Catalyst with Shayle Kann - How cyber attacks could threaten the energy transition [partner content]
Episode Date: December 10, 2024
Security experts often say there are two kinds of companies. “There are those companies that have been hacked, and those that don't know that they are being hacked – especially when we look at the... energy industry,” says Bilal Khursheed, executive director of Microsoft's global power & utilities business. Khursheed works with companies to deploy digital technologies to speed up the clean energy transition. And he also focuses heavily on a threat that could derail the transition – cyber attacks. There are two reasons for this. One is the rise of internet-connected devices. There are now 15 billion IoT devices connected around the world, with a huge number of them on power grids. The other reason is sophistication. More attacks are now coming from organized groups, many of them with political motivations. “These aren't just your random hackers. These are highly sophisticated James Bond villain types that are targeting our energy systems,” explains Khursheed. In this episode, produced in partnership with Microsoft, Bilal Khursheed talks with Stephen Lacey about the evolution of cybersecurity threats in energy. They discuss how the threats are changing, their consequences for critical infrastructure, and how solutions are improving in the age of AI. This episode was produced in partnership with Microsoft. After listening to the podcast, you can read about how to navigate NERC CIP compliance in the cloud, learn how energy firms around the world partner with Microsoft on security, and dig into the 2024 Microsoft Digital Defense Report.
Transcript
This is a branded podcast from Latitude Studios.
Security experts often say there are two kinds of companies.
There are those companies that have been hacked,
and then there are those that don't know that they are being hacked.
And especially when we look at the energy industry.
Just last year in 2023 alone,
about 25% of all cyber incidents targeted critical infrastructure,
and the energy sector was among the top three.
Bilal Khursheed is the executive director of Microsoft's global power and utilities business.
He works with companies to deploy digital technologies to speed up the clean energy transition.
And he also focuses heavily on a threat that could derail the transition, cyber attacks.
To put it plainly, where does it fit into the overall scope of my role?
I would say cybersecurity is my role.
It's woven into every decision, every strategy, every solution that we deliver to protect and power our future.
Attacks on energy companies are increasing.
There are two reasons for this.
One is the rise of internet-connected devices.
There are now 15 billion IoT devices connected around the world.
A huge number of them on power grids.
This number is expected to exceed 30 billion within the next six years by 2030.
And every new connection in the grid creates a new vulnerability.
As utilities undergo more and more digital transformation,
you know, integrating smart grids and IoT devices, line sensors,
assets and substations that are connected to networks.
In essence, through this, we're adding more digital doors or digital windows, so to speak.
And the other reason is sophistication.
More attacks are now coming from organized groups.
Many of them with political motivations.
A lot of them, in some cases, are state-sponsored.
In the last year, we've seen a 40% spike in nation-state attacks on critical infrastructure.
These aren't just your random hackers eating a bag of Cool Ranch Doritos and sipping on Diet Coke in your mom's basement.
I mean, these are highly sophisticated James Bond villain types that are targeting our energy systems.
Utilities are digitalizing their operations quickly to better manage the grid.
But the convergence of information technology with operational technology also brings new risks.
In this episode, produced in partnership with Microsoft,
Bilal Khursheed talks with Stephen Lacey about the evolution of cybersecurity threats.
They discuss how the threats are changing, their consequences for critical infrastructure,
and how solutions are improving in the age of AI.
It is a reality that the industry grapples with daily.
While we talk about smart meters and smart grids and smart appliances,
we also have to talk about smart security as well.
What are the different types of attacks that you're seeing
and what are the motivations of the attackers
if we are seeing more from state-sponsored groups?
Yeah, it's a great question.
I mean, these threats are becoming more and more complex day by day.
They've gone beyond the days of just simple malware or ransomware.
Today, the attacks are highly targeted.
They're organized and can be devastatingly precise as well.
So if we look at kind of the types of attacks that we're seeing,
I think first, you know, there's the ransomware attacks, you know,
where hackers will lock up critical systems and demand a ransom to release them.
You've seen a lot of this over the last few years with the Colonial Pipeline attack
that caused significant panic buying and fuel shortages,
but it's one that is happening on a regular basis.
And just imagine if that type of attack targeted a city's power grid.
It's to me a very chilling thought,
but a reality that we're preparing for.
Then there's the phishing or social engineering attacks,
which sound a bit less technical,
but are often the entry point for much larger breaches.
And if you look at humans in the link when it comes to this,
it's often reported that humans are the weakest link in the security chain.
