Thwarting risks in the energy industry

In Lights Out, reporter and author Ted Koppel makes the case that the United States is unprepared for an attack on the electric power grid and that we have entered the era in which a laptop can be a weapon of mass destruction. Although the book covers a variety of potential threats to the grid, the primary focus is on cyberattacks. The pervasive nature of Internet connections has multiplied the vulnerability points almost beyond enumeration. The fragmented structure of the industry makes it difficult both to regulate and to protect.

The vulnerability of the grid was made evident during the blackout of 2003 when software failed to sound an alarm about power lines that had been compromised by hot weather and a high load. The resulting blackout began in Ohio and rippled through eight states and portions of Canada. Power was out for several days, disrupting communications, rail travel, air travel, business and other vital activities. Terrorism was initially suspected, but did not have a role.

Since then, the electric grid has become more robust. At the Department of Energy, the Office of Electricity Delivery and Energy Reliability has partnered with industry, academia and other government agencies to improve the electricity delivery system, conduct research and demonstrate smart grid technologies. As of 2015, about 15 million smart meters were installed, which help balance loads and manage demand, according to the Edison Electric Institute (EEI), an association of electric companies.

Nevertheless, concerns remain. The presence of devices on a grid connected to the Internet poses its own problems. According to Rob Joyce, who leads a division of the National Security Administration that tests for vulnerabilities, heating and cooling systems connected to the Internet are a threat that often goes unrecognized. Many such supervisory control and data acquisition (SCADA) systems are connected without sufficient precautions and many are on the power grid.

Risk ratings

A recent study by BitSight Technologies of nearly 10,000 organizations in six major industries stated that the energy and utilities sector showed greater vulnerability to cyberattacks than other industries or the federal government. BitSight uses external data about an organization’s network to assess risk and produces ratings of risk that are similar to credit report ratings, on a scale of 250 to 900. Data that is collected from outside the organization includes communications with botnets, malware distribution, e-mail server configuration and user behavior.

The products and services of BitSight monitor vendor risk, perform benchmarking for companies directly, assess risk for the purposes of cyber insurance and evaluate risk for merger and acquisition portfolio management for private equity firms. “Extended supply chains and outsourcing have made it more difficult to assess and manage risk,” says Stephen Boyer, founder and CTO of BitSight. “There is less visibility and less control.”

BitSight can determine whether a computer network has been compromised and for how long. “There are many ways to determine from the outside whether machines have been compromised,” Boyer says. “We can see the ongoing communications from a company’s IP addresses to external servers.” A typical vulnerability might be a network printer that has not had its software updated with new patches, so it can be used to attack another system. “If an organization detects a problem, responds to it and recovers, it scores well in our rating,” Boyer adds.

BitSight currently rates more than 40,000 organizations, allowing its customers to benchmark themselves against specific peers or competitors, as well as industry averages. While BitSight does not publicly comment on the performance of specific companies, it does analyze industrywide security trends.

“The oil and gas supply chain has a unique set of challenges and issues,” Boyer says. “They have facilities throughout the world, and everyone knows there have been major breaches in most industries. The boards of these companies are asking them how they will manage the risks. Our ratings can give them an idea of how they are doing and how they can get better.”

A broad look at risk

Knowledge management technologies are playing a significant role in helping to manage risk in the energy industry in other ways. Text analytics solutions are being used to analyze unstructured information, including internal documents and external news sources, to help detect potential problems, for example. Cogito Risk Watcher from Expert System is being used by the oil and gas industry to read and interpret large quantities of unstructured information to assess risk and develop business opportunities.

“A typical issue for risk management would be political instability in certain geographic areas,” says Luca Scagliarini, VP strategy and business development for Expert System. “Companies are interested in big economic or political movements but also in small groups that might have an impact on corporate risk.” Text analytics provides the ability to consume and interpret large amounts of text to look for indicators of problems in near real time. Expert System partners with big data companies such as Cloudera to build predictive models that can also integrate structured and unstructured data.

Some companies that in the past might have outsourced risk assessment now want a way to move the function in house. “We are seeing a trend to at least have a parallel process of acquiring the information that could suggest threats from outside sources,” Scagliarini says, “and to build an internal capability. Cost is also a factor, because with in-house capability, companies may be able to carry out the assessments at less expense than by outsourcing it.”

Expert System has invested years of work in an ontology that is tailored to the oil and gas industry. It has more than 2 million words and concepts, and 8 million relationships among them. The ontology allows Cogito to have broad application to the industry, from exploration to competitive intelligence analysis.

Another risk factor in the energy industry is the supply chain. “Protecting that part of the infrastructure is critical,” Scagliarini says, “because the supply chain is very distributed. The most common use case is anticipating risk in order to protect assets.” Specific examples include supplier risk, employee travel, pricing and site development.

“Monitoring of suppliers is expanding beyond the traditional credit report and police report to be inclusive of many different events,” he says. A similar methodology is used to anticipate events related to risk and fraud because there is a high correlation between the two. “Sometimes there are episodes of people connecting to the infrastructure to use the energy, and then a physical attack is launched,” Scagliarini adds.

Geolocation is part of Cogito’s capability, and customers are using it to create geolocalized information from the local press, blogs and social media to look for anomalies as a trigger for a risk. “Customers are monitoring not only their own geographic area, but also globally,” Scagliarini explains, “because bad actors will often perform copycat attacks.”