices individually or disrupting the network itself, and automated pharmaceutical production can be halted by events as simple to implement as buffer overflow or denial of service attacks". Disruption to the Energy or Utility sector could have serious consequences. Large insurer Lloyd’s has estimated that a cyber outage of the electric system could cause up to a trillion dollars of economic loss.
So what can Utility and Energy companies do about this growing threat? Beyond implementing security best practices in-house, companies need to be hyper-aware of the risks posed by vendors. As evidenced by breaches affecting industries such as Retail and Finance, vulnerabilities within the networks of third-party vendors can pose a major security threat to internal systems. As Utility and Energy companies begin to connect important systems to the internet, they need to be aware of which vendors have access to their network and their sensitive data. Beyond thorough audits, penetration tests and questionnaires, this industry can implement continuous monitoring of all vendors in order to make sure that issues on outside networks are remediated - before they pose a threat to the increasingly connected systems that we rely upon every day.
What are the central challenges for other industries?
Download the third annual industry benchmark report to learn what the key cybersecurity challenges are for the Finance, Federal Government, Healthcare, Retail, and Education sectors.