Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Taking Aim at the Energy Sector: Three Steps to Defend Against a Rising Number of Attacks

Cyber Attacks Against Energy Sector

Cyber Attacks Against Energy Sector

When Thomas Edison said, “We will make electricity so cheap that only the rich will burn candles,” you wonder if he envisioned how essential it would become to daily life. Energy is so important that it is considered part of our critical infrastructure. And that’s what makes it an attractive target for cybercriminals.

The number of attacks on the energy sector is on the rise and far exceeds other critical infrastructure sectors as reported by the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The report indicates that 54% of all attacks investigated in the eight months ending in May 2013 were targeting energy companies – an increase from 41% during the preceding 12 months. Other sectors considered critical infrastructure and included in the report are critical manufacturing, the next closest at 17%, communications, transportation, water, nuclear, and government facilities among others.

The control networks energy companies rely on to operate and automate processes are complex and ever-expanding. Moving from serial to routable protocols simplifies connectivity but also exposes the network to greater risk because attackers don’t need to physically connect to the target to gain entry. The Internet of Things will further expand connectivity to a proliferation of devices, creating additional opportunities for attackers to seize on new vulnerabilities and gaps in cybersecurity to gain access.

The recent passing of NERC CIP version 5 demonstrates that the industry recognizes the rising risk to these networks and is seeking ways to mitigate and manage it. With widespread, serious ramifications of a breach and fines of up to $1 million per day per violation, energy companies are taking action. However, it is important to note that in this new reality of sophisticated and targeted attacks, while lack of compliance compromises protection, being compliant doesn’t equate to being safe.

The DHS report found that the majority of incidents targeting the energy sector involved attacker techniques such as watering hole attacks, SQL injection, and spear-phishing attacks. Two of these methods rely on the human element to introduce malware and, as demonstrated by Stuxnet, air gaps are also being crossed due to human missteps. Clearly, perimeter-based defenses and techniques are being evaded. Once inside the network, attackers are free to act as they please. Companies need to identify new ways to deal with these advanced cyber attacks that take advantage of a greater attack surface, unsuspecting users, and increasing complexity with the network.

Utility Firm Control CenterTo further complicate the problem, information technology (IT) security solutions in use on the corporate network can’t be deployed interchangeably to protect the control network. The two management teams have different priorities. IT is typically focused on data protection while the control network operations technology (OT) team must put availability and reliability first; cybersecurity controls are important but not at the expense of availability and reliability. When control networks fail, there are very real risks posed to human life, environmental safety and the economy.

So what types of capabilities should energy companies look for to better defend against advanced attacks to control networks? It isn’t a matter of simply spending more, as many organizations have already allocated significant resources to cybersecurity and are still getting attacked. It’s a matter of shifting the mindset from “if” to “when” an attack will happen. Policies and controls are essential to reduce the surface area of attack, but threats still get through. As a result, technologies must also be able to detect, understand, and stop threats that have penetrated the network. This requires a new approach to cybersecurity that doesn’t rely exclusively on air gaps or point-in-time detection tools but addresses the full attack continuum – before, during, and after an attack.

Energy companies should seek out solutions with the following capabilities to help address each step across the attack continuum while satisfying their unique requirements.

Step 1: Before an Attack – To defend before an attack occurs, energy companies need a total inventory of the network and all its cyber assets – for example, applications, protocols, users, and devices, such as remote terminal units and programmable logic controllers