The implications of a cyberattack on our energy networks are huge, with financial losses and major disruption both highly likely outcomes. It means it’s absolutely crucial that these critical networks are robustly protected. Experts from Skybox Security and Sophos give two regional insights into some of the key cyberthreats to the energy sector and offer advice on how these can be mitigated.
Understanding the risks
Marina Kidron, Director of Threat Intelligence, Skybox Security, outlines six cyber-risks to the energy sector and offers insight as to how these can be countered by defence strategies.
A paper published earlier this year by the UK Infrastructure Transitions Research Consortium (ITRC) calculated that cyberattacks on electricity networks could cost the UK £111m over 24 hours. Add the financial losses to the disruption to everyday life and it’s clear that a lot is at stake. The burden of responsibility to keep the country’s energy supply uninterrupted is a heavy one – energy firms need to understand the main cybersecurity risks that they’re facing and have firm strategies in place to help prevent a costly attack.
Risk one: Challenging OT governance
As companies embrace digitalisation, it is increasingly difficult to keep a handle on visibility across hybrid IT-OT networks. What’s more, it’s really hard for OT engineers to apply patches: every upgrade requires them to restart devices, so asking them to install a patch also means asking them to shut down some machinery. With energy supplies already stretched, any disruption is a real challenge.
The first thing that energy firms can do to help secure their critical infrastructure is to understand vulnerability exposure within their networks – once they have this knowledge, they can develop targeted remediation strategies. Identify which vulnerabilities are the most exposed and determine how to patch them first.
Risk two: Problems with patching
Patching is near impossible with OT. The problem is compounded by outdated technology: legacy OT devices often cannot be scanned and traditionally run on unpatchable software. There are ways to overcome this. In some instances, security teams can apply an IPS signature instead of a patch, which will block the exploit pack that would take advantage of the vulnerability. This tactic is extremely valuable for energy companies when it comes to securing their OT devices and networks.
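As an added illustration of the approach in Risks one and two (example code, not Skybox’s tooling or anything from the article), the following Python models a hybrid IT-OT network as zones, ranks every vulnerability reachable from the internet ingress by how few hops away it sits, and picks a patch where the device allows it, an IPS signature as a compensating control where it does not, and isolation otherwise. The zone names, asset names, vulnerability ids and signature ids are all constructed placeholders.

```python
from collections import deque
from dataclasses import dataclass
@dataclass
class Asset:
    name: str
    zone: str
    patchable: bool   # False for legacy OT that cannot be restarted to patch
    vulns: tuple      # placeholder vulnerability ids, not real CVEs
# Constructed zone reachability, directed, from the internet ingress inwards.
REACHABLE_FROM = {"internet": ("dmz",), "dmz": ("corp-it",),
                  "corp-it": ("ot-supervisory",), "ot-supervisory": ("ot-control",)}
# Placeholder IPS signatures that block exploitation of a given vulnerability id.
IPS_COVERAGE = {"VULN-A": "sig-1001", "VULN-C": "sig-1003"}

def hops_from_ingress(graph, zone, ingress="internet"):
    """Shortest hop count from the ingress zone to `zone`; None if unreachable."""
    seen, queue = {ingress}, deque([(ingress, 0)])
    while queue:
        cur, dist = queue.popleft()
        if cur == zone:
            return dist
        for nxt in graph.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def remediation_plan(assets, graph=REACHABLE_FROM, ips=IPS_COVERAGE):
    """Rank reachable vulns by exposure (fewest hops first) and choose an action."""
    plan = []
    for asset in assets:
        hops = hops_from_ingress(graph, asset.zone)
        if hops is None:          # unreachable from ingress: routine maintenance only
            continue
        for vuln in asset.vulns:
            if asset.patchable:
                action = "patch"
            elif vuln in ips:     # virtual patch: no device restart needed
                action = "ips-signature:" + ips[vuln]
            else:
                action = "isolate-and-monitor"
            plan.append((hops, asset.name, vuln, action))
    return sorted(plan)

SAMPLE = [  # constructed inventory for demonstration
    Asset("web-gw", "dmz", True, ("VULN-A",)),
    Asset("historian", "ot-supervisory", False, ("VULN-A", "VULN-B")),
    Asset("plc-7", "ot-control", False, ("VULN-C",)),
    Asset("lab-box", "isolated-lab", True, ("VULN-B",)),
]
```

Each row of `remediation_plan(SAMPLE)` is (hops from ingress, asset, vulnerability, action), so the most exposed items come first and unpatchable OT devices get a signature or isolation rather than being skipped.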
Risk three: Nation-state actors
OT is an attractive target for nation-state threat actors. The motivation to target the energy sector is far greater than in other industries. Attacks can be deployed at a nation-state level to cripple a critical organisation, or ransomware could be used to demand a high pay-out. In the first half of 2019 alone, there were nearly 50 new advisories from ICS-CERT and a spate of new attacks, with LockerGoga stealing the headlines.
Risk four: Third-party fragmentation
There is significantly more third-party involvement in energy firms than in other companies, which leads to their networks becoming more distributed and fragmented. The fact that they have more ingress points than other verticals means that there’s a far wider attack surface for security teams to identify and to protect.
Risk five: Different devices for different types of providers
There are different types of energy provider – electric, gas, nuclear, etc – each with a specific mix of specialist devices. Therefore, it’s difficult to create a directive which would have relevance to the entire industry. The level of expert knowledge required within the energy sector’s security and engineering teams is high, making it difficult to achieve cross-departmental knowledge-sharing and collaboration.
Risk six: Siloed teams
IT security and OT engineering teams work in two different worlds. Their objectives are misaligned, their skill-sets are not transferable and neither understands how to protect the other.
To overcome this risk, organisations within the energy market need to unify management of their hybrid IT-OT networks. They can achieve this by eliminating silos between teams, gaining full network visibility and understanding how IT and OT affect each other, as well as the risks that each introduces.
In terms of protecting their OT devices, these companies shouldn’t just look at the software that runs the OT devices, but the management software used by the HMI (human-machine interface) as well. This software often remains unpatched and will likely run outdated versions of Windows.
If these companies don’t act soon, they are not only putting themselves at risk financially but are also endangering the wider economy and the safety of UK citizens. The time to act is now.
The threat landscape and mitigating risks
Harish Chib, Vice President, Middle East and Africa, Sophos, talks us through the two major attack vectors and offers advice for businesses looking to prevent attacks.
The threat landscape continues to change on a daily basis, and every vendor and commentator out there predicts that volumes will rise. This has affected all sectors and the energy sector is no exception. Whoever has valuable data is at risk.
Threats today have two major vectors for attack – and they are often used together:
- User-focused malware
  - Social engineering is the primary method used to trick users into opening an email, clicking an attachment or visiting a URL
  - Malware on removable media such as USBs
- Vulnerability exploits
  - Cybercriminals look for weaknesses in software to send threats into the network
  - Unfortunately, vulnerabilities in software are not going away and companies still struggle to keep up with patching
The biggest cybersecurity threat facing businesses right now is the deluge of attacks and associated incident alert data, regardless of the source of the attack. Right now, we see ransomware and phishing as two significant attack vectors and we have seen an increase in attacks on Android platforms as a new way of entering corporate networks.
The hard truth is that there are data security breaches every single day, globally. This is not just an issue for organisations in the energy sector. Malware and other threats that spread across networks are equally fatal for all sectors.
These attacks do however highlight the growing concern over cybersecurity, the impact of breaches and why cybersecurity needs to be a top priority for every organisation, whatever their size and sector.
It is important to get the basics right. Even the most well-resourced companies are still falling victim to attacks that use phishing and social engineering techniques to dupe employees.
Companies need to re-think the traditional approach of ‘layered security’ and think more about ‘synchronised security’. With the latest deep learning technologies, new cybersecurity solutions can now act faster than an IT manager, predicting issues and stopping threats before they enter an organisation’s network.
Here are some things we’ve learned over the years, working with thousands of other organisations of every size:
First, encrypt the data. Many IT organisations have steered clear of encryption thinking that it impacts performance or that it’s simply too complicated to effectively implement. This is no longer the case. Enterprises should be encrypting their most critical data far more often than they do.
Ensure that any contractors, outsourcers or third-party partners take cybersecurity as seriously as you do. After all, it’s your data that your customers have entrusted you with and it’s your responsibility to secure it.
Take a user-centric view to your security. Too often, IT departments focus on devices and fail to see the connection between a user, their data and all the devices (including mobile devices) that they use on a daily basis.
Simplify. Complexity is the enemy of security. Too often complicated tools aren’t configured correctly, aren’t communicating with other tools or aren’t even deployed at all because despite all their power they are simply too complicated for mere mortals to use effectively.
Train your users. They are often the weakest link in a cybersecurity strategy. Too often users wilfully hand over their credentials and engage in risky cyber behaviour that can put the company at risk.