
Securing the future of energy transition: Cybersecurity in the Energy sector


Earlier this year, the European Commission released funding for key European energy infrastructure projects - a crucial part of enabling the delivery of energy infrastructure in the transition to a climate-neutral economy.

Now, more than ever, we need to ensure that all essential elements work together and balance functionality, sustainability, and security.

The energy sector has always played a vital role in the functioning of modern economies. Delivering enhanced, sustainable and cheaper energy services requires ever greater connectivity between digital devices, platforms and grids.

The steady growth of technology and industrial development in the energy sector, together with the increasing emphasis on interconnection and digitalisation, has put the energy industry on the front line of cyber attacks. Digitalisation may be the key to optimising the energy sector, but the drive for digital innovation is introducing new risks.

An Accenture report on securing the digital economy found that 79% of responding organisations said they are "adopting new and emerging technologies faster than they can address the related security issues."

In the energy sector, the average cost (per organisation) of cyberattacks rose from $13.2 (2017) to $13.8 (2018) - a 4% increase over this period. While the cost or growth rate may not be as high as in the Banking, Life Sciences or Travel sectors, energy is a critical part of economies and national infrastructure, so the impact of a cyber-attack can have major consequences, and it's important that energy organisations treat a measured cybersecurity strategy as a top priority.

We reached out to Raj Samani, Chief Scientist and Fellow at McAfee, to find out more about the challenges, risks, and scenarios for cybersecurity in the Energy sector.

Question: The energy and utility sector constitutes a crucial part of infrastructure; are there any unique challenges which the sector faces?

Raj Samani: Traditionally, we have observed challenges unique to this sector: not only the requirement for continuous availability, but also the nature of the systems, which demands a set of key skills that are not necessarily readily available in the traditional cybersecurity skills market.

Q: Can you give an example of where the risk might lie?

RS: We have seen some of these played out in real life – and perhaps quite worryingly, not too long ago. For example, the obvious example would be the Natanz nuclear site in Iran, which suffered from a Stuxnet worm infection – as first uncovered in 2010. Ten years later, there have been other examples targeting Operational Technologies (OT); for example, in 2015 we also saw a significant attack against the Ukrainian Power Grid as the political situation escalated. Both examples demonstrate the impact of such risks being realised.

More recently, we have also seen the threat that ransomware poses to critical national infrastructure (CNI). One example is the RagnarLocker attack on the energy sector earlier this year, which demanded a ransom of £11.7 million in exchange for 10Tb of private information. While these attacks focused on IT networks, this year we have witnessed ransomware going after another company's production facilities.

Q: Do these scenarios change in a COVID/post-COVID environment?

RS: The use of offensive cyber attack tactics does not strictly require physical interaction. Of course, where a proper air gap exists, physical media such as USB may be needed as the entry-point vector, but broadly speaking cybercrime is a sector that has not been negatively affected by COVID or the economic situation.

It is worth noting, though, that the foiled Tesla ransomware attack was to be carried out with USB as the initial vector, so this threat certainly still exists.

Q: How should security risks in the energy supply chain be managed?

RS: One approach that can be adopted is to leverage a Digital Bill of Materials (DBOM). This can provide the necessary transparency for organisations involved in CNI, but it can and should be applied more widely to ensure best practice across the board.
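To make the transparency point concrete, here is an added example (not McAfee's or the interviewee's code, and not any standard DBOM format) of reconciling a supplier-declared bill of materials against the component inventory actually observed on a device. The record layout, component names, versions and hashes are all constructed for the example; the logic flags components that are missing, undeclared, or drifted in version or hash, which is what a DBOM lets an operator detect.

```python
"""Reconcile a declared Digital Bill of Materials (DBOM) against an observed inventory.

Added example. The DBOM record layout below is a constructed assumption for
illustration; real DBOM schemas differ, but the reconciliation steps are the same.
"""
import hashlib


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a component image; used here to build constructed fixtures."""
    return hashlib.sha256(data).hexdigest()


# Constructed DBOM as a supplier would declare it for a field device.
DECLARED_DBOM = {
    "rtu-firmware": {"version": "4.2.1", "supplier": "VendorA",
                     "sha256": sha256(b"rtu-firmware-4.2.1")},
    "modbus-lib":   {"version": "1.9.0", "supplier": "VendorB",
                     "sha256": sha256(b"modbus-lib-1.9.0")},
    "tls-lib":      {"version": "3.0.4", "supplier": "VendorC",
                     "sha256": sha256(b"tls-lib-3.0.4")},
}

# Constructed inventory as collected from the running device by an agent or audit.
OBSERVED_INVENTORY = {
    "rtu-firmware": {"version": "4.2.1", "sha256": sha256(b"rtu-firmware-4.2.1")},
    # Same declared version, but the bytes differ: a hot-patch or tampering.
    "modbus-lib":   {"version": "1.9.0", "sha256": sha256(b"modbus-lib-1.9.0-patched")},
    # Older version than declared: the update never reached the device.
    "tls-lib":      {"version": "3.0.1", "sha256": sha256(b"tls-lib-3.0.1")},
    # Present on the device but absent from the DBOM.
    "diag-agent":   {"version": "0.1",   "sha256": sha256(b"diag-agent-0.1")},
}


def reconcile(declared: dict, observed: dict) -> dict:
    """Return {component: finding} for every deviation between DBOM and inventory.

    An empty dict means the device matches its declared bill of materials exactly.
    Version is checked before hash so a report reads 'wrong version' rather than
    'wrong hash' when both differ.
    """
    findings = {}
    for name, spec in declared.items():
        seen = observed.get(name)
        if seen is None:
            findings[name] = "missing"
        elif seen["version"] != spec["version"]:
            findings[name] = "version_mismatch"
        elif seen["sha256"] != spec["sha256"]:
            findings[name] = "hash_mismatch"
    for name in observed:
        if name not in declared:
            findings[name] = "undeclared"
    return findings


def is_compliant(declared: dict, observed: dict) -> bool:
    """True only when nothing deviates from the DBOM."""
    return not reconcile(declared, observed)


if __name__ == "__main__":
    for component, finding in sorted(reconcile(DECLARED_DBOM, OBSERVED_INVENTORY).items()):
        print(f"{component}: {finding}")
```

The hash comparison is the part that a version string alone cannot give you: a component can report the declared version and still not be the declared bytes, and an undeclared component is only visible if there is a declared list to compare against.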

Q: How often should industrial control systems be tested for vulnerabilities?

RS: Continuously, although the 'how' is still certainly very debatable. For example, testing systems for vulnerabilities in a responsible way should be something that is not only encouraged but also rewarded, through avenues such as bug bounty programmes. What is perhaps more challenging is the testing of the interconnectivity between production systems, particularly within environments that demand constant uptime.

Q: What systems and controls should companies have in place to mitigate insider threats?

RS: The routine monitoring of anomalies is imperative. Organisations must ask themselves: 'Are there any behaviours that are outside the normal practice?' This is critical and needs to also apply to attempts to access assets that the insider is not authorised to access.

Q: Do you think there are currently adequate controls in place to detect and respond to breaches?

RS: Within Operational Technology (OT) environments, the use of technologies that are unlikely to result in a potential outage is key. Consider looking at data diodes, for example; they are critical for maintaining segregation between different network segments. Also, technologies that are certified for use by automation vendors, so whitelisting technology too.

All of this requires a particularly good understanding of the production environment so that only known events are authorised (whitelisted), so governance is critical.
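The two answers above (monitoring for behaviour outside normal practice, including attempts to reach assets the insider is not authorised for, and authorising only known events) come down to the same mechanism: an allow-list of known-good behaviour with everything else raised as a finding. The following is an added example, not McAfee's or the interviewee's tooling; the log format, role-to-asset allow-list, and working hours are constructed assumptions standing in for a site's own baseline.

```python
"""Allow-list monitor over constructed OT access-log lines.

Added example. Everything below (log layout, roles, asset classes, working hours)
is an assumption for illustration; a real site derives these from its own
governance records, as the interview stresses.
"""
from collections import Counter
from datetime import datetime

# Assumed allow-list: which role may perform which action on which asset class.
# Anything not listed here is, by definition, outside known practice.
ALLOWED = {
    "operator":   {("read", "hmi"), ("write", "hmi")},
    "engineer":   {("read", "hmi"), ("read", "plc"), ("write", "plc")},
    "contractor": {("read", "historian")},
}

# Assumed normal hours for interactive access at this site (06:00 to 19:59).
WORK_HOURS = range(6, 20)

# Constructed sample log: timestamp user role action asset_class asset_id result
SAMPLE_LOG = """\
2021-03-02T08:15:00 alice operator   read  hmi       HMI-01 ok
2021-03-02T08:16:10 bob   engineer   write plc       PLC-07 ok
2021-03-02T02:40:00 bob   engineer   write plc       PLC-07 ok
2021-03-02T09:01:00 carol contractor read  historian HIST-1 ok
2021-03-02T09:02:30 carol contractor write plc       PLC-03 denied
2021-03-02T09:03:00 carol contractor read  plc       PLC-03 ok
2021-03-02T09:10:00 dave  auditor    read  hmi       HMI-02 ok
"""


def parse(line: str) -> dict:
    """Split one constructed log line into a dict of fields."""
    ts, user, role, action, asset_class, asset_id, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "asset_class": asset_class,
            "asset_id": asset_id, "result": result}


def evaluate(event: dict) -> list:
    """Return finding tags for one event; an empty list means known and normal.

    Unauthorised attempts are flagged regardless of whether the target system
    denied them: a denied attempt is still an insider probing beyond their remit,
    and an allowed one means the target's own authorisation is wrong.
    """
    findings = []
    allowed = ALLOWED.get(event["role"])
    if allowed is None:
        findings.append("unknown_role")
    elif (event["action"], event["asset_class"]) not in allowed:
        findings.append("outside_allow_list")
    if event["ts"].hour not in WORK_HOURS:
        findings.append("off_hours")
    return findings


def monitor(log_text: str) -> list:
    """Run every line through evaluate(); return (user, asset_id, tags) per finding."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        tags = evaluate(event)
        if tags:
            results.append((event["user"], event["asset_id"], tags))
    return results


def repeat_offenders(findings: list, threshold: int = 2) -> set:
    """Users with at least `threshold` out-of-allow-list events, for escalation."""
    counts = Counter(user for user, _, tags in findings if "outside_allow_list" in tags)
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = monitor(SAMPLE_LOG)
    for user, asset, tags in found:
        print(f"{user} -> {asset}: {', '.join(tags)}")
    print("escalate:", repeat_offenders(found))
```

Note what the sample surfaces: the contractor's denied write is reported even though the PLC refused it, and the contractor's successful read of the same PLC is reported precisely because the PLC allowed something the governance allow-list does not, which is the gap the interview says whitelisting is meant to close.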

Q: How should customers' personal data be protected?

RS: With reasonable measures! I realise that this is a legal term, but it is critical. Any organisation has to challenge itself as to whether the measures it has implemented meet this very subjective terminology.
