In early 2021, Americans living on the East Coast got a sharp lesson on the growing importance of cybersecurity in the energy industry. A ransomware attack hit the company that operates the Colonial Pipeline—the major infrastructure artery that carries almost half of all liquid fuels from the Gulf Coast to the eastern United States. Knowing that at least some of their computer systems had been compromised, and unable to be certain about the extent of their problems, the company was forced to resort to a brute-force solution: shut down the whole pipeline.
The interruption of fuel delivery had huge consequences. Fuel prices immediately spiked. The President of the United States got involved, trying to assure panicked consumers and businesses that fuel would become available soon. Five days and untold millions of dollars in economic damage later, the company paid a $4.4 million ransom and restored its operations.
It would be a mistake to see this incident as the story of a single pipeline. Across the energy sector, more and more of the physical equipment that makes and moves fuel and electricity across the country and around the world relies on digitally controlled, networked equipment. Systems designed and engineered for analogue operations have been retrofitted. The new wave of low-emissions technologies—from solar to wind to combined-cycle turbines—is inherently digital, using automated controls to squeeze every efficiency from their respective energy sources.
Meanwhile, the covid-19 crisis has accelerated a separate trend toward remote operation and ever more sophisticated automation. A huge number of workers have moved from reading dials at a plant to reading screens from their couch. Powerful tools that change how power is made and routed can now be used by anyone who knows how to log in.
These changes are great news—the world gets more energy, lower emissions, and lower prices. But these changes also highlight the kinds of vulnerabilities that brought the Colonial Pipeline to an abrupt halt. The same tools that make legitimate energy-sector workers more powerful become dangerous when hijacked by hackers. For example, hard-to-replace equipment can be given commands to shake itself to bits, putting chunks of a national grid out of commission for months at a stretch.
For many nation-states, the ability to push a button and sow chaos in a rival state’s economy is highly desirable. And the more energy infrastructure becomes hyperconnected and digitally managed, the more targets offer exactly that opportunity. It’s not surprising, then, that an increasing share of cyberattacks seen in the energy sector have shifted from targeting information technologies (IT) to targeting operating technologies (OT)—the equipment that directly controls physical plant operations.
To stay on top of the challenge, chief information security officers (CISOs) and their security operations centers (SOCs) will have to update their approaches. Defending operating technologies calls for different strategies—and a distinct knowledge base—than defending information technologies. For starters, defenders need to understand the operating status and tolerances of their assets—a command to push steam through a turbine works well when the turbine is warm, but can break it when the turbine is cold. Identical commands could be legitimate or malicious, depending on context.
Even collecting the contextual data needed for threat monitoring and detection is a logistical and technical nightmare. Typical energy systems are composed of equipment from several manufacturers, installed and retrofitted over decades. Only the most modern layers were built with cybersecurity as a design constraint, and almost none of the machine languages used were ever meant to be compatible.
For most companies, the current state of cybersecurity maturity leaves much to be desired. Near-omniscient views into IT systems are paired with big OT blind spots. Data lakes swell with carefully collected outputs that can’t be combined into a coherent, comprehensive picture of operational status. Analysts burn out under alert fatigue while trying to manually sort benign alerts from consequential events. Many companies can’t even produce a comprehensive list of all the digital assets legitimately connected to their networks.
In other words, the ongoing energy revolution is a dream for efficiency—and a nightmare for security.
Securing the energy revolution calls for new solutions equally capable of identifying and acting on threats from both physical and digital worlds. Security operations centers will need to bring together IT and OT information flows, creating a unified threat stream. Given the scale of data flows, automation will need to play a role in applying operational knowledge to alert generation—is this command consistent with business as usual, or does context show it’s suspicious? Analysts will need broad, deep access to contextual information. And defenses will need to grow and adapt as threats evolve and businesses add or retire assets.
This month, Siemens Energy unveiled a monitoring and detection platform aimed at resolving the core technical and capability challenges for CISOs tasked with defending critical infrastructure. Siemens Energy engineers have done the legwork needed to automate a unified threat stream, allowing their offering, Eos.ii, to serve as a fusion SOC that’s capable of unleashing the power of artificial intelligence on the challenge of monitoring energy infrastructure.
