Every day, we rely on the energy and utilities industry. The traffic lights that guide us on our daily commutes, the air that conditions our homes and office spaces, and the cell phones and computers we use to communicate are a constant of every day modern life, and one we often take for granted, that is until the energy resources needed to power them fail.
While certainly inconvenient, we can generally depend on things to return to normal in a matter of hours and get back to business as usual. But with cyber-attacks targeting the energy sector a growing global threat, that typical outcome may not be one on which we can rely.
The energy industry in the United States is critical to our nation’s infrastructure and industrial success. But it is also a prime target for cyber-attacks from nation states, terrorists, and criminals looking to leverage the sector for their own political or economic aims. These attacks are fueled by the high value of energy industry assets and data, as well as the sector’s heavily automated and loosely protected processes, networks, and organizations. Coupled with low investments in digital risk management, at least as compared to sectors like financial services, this leaves energy facilities and suppliers vulnerable to damaging and costly attacks.
Once a rarity, attacks targeting energy sector firms now happen with growing frequency. In 2017, a Russian APT group known as DragonFly 2.0 compromised US and European energy companies and gained access to interfaces its engineers used to supply energy to homes and businesses. The same year, a virus was introduced remotely on controllers used in 18,000 power plants globally to regulate voltage, pressure, and temperatures in nuclear and water treatment facilities, almost triggering an explosion in Saudi Arabia. And nearly two years after malware jeopardized operations in the midst of hurricane recovery, which was then quickly followed by a ransomware attack, a North Carolina utility provider is still recovering. More recently, a DDoS attack for more than 10 hours crippled the network of a company supplying power to consumers in California, Utah, and Wyoming.
Although attacks in this sector mirror those in other industries, the stakes are significantly higher. Multiple hacking groups currently have the capability to attack and compromise industrial control system environments. Phishing, malware and other attacks, if successful, can give hackers the credentials necessary to access power grids, oil wells, generators, and other sensitive control areas. Utility organizations in the US spend approximately 80 percent of budget on external suppliers, making third party attacks another major concern.
See a video: Power Engineering’s Rod Walton talks with Tom McDonnell, of Rockwell Automation, about power plant security during POWERGEN International 2019 in New Orleans.
Cyber threat actors will continue to penetrate critical infrastructure in the US. While this is partially due to the natural expansion of the Internet and IoT devices, it can also be attributed to a lack of robust security practices and employee training. However, a few simple steps can help these organizations avoid being implicated in breaches and outages.
Understanding which attack vectors most commonly affect energy utilities is the first step in helping to defend against them. The energy sector is known to be slow at updating infrastructure and process software, making it a prime target for DDoS and exploit attacks. Implementing good cyber hygiene by updating operating systems and applying patches immediately is integral to proactively safeguarding against compromise. Constantly monitoring for risk via open source threat intelligence can help organizations learn more about attack patterns and threat actors, which industries or companies are being targeted and whether criminals are in the planning stages of an attack before an incident occurs.
Effective cybersecurity awareness training is another essential action that organizations can take to keep corporate users safe on the network. Teach employees to identify phishing, ransomware, social engineering, and other threats to keep information and accounts secure and mitigate the risk of a breach. For instance, attackers collect email addresses and strategically craft phishing emails that contain malicious links. Train employees to avoid clicking on unsolicited links and pop ups — especially on social media or from unknown sources — and to proactively report security suspected incidents. Additionally, restrict employees’ access to only the data and systems those individuals need to do their jobs. This limits the attack surface and can reduce damage and incident remediation costs should a breach occur.
Also important is reducing third-party risk by understanding vendors’ security posture. Evaluate suppliers and vendors before engaging them as part of the contract and throughout the relationship. Ask questions to identify their potential exposure areas, technical controls to data and systems, network segmentation practices and authentication tools used. After determining cybersecurity practices and enforcement capabilities a baseline can then be set for continuous partner monitoring, protecting sensitive data from unauthorized access that might result from gaps in extended parties’ and partners’ security infrastructure or from networks.
Like organizations everywhere, the energy sector is beset on all sides by a catalog of ever-evolving cyber threats and threat actors trying to gain access to their networks, each with the potential to expose ultra-sensitive data or bring critical infrastructure to a halt. While there’s no way to guarantee 100 percent safety from malicious threats or compromise, a strategic and holistic security approach is the only way to safeguard against them. By keeping informed of the latest security threats and maintaining visibility into their own and third parties’ infosecurity infrastructure along with maintaining a proactive cyber defense and a strong culture of cybersecurity awareness, organizations in the energy industry can prevent an attack from becoming a crisis.
About the author: Vinnie Savino is a Customer Success Manager with LookingGlass Cyber Solutions.