Based on our survey of over 900 ICS security leaders in the United States, Germany, and Japan, we dig deeper into each industry's challenges and present Trend Micro's recommendations.
Trend Micro conducted a study on the state of industrial cybersecurity in the oil and gas, manufacturing, and electricity/energy industries in 2022. Based on the results of a survey of over 900 ICS business and security leaders in the United States, Germany, and Japan, we will discuss the characteristics of each industry and the motivations and environmental factors that will drive future cybersecurity improvements. We will also introduce Trend Micro's proposals based on the industry's current state, focusing on manufacturing & production.
The environment surrounding the electric power industry has changed significantly over the past 10 years. Especially since the adoption of the SDGs, which aim for sustainable energy, there has been a pressing need to review the supply chain and the entire system of the energy industry on a national scale.
A stable supply of electricity supports many industries and lifestyles, including manufacturing, restaurants, transportation such as trains, and households. The impact of power supply instability and outages is more widespread than in other industries.
Large amounts of electricity cannot be stored cheaply, so it is essential to match supply (production) to demand. To adjust supply according to demand, mechanisms such as DR (Demand Response) and VPP (Virtual Power Plant) have been introduced, and ICT is being actively utilized.
In addition, the modernization of power generation, transmission, and distribution systems (digitization, network connection, use of general-purpose software and IT, etc.) is progressing, and cyber risks are increasing at the same time.
In the United States, ahead of other industries, the Cyber Security Capability Maturity Model (ES-C2M2) was published in 2014 and has been used as a self-assessment procedure. In addition, NERC has decided on a new standard (CIP-012-1) for the protection of communications between large-scale power system control centers, and as a result, guidelines for security measures such as new supply chain risk measures have been introduced.
In Europe, where electricity is supplied between EU member states, the increase in security threats is not a risk confined to a single country, and energy and other critical infrastructure operators are required to take security measures (NIS Directive). Security measures are being implemented one after another.