AI-based solutions answer the dual need for adaptability and persistent vigilance. Machine learning algorithms trawling huge volumes of operational data can learn the expected relationships between variables, recognizing patterns invisible to human eyes and highlighting anomalies for human investigation. Because machine learning can be trained on real-world data, it can learn the unique characteristics of each production site, and can be iteratively trained to distinguish benign and consequential anomalies. Analysts can then tune alerts to watch for specific threats or ignore known sources of noise.
Extending monitoring and detection into the OT space makes it harder for attackers to hide—even when unique, zero-day attacks are deployed. In addition to examining traditional signals like signature-based detection or network traffic spikes, analysts can now observe the effects that new inputs have on real-world equipment. Cleverly disguised malware would still raise red flags by creating operational anomalies. In practice, analysts using the AI-based systems have found that their Eos.ii detection engine was sensitive enough to predictively identify maintenance needs—for example, when a bearing begins to wear out and the ratio of steam in to power out begins to drift.
Done right, monitoring and detection that spans both IT and OT should leave intruders exposed. Analysts investigating alerts can trace user histories to determine the source of anomalies, and then roll forward to see what else was changed in a similar timeframe or by the same user. For energy companies, increased precision translates to dramatically reduced risk: if they can determine the scope of an intrusion, and identify which specific systems were compromised, they gain options for surgical responses that fix the problem with minimal collateral damage—say, shutting down a single branch office and two pumping stations instead of a whole pipeline.
As energy systems continue their trend toward hyperconnectivity and pervasive digital controls, one thing is clear: a given company’s ability to provide reliable service will depend more and more on their ability to create and sustain strong, precise cyber defenses. AI-based monitoring and detection offers a promising start.
This content was produced by Siemens Energy. It was not written by MIT Technology Review’s editorial staff.
Investing in women pays off
“Starting a business is a privilege,” says Burton O’Toole, who worked at various startups before launching and later selling AdMass, her own marketing technology company. The company gave her access to the HearstLab program in 2016, but she soon discovered that she preferred the investment aspect and became a vice president at HearstLab a year later. “To empower some of the smartest women to do what they love is great,” she says. But in addition to rooting for women, Burton O’Toole loves the work because it’s a great market opportunity.
“Research shows female-led teams see two and a half times higher returns compared to male-led teams,” she says, adding that women and people of color tend to build more diverse teams and therefore benefit from varied viewpoints and perspectives. She also explains that companies with women on their founding teams are likely to get acquired or go public sooner. “Despite results like this, just 2.3% of venture capital funding goes to teams founded by women. It’s still amazing to me that more investors aren’t taking this data more seriously,” she says.
Burton O’Toole—who earned a BS from Duke in 2007 before getting an MS and PhD from MIT, all in mechanical engineering—has been a “data nerd” since she can remember. In high school she wanted to become an actuary. “Ten years ago, I never could have imagined this work; I like the idea of doing something in 10 more years I couldn’t imagine now,” she says.
When starting a business, Burton O’Toole says, “women tend to want all their ducks in a row before they act. They say, ‘I’ll do it when I get this promotion, have enough money, finish this project.’ But there’s only one good way. Make the jump.”
Preparing for disasters, before it’s too late
All too often, the work of developing global disaster and climate resiliency happens when disaster—such as a hurricane, earthquake, or tsunami—has already ravaged entire cities and torn communities apart. But Elizabeth Petheo, MBA ’14, says that recently her work has been focused on preparedness.
It’s hard to get attention for preparedness efforts, explains Petheo, a principal at Miyamoto International, an engineering and disaster risk reduction consulting firm. “You can always get a lot of attention when there’s a disaster event, but at that point it’s too late,” she adds.
Petheo leads the firm’s projects and partnerships in the Asia-Pacific region and advises globally on international development and humanitarian assistance. She also works on preparedness in the Asia-Pacific region with the United States Agency for International Development.
“We’re doing programming on the engagement of the private sector in disaster risk management in Indonesia, which is a very disaster-prone country,” she says. “Smaller and medium-sized businesses are important contributors to job creation and economic development. When they go down, the impact on lives, livelihoods, and the community’s ability to respond and recover effectively is extreme. We work to strengthen their own understanding of their risk and that of their surrounding community, lead them through an action-planning process to build resilience, and link that with larger policy initiatives at the national level.”
