Turkish technology company Biznet Informatics is eager to contribute to the local development of cybersecurity measures and offers consultancy services tailored for Turkey’s needs, company Deputy General Manager Hakan Terzioğlu said.

Development of homegrown cybersecurity measures can cut cost by three-fold compared to services offered through foreign companies, Terzioğlu told Anadolu Agency (AA) on Monday.

Biznet has exceeded $400,000 in cybersecurity investments. It has invested over $100,000 in energy infrastructure security over the last three years alone.

More than 94% of Biznet's employees are local and for cybersecurity reasons it employs fully local staff in the field of Industrial Control Systems (ICS), Terzioğlu said.

Turkey is slowly picking up the pace in developing security systems for Operational Technology (OT) and ICS, while Biznet is closely watching the global developments in these areas.

Terzioğlu stressed the importance of implementing cybersecurity regulations and cited the U.S. as an example, as it encourages investments in this area through incentives.

"The state needs to encourage enterprises to invest in cybersecurity," he said.

From Turkey's Energy Market Regulatory Authority (EMRA) study, which Biznet conducted two years ago, it published the ICS Information Security Regulation. It was then revised in early 2019 and another revision is planned next year.

To counter cyberattacks, Terzioğlu advised energy and tech companies, academics, state and private sector players to create a platform for companies to conduct drills, similar in form to conventional military drills that the U.S. and Europe have held to detect weaknesses and form defense strategies.

Pointing to Turkey's ambitions of becoming an energy corridor using its key geopolitical position, Terzioğlu argued that a safe infrastructure is necessary to protect the potential vast trade volume. If the country is not ready its reputation as a secure environment for business would suffer in the international arena.

He recalled the malicious software attack on Saudi Aramco in 2017 when 30,000 computers were blocked in the company’s facilities. He said Saudi Aramco was the target of many attacks because of its global prominence but these attacks made the headlines and damaged the company’s reputation.

CYBERSECURITY THREATS ARE REAL

Patrick Miller, the founder of the nonprofit threat intelligence platform EnergySec, said energy infrastructure security is the most crucial of all, as without it all other measures would fail very quickly.

Miller explained that within the energy sector, the numerous upstream and downstream phases, including drilling, transportation and refining, need different types of cybersecurity systems.

He argued that the security systems in place now were designed in isolation but the current environment needs a more integrated approach.

He explained that the current tendency is for infrastructure systems to be interconnected to obtain data and understand their parameters, but this means that they become more vulnerable because any connection between them is susceptible to hackers.

"It is a good thing because it makes operations better, but at the same time it carries a potential risk," he noted.

The more secured systems are designed in a way to deal with cyberattacks without the need to stop operations, Miller said.

He also echoed the importance of regulations and referenced to the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) standards that have been in force since July 1, 2008.

NERC says these CIP standards provide a comprehensive set of requirements to protect North America’s Bulk-Power System from malicious cyberattacks.

NERC developed its set of CIP standards to require utilities to establish a baseline set of security measures. Violations can result in financial penalties of over $1 million per day per violation, he explained, but cautioned that regulations can only go so far.

"Regulations help but for only for so long. I wrote the regulation in the U.S. and it is a topic that I know well. For example, before the regulation, some companies did a good job regarding cybersecurity and some did not. However, even some companies that did a good job beforehand reduced their security measures after the regulation came into force since their executives did not want to spend extra money. Thus, it became the floor instead of the ceiling," he said.

Subsequently, organizations that went beyond what the regulation dictated were rewarded through various incentives and this incentive model helped solve a lot of problems, he said.

He added that cybersecurity threats are very real and should be taken seriously. He said the attack on Ukraine's electricity grid in 2015, which caused multiple blackouts leaving 230,000 Ukrainians without electricity for hours, is an example of a threat that could have been avoided if such a regulation was implemented in Ukraine.