And gaining access through phishing or disrupting some level of an internal network or critical system.
We've seen cases of this as well.
And the last element that I bring up is what we call APTs, which are advanced persistent threats,
which are some of the most dangerous, in my opinion.
These are the long-term stealthy attacks.
They're often state-sponsored where a hacker might gain access to critical infrastructure system and just lie in and wait.
You know, sometimes for months, even years, gathering intelligence or planting mechanisms that will disrupt services down the line.
And our own research here at Microsoft shows that we've seen a 40% increase in state-sponsored attacks on critical infrastructure.
And the energy sector is high on that list.
And what about the motivations piece?
Yeah, I mean, they range widely.
Financial gain is a big one, especially with ransomware.
But then there's also politically motivated attacks as well.
You know, state-sponsored groups will often look to destabilize another nation
or gain strategic advantage by targeting parts of their critical infrastructure.
Then you have the hacktivist angle where certain groups or certain ideological motives
aim to disrupt or make a statement by attacking an energy company that may not align with
their social values.
So, I mean, in short, we're seeing definitely more targeted, more sophisticated, more persistent,
a very wide array of motivations.
But ultimately, the end goal for us as an industry is resilience, right?
So ensuring that as these threats grow and change, that we stay a step ahead and protect
the backbone of our modern infrastructure.
You talked about the expansion of IoT devices.
We've got now tens of millions of sensors, inverters, smart meters, EV chargers, lots of IoT devices
in homes.
How is that changing the cybersecurity outlook and are there any particular vulnerabilities
within that really large class of technologies?
Yeah, Stephen, absolutely right.
There's tens of millions, hundreds of millions of these sensors, inverters, EV chargers, IoT devices, line sensors.
And each device, no matter how small, represents an opportunity and a risk.
And on one hand, these devices enable smarter, real-time decision-making, and greater grid flexibility.
But on the other hand, they expand the attack surface exponentially and create a web of entry points for potential threats.
And I'll give you a personal example.
A couple years ago, I installed a smart thermostat at home.
I'm sure you might even have one in your home.
And it's been great.
I could control the temperature from my phone.
It helped me save energy.
But then I got curious about how secure it really was.
And after doing a bit of research,
I found out that many of our smart home devices,
including thermostats, have very basic vulnerabilities that, in essence,
could be exploited by hackers.
That hit me.
If a single thermostat could be a target, imagine what happens when you multiply that by tens of millions of devices across a power grid.
And instead of my home, we're talking about critical infrastructure that supports the entire city.
So this means that we can't approach cybersecurity the same way anymore.
We have to move away from traditional perimeter defenses to adopt a zero trust mindset, assuming every device is a potential risk.
And, you know, tools like Microsoft Defender for IoT are critical here in providing that level of visibility and protection that's needed to really secure this rapidly expanding IoT ecosystem.
You mentioned an example, the Colonial Pipeline attack, that was a ransomware attack.
You know, crippled infrastructure, it cut off supplies of gasoline and jet fuel to the southeastern U.S.
What did we learn from that attack in particular?
That was a massive wake-up call for everyone, for everyone not just within the oil industry
and fuel industry, but every industry.
A ransomware attack on a single company ended up disrupting fuel supplies across the U.S. and the
globe.
It caused panic buying, price spikes, significant operational disruptions.
And I think what it taught us was how interconnected
and vulnerable our critical infrastructure really is.
An attack on one part of the system doesn't stay contained.
It ripples across industries and communities.
And the risks are more systemic than ever before.
So one of the key takeaways for me was the importance of visibility and monitoring.
Colonial Pipeline's inability to isolate and recover quickly showed us that many organizations
lack the right tools and processes
to really handle these sophisticated cyber threats.
And even smaller incidents,
like in 2020, there was the attack on the Oldsmar
Florida water treatment plant.
It showed how a single compromised device
or access point
can potentially lead to catastrophic outcomes.
In that case, attackers tried to manipulate
the chemical levels and the water supply.
It was the quick action of,
of a single operator that prevented a disaster.
So, I mean, I think this reinforces a very critical truth
that no system is too small or too isolated to be targeted.
The interconnected nature of our infrastructure
means that even minor vulnerabilities can lead to very major disruptions.
How are regulations evolving right now?
Are they keeping up with these threats?
And what are the most important standards for risk analysis
and security controls in the power sector specifically?