Petheo came to MIT with international leadership experience, having managed high-profile global development and risk mitigation initiatives at the World Bank in Washington, DC, as well as with US government agencies and international organizations leading major global humanitarian responses and teams in Sri Lanka and Haiti. But she says her time at Sloan helped her become prepared for this next phase in her career. “Sloan was the experience that put all the pieces together,” she says.
Petheo has maintained strong connections with MIT. In 2018, she received the Margaret L.A. MacVicar ’65, ScD ’67, Award in recognition of her role starting and leading the MIT Sloan Club in Washington, DC, and her work as an inaugural member of the Graduate Alumni Council (GAC). She is also a member of the Friends of the MIT Priscilla King Gray Public Service Center.
“I believe deeply in the power and impact of the Institute’s work and people,” she says. “The moment I graduated, my thought process was, ‘How can I give back, and how can I continue to strengthen the experience of those who will come after me?’”
The Download: a curb on climate action, and post-Roe period tracking
Why’s it so controversial?: Geoengineering was long a taboo topic among scientists, and some argue it should remain one. There are questions about its potential environmental side effects, and concerns that the impacts will be felt unevenly across the globe. Some feel it’s too dangerous to ever try or even to investigate, arguing that just talking about the possibility could weaken the need to address the underlying causes of climate change.
But it’s going ahead?: Despite the concerns, as the threat of climate change grows and major nations fail to make rapid progress on emissions, growing numbers of experts are seriously exploring the potential effects of these approaches. Read the full story.
I’ve combed the internet to find you today’s most fun/important/scary/fascinating stories about technology.
1 The belief that AI is alive refuses to die
People want to believe the models are sentient, even when their creators deny it. (Reuters)
+ It’s unsurprising wild religious beliefs find a home in Silicon Valley. (Vox)
+ AI systems are being trained twice as quickly as they were just last year. (Spectrum IEEE)
2 The FBI added the missing cryptoqueen to its most-wanted list
It’s offering a $100,000 reward for information leading to Ruja Ignatova, whose crypto scheme defrauded victims out of more than $4 billion. (BBC)
+ A new documentary on the crypto Ponzi scheme is in the works. (Variety)
3 Social media platforms turn a blind eye to dodgy telehealth ads
Which has played a part in the prescription drugs abuse boom. (Protocol)
+ The doctor will Zoom you now. (MIT Technology Review)
4 We’re addicted to China’s lithium batteries
Which isn’t great news for other countries building electric cars. (Wired $)
+ This battery uses a new anode that lasts 20 times longer than lithium. (Spectrum IEEE)
+ Quantum batteries could, in theory, allow us to drive a million miles between charges. (The Next Web)
5 Far-right extremists are communicating over radio to avoid detection
Making it harder to monitor them and their violent activities. (Slate $)
+ Many of the rioters who stormed the Capitol were carrying radio equipment. (The Guardian)
6 Bro culture has no place in space 🚀
So says NASA’s former deputy administrator, who’s sick and tired of misogyny in the sector. (CNN)
7 A US crypto exchange is gaining traction in Venezuela
It’s helping its growing community battle hyperinflation, but isn’t as decentralized as they believe it to be. (Rest of World)
+ The vast majority of NFT players won’t be around in a decade. (Vox)
+ Exchange Coinbase is working with ICE to track and identify crypto users. (The Intercept)
+ If RadioShack’s edgy tweets shock you, don’t forget it’s a crypto firm now. (NY Mag)
8 It’s time we learned to love our swamps
Draining them prevents them from absorbing CO2 and filtering out our waste. (New Yorker $)
+ The architect making friends with flooding. (MIT Technology Review)
9 Robots love drawing too 🖍️
Though I’ll bet they don’t get as frustrated as we do when they mess up. (Input)
10 The risky world of teenage brains
Making potentially dangerous decisions is an important part of adolescence, and our brains reflect that. (Knowable Magazine)
Quote of the day
“They shamelessly celebrate an all-inclusive pool party while we can’t even pay our rent!”