Turkish technology company Biznet is eager to increase local cybersecurity development and offer consultancy services tailored to Turkey’s needs, Biznet Informatics Deputy General Manager Hakan Terzioglu told Anadolu Agency on Monday.
Through the development of Turkey’s homegrown cybersecurity, the cost to the country would be cut down three-fold compared to services offered through foreign companies, Terzioglu said.
Biznet's cybersecurity investments have exceeded $400,000, and over the last three years alone the company has invested over $100,000 in experts in the area of energy infrastructure security.
Biznet's local employee rate is 94% overall, and for cybersecurity in the field of Industrial Control Systems (ICS) the company employs all local staff for its services, Terzioglu said.
Turkey is just progressing in developing security systems for Operational Technology (OT) and ICS, while Biznet is closely watching the global developments in these areas.
Terzioglu stressed the importance of implementing regulations for cybersecurity and cited the U.S. as an example to watch, as it rewards institutions that invest in this area through incentives.
"The state needs to encourage enterprises to invest in cybersecurity," he said.
Following a study it conducted two years ago, Turkey's Energy Market Regulatory Authority (EMRA) published the ICS Information Security Regulation, which was then revised in early 2019; another revision is planned next year.
To counter cyber attacks, Terzioglu advised that energy and tech companies, academics, and state and private sector players create a platform for companies to conduct drills, similar in form to the conventional military drills that the U.S. and Europe have held to detect weaknesses and form defense strategies.
As Turkey is a candidate to become an energy corridor thanks to its geopolitical position, Terzioglu argued that a safe infrastructure is necessary to protect the potentially vast trade volume. If, however, the country is not properly prepared, he said, its reputation as a secure environment for business would suffer in the international arena.
He recalled the malicious software attack in 2017 that was carried out on Saudi Aramco when 30,000 computers were blocked in the company’s facilities. He explained that as Saudi Aramco was the target of many attacks because of its global prominence, these attacks made the headlines worldwide and damaged the company’s reputation.
- Cybersecurity threats are real
Patrick Miller, the founder of the non-profit corporation EnergySec, which provides a threat intelligence platform for members, declared that energy infrastructure security is the most crucial of all, as without it all other measures would fail very quickly.
Miller explained that within the energy sector, the numerous upstream and downstream phases including drilling, transportation and refining need different types of cybersecurity systems.
He argued that the security systems in place now were designed in isolation but the current environment needs a more integrated approach.
He explained that currently the tendency is for infrastructure systems to be inter-connected to obtain data and understand their parameters, but this means that they become more vulnerable because any connection between them is susceptible to hackers.
"It is a good thing because it makes it operate better, but at the same time it carries a potential risk," he noted.
The better-secured systems are designed in a way to deal with cyber-attacks without the need to stop operations, Miller said.
He also echoed the importance of regulations and referenced the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards that have been in force since July 1, 2008.
NERC states that these CIP standards provide a comprehensive set of requirements to protect North America’s Bulk-Power System from malicious cyber attacks.
NERC developed its set of CIP standards to require utilities to establish a baseline set of security measures. Violations can result in financial penalties of over $1 million per day per violation, he explained, but cautioned that regulations can only go so far.
"Regulations help, but only for so long. I wrote the regulation in the U.S. and it is a topic that I know well. For example, before the regulation some companies did a good job regarding cybersecurity and some did not. However, even some companies that did a good job beforehand reduced their security measures after the regulation came into force since their executives did not want to spend extra money. Thus, it became the floor instead of the ceiling," he said.
Subsequently, organizations that went beyond what the regulation dictated were rewarded through various incentives and this incentive model helped solve the problem, he said.
He affirmed that cybersecurity threats are very real and should be taken seriously. He said the attack on Ukraine's electricity grid in 2015, which caused multiple blackouts leaving 230,000 Ukrainians without electricity for hours, is an example of a threat that could have been stopped if such a regulation had been implemented in Ukraine.
By Gokce Kucuk and Talha Yavuz
Edited by Anne Akti