Anytime regulation comes up, I either get a little woozy or I need a sip of my drink.
As we all do.
Yes, yeah.
I mean, regulations are certainly trying to keep up with these evolving threats, as we all know.
But the other thing is technology moves very fast, and sometimes legislation and regulation can
move slow.
So in the power sector, standards like NERC CIP, which is
the North American Electric Reliability Corporation's Critical Infrastructure Protection standards,
or IEC 62443.
These are essential frameworks for managing cybersecurity risks.
These standards really set the guidelines for everything from risk analysis to access controls to incident response,
and end up really forming the backbone of security compliance in the industry.
There's other bodies as well like NIST too and some other ISO standards,
but primarily speaking, it's those elements.
You know, it's achieving that full compliance is often easier said than done as well.
My father, who also spent his career in the utility business,
he always says that it's one thing to set a rule,
and it's another thing to make it work in real life.
I think that's what we're seeing to some extent in the utility space.
You know, many companies are facing hurdles in meeting
some of the compliance requirements
because of outdated infrastructure
or resource constraints
or the lack of trained personnel
to implement some of these standards effectively.
And then there's elements of noncompliance as well.
Typically, that stems from a few issues.
Many utilities are dealing with legacy systems
that weren't designed with modern cybersecurity in mind.
So to follow a standard that was built
10, 15 years ago,
where cloud technologies were not being leveraged
and trying to shoehorn that into an environment that exists today
is a big challenge.
And this is an industry that handles risk very carefully
and very surgically, I would say.
And that could often mean a misinterpretation of some standards
or over classification of certain components
within their ecosystem to be at a higher level of compliance
than it needs to be.
So, I mean, there's many different reasons here in terms of some of the challenges that exist,
but ultimately, I think with legacy systems, some legacy standards, you know, the need for more training,
more security tools, ongoing monitoring, this creates a very difficult environment around compliance.
I have worked for both large and small organizations, and within the large organizations,
I've done some of the security training, and I've watched people around me skip through it
and try to get through it as fast as possible.
And so what you're saying is there are probably also human vulnerabilities too.
Maybe don't skip that training.
Absolutely.
I mean, it's so important.
It really is one of the most important things that the entire workforce needs to be very fluent in.
These cybersecurity risks exist across the entire ecosystem.
You know, the number one focus for these hackers is to blend in, to be camouflaged, to avoid being identified before they get entry into systems.
So that entry needs to be gated by every single person. Yes, we need security controls, we need tools, we need processes, but every individual who serves within the energy value chain, within that enterprise, needs to be a security champion.
Okay, so we've sufficiently made people a little nervous, which I think is appropriate for the scale of the threat here.
But let's turn our attention to solutions now.
Where are some areas where technology is actually staying ahead of the threat or keeping pace with it?
When I look at Microsoft specifically, I continually get impressed with how much we are doing to drive cybersecurity forward and the investments that we are putting in to build those new capabilities.
Our investment over the next five years of $20 billion has led to the development of some of the most advanced cybersecurity tools that exist in the world.
Things like Microsoft Security Copilot, for example.
This AI-powered cybersecurity assistant enhances threat detection,
can analyze vast amounts of data to identify anomalies and potential threats
in real time, something that a human would not be able to do.
And then you can also look at how our Security Copilot
and Microsoft Sentinel, for example,
proactively detect and mitigate risks before they escalate.
And then you have Microsoft Defender for Cloud,
which provides that end-to-end protection and encryption and continuous monitoring.
So, I mean, there's so many components to it that need to be taken into consideration.
Some of these cutting-edge tools that have been developed and deployed are serving as that primary defense mechanism.
The other element is, you know, some of these edge processes that are occurring much more closer to the source.
You have to look at leveraging some level of security controls to,
address or minimize those potential attack vectors.
So that decentralized approach that IoT or Azure IoT Edge brings is able to respond to those
threats very effectively.
And what about companies that are adopting these technologies, these approaches to stay ahead
of the threat?
Do you have any particularly good customers or partners that offer a good case study?
Well, Stephen, I could tell you, but then I'd probably have to kill you.
We don't want everyone to know who's using what, but,
No, I'm just kidding.
Yes.
But in all seriousness, I think one standout example for me is Uniper.
You know, Uniper is a leading international energy company based out of Germany.
They operate, I think, 22 or 23 gigawatts of power generation capacity across Europe.
So they're one of the world's largest power producers.
Very diversified portfolio,
significant number of market transactions.
