The numbers are telling. The average remediation cost from a ransomware attack in 2021 jumped to nearly $1.85 million per incident, more than double the average of $760,000 reported in 2020. This means that the average cost of recovering from a ransomware attack is now 10 times the size of the ransom payment.

These figures are especially notable for the utility, oil and gas industry. About 43% of these companies are agreeing to demands for ransom payments, mainly because these sectors have a great deal of legacy operational technology (OT) that can’t be updated or replaced easily. Victimized companies often feel compelled to pay the ransom rather than risk disruption to vital services.

Mitigating Risks

Compliance with recent security directives from the federal Transportation Security Administration (TSA) is only the first step in what is sure to be a continuing journey. Long-term strategies will be necessary to keep up with a quickly evolving threat landscape.

For operations-minded companies like distribution utilities, the number one priority is safe, reliable and efficient energy delivery services. Cybersecurity becomes an added layer of complexity in which compliance often involves a culture change, along with deploying new technology and new operational approaches. These organizations may not be well-equipped to respond with holistic strategies because the majority of them will require short-, medium- and long-term solutions, not just the immediate response to a cybersecurity breach or incident.

Utilities are among the most critical of critical infrastructure. Coming into regulatory compliance and being more cyber resilient against future attacks merits consideration of this four-step approach:

  1. Launch a critical asset analysis, vulnerability assessment and asset inventory.
  2. Develop system architecture and design for cybersecurity.
  3. Develop a mitigation plan.
  4. Fine-tune process management.

Step 1: Going Beyond Regulatory Compliance

The two TSA Security Directives 1 & 2 (May 2021 and July 2021), along with the recent Department of Energy announcements of a 100-day plan (April 2021), Biden executive order (May 2021) and the national security memorandum (July 2021), require the energy sector to enhance its cybersecurity posture through several measures. A major step in meeting the TSA directives is taking an accurate inventory of all cyber assets, then conducting criticality assessments to determine which, if any, assets meet the TSA’s definition of criticality. Following this, vulnerability assessments are required so that gaps that might be exploited by attackers are identified. This is the most critical of the steps because the industry struggles to maintain an accurate asset inventory of OT equipment, including many of the field assets. A top challenge for the energy industry today is disparate OT asset inventories.

Step 2: System Architecture and Design

As part of a vulnerability assessment, it will be necessary to gain an accurate understanding of the system architecture, its interconnections and the relative levels of network security that it provides. This step is clearly a part of a robust threat management process, keeping in mind that the threat landscape is constantly changing. Utilities will want to be sure that their tools can alert them to any type of suspicious activity and give them the ability to detect and respond quickly, so they are not caught flat-footed. There must be an ongoing threat assessment that is part of both an offensive and a defensive posture. These must work in tandem.

A system design principle that creates different zones with progressively higher security levels is an approach that should be integrated into the OT network architecture. Each zone is set off by intelligent security devices that force communications to pass through screening protocols so that devices and communication protocols in a compromised zone do not in turn compromise devices or systems in other zones.

Typically, for example, intrusion detection/prevention systems are configured to allow or disallow specific traffic patterns. These systems actively scan the network traffic that is authorized on those systems for malicious activity and known attack patterns. Such access control devices, along with whitelisting systems, can baseline the normal operating state of the systems and network, and only those approved baselines are permitted companywide.
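The zoned architecture and baseline-driven screening described above, as an added example that is not part of the original article: zone names, security levels, device addresses, ports and the sample flows are all constructed assumptions for illustration. It flags traffic from devices missing from the asset inventory, conduits that were never baselined, and flows that skip an intermediate screening zone.

```python
"""Zone-and-conduit policy check over constructed sample flows (added example)."""
from dataclasses import dataclass

# Hypothetical zones with progressively higher security levels (higher = more protected).
ZONE_LEVEL = {"enterprise_it": 1, "dmz": 2, "control": 3, "field": 4}

# Constructed asset inventory: device address -> zone. Anything absent is an unknown device.
INVENTORY = {
    "10.1.0.5": "enterprise_it",   # corporate workstation
    "10.2.0.10": "dmz",            # historian replica / jump host
    "10.3.0.20": "control",        # SCADA server
    "10.4.0.30": "field",          # remote terminal unit
}

# Baselined conduits: (src_zone, dst_zone, dst_port) that pass through a screening device.
ALLOWED_CONDUITS = {
    ("enterprise_it", "dmz", 443),
    ("dmz", "control", 502),
    ("control", "field", 502),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int

def evaluate(flow: Flow) -> str:
    """Return 'allow' or a short reason explaining why the flow falls outside the baseline."""
    src_zone = INVENTORY.get(flow.src)
    dst_zone = INVENTORY.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-device"            # not in the asset inventory (Step 1 gap)
    if src_zone == dst_zone:
        return "allow"                     # intra-zone traffic crosses no boundary
    if (src_zone, dst_zone, flow.dst_port) in ALLOWED_CONDUITS:
        return "allow"
    if ZONE_LEVEL[dst_zone] - ZONE_LEVEL[src_zone] > 1:
        return "zone-skip"                 # bypasses an intermediate screening zone
    return "unbaselined-conduit"           # boundary crossing never approved companywide

def triage(flows):
    """Group flows by verdict so defenders see exactly what deviated from the baseline."""
    result = {}
    for f in flows:
        result.setdefault(evaluate(f), []).append(f)
    return result

# Constructed sample flows, including an unauthorized device plugged into the network.
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.2.0.10", 443),      # approved IT -> DMZ conduit
    Flow("10.1.0.5", "10.3.0.20", 502),      # IT reaching straight into control
    Flow("10.2.0.10", "10.3.0.20", 22),      # DMZ -> control on a port never baselined
    Flow("192.168.77.9", "10.3.0.20", 502),  # device not in the inventory
]
```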

Step 3: Risk Mitigation

Risk mitigation strategies will have an economic as well as an operational impact. A layered approach aimed at creating separation between OT and information technology (IT) networks is recommended as a best practice.

There are no clean lines of separation between any of these four steps. Risk mitigation strategies are closely related to detection posture, which is a function of system architecture and design. For example, an alert may come in that a particular system is being attacked from an external source. Conversely, some suspicious activity or traffic may be detected, perhaps because someone brought in an unauthorized device and connected it to the network. That unauthorized device may have carried malware that is now starting to proliferate. Mid-incident is not a good time to begin deliberating over options. A clear course of action needs to be ready for immediate implementation.

Step 4: Process Management

Robust cybersecurity involves three elements: people, technology and process. All of these elements must be effectively managed. If an insider threat exists, scenarios should be developed to recognize it, so you know exactly what that insider threat looks like. How do you profile those threats?

Perhaps you have software, artificial intelligence or other technology being deployed to the field that enables data collection. That connectivity must be managed, particularly if some of the devices have connectivity to public wireless networks. It is fairly common for original equipment manufacturers (OEMs) to push out firmware or other types of software patches to respond to potential security threats. In these instances, the OEMs have demonstrated they can address issues quickly, or at least address them in the interim so that compromise levels are reduced.

Lost Time Is Part of Your Risk

Whether developing cybersecurity strategies for the short, medium or long term, the time to start is now. The elapsed time between the start of the process, when risks are identified, and later stages, when mitigation measures are put in place, is a risk in and of itself. With the quickly evolving state of cybercriminal activity, risk of being compromised goes up as the time gap in preparation widens.


Jerome Farquharson is managing director of the governance, risk, cybersecurity and compliance group at Burns & McDonnell. With a multidisciplined 25-year background in physical and cybersecurity, information systems and business advisory consulting, Jerome has worked on projects ranging from compliance, network design and implementation to risk assessment, program management and strategic planning.