And they've embraced a very bold cybersecurity strategy,
one that I feel is cutting edge and kind of industry leading,
leveraging generative AI components,
leveraging Copilot for Microsoft 365 across their entire workforce,
which is a significant milestone in their digital transformation journey.
But also by integrating Copilot, they've been able
to really empower their employees to work smarter
and be more connected, and drive collaboration and productivity to new levels.
And that strategic move not only streamlined operations,
but it also fortified their cybersecurity posture.
So it enables them to stay ahead of some of those evolving threats.
So I think that proactive type of an approach that Uniper really exemplifies
leveraging those cutting-edge technologies
that can drive innovation,
drive higher degrees of resilience,
has real tangible impact.
And what about over the long-term,
if you think about some of the technologies
that you outlined,
how are they shaping the long-term picture
for cybersecurity,
particularly in AI?
Well, when we talk about the future of cybersecurity,
you know, I can,
I often think about sci-fi references,
I don't know if you remember the movie Minority Report with Tom Cruise.
I think it was sometime in the early 2000s,
but it was a great movie.
A movie that was very futuristic about a specialized crime unit
within a police force that used advanced technologies and psychics
to predict crimes before they happen.
And I feel like that's kind of what we're building now at Microsoft
to take these concepts further
with AI and predictive analytics
advancing to a point
that seemed purely fictional
just a few decades ago,
but it's a major trend moving forward
and that we're focusing in on
at Microsoft is predictive threat intelligence.
So I imagine being able to see
the digital fingerprints
of a potential attack
as it's forming.
And our investments in AI,
specifically Security Copilot,
I mean, this is what allows security teams to analyze huge amounts of global threat data
in real time, spotting those patterns, those vulnerabilities that humans alone would just simply miss.
Another trend that's on the rise is quantum computing and its implications for cybersecurity.
And our Microsoft research team is actively exploring how quantum technologies could both enhance
encryption and create new challenges as well. So in a few years,
quantum encryption could be the standard for protecting data,
taking security beyond anything our current systems could really handle.
And lastly, what we're seeing is a future where cybersecurity becomes fully decentralized.
With the expansion of IoT and edge computing, Microsoft's vision is a world where every connected device has its own layer of protection,
you know, kind of creating this sort of self-defending network.
So really think of it as every device being its own security guard to an extent,
you know, able to detect and respond to threats independently,
even if it's part of a much larger grid.
So, I mean, sounds a little sci-fi in many ways,
but these are very real technologies that are shaping the future of cybersecurity.
And we're starting to see the momentum of that transformation
happen as we think about how we handle and respond to threats on a global scale.
Your role is to anticipate bad things before they happen. What makes you feel good? If you look at
the evolution of process and culture and technology, what makes you feel good about where we're headed?
There's many things. It's not all doom and gloom, but there are many things that do make me feel
confident and safe moving forward.
One, we talked about a lot of the solutions around more sophisticated AI threat detection
tools, some of the incredible security stack that Microsoft brings to market as well,
the investments that we're seeing in R&D.
But I think ultimately what gives me the most level of confidence is I think that we have
an alignment that exists across industry, that in many cases can be very difficult to
try to find in a different circumstance.
Everybody across the industry, whether you're a CEO, COO, CIO, and other stakeholders like
regulatory agencies, research labs, academia, every party, every stakeholder across the energy
ecosystem is aligned in on this, that this is a significant risk, that we need to handle this
risk in a different way moving forward.
And I think what we're seeing more and more going forward is a very sincere willingness
to rethink how we approach cybersecurity and to ensure that we work collectively as a team
because it's going to require a broad set of partners and stakeholders to achieve some of these
outcomes.
And there's that commitment across the board to move together and leverage the best of what
organizations have to bring and build a more secure, resilient future,
leveraging the most sophisticated cybersecurity measures possible.
Well, Bilal, thank you so much.
This was a really helpful look at cybersecurity threats and opportunities in the energy space.
Really appreciate it.
Thank you for having me on, and thank you for letting me geek out a bit on cybersecurity.
I hope we've inspired some of our listeners to at least change their passwords.
And if they do that, I'll call this podcast a win.
Bilal Khursheed is the executive director of Microsoft's global power and utilities business.
This episode was produced in partnership with Microsoft.
To learn more about how Microsoft is working with utilities and other energy companies
to create a safe, secure energy transition, go to microsoft.com/industry/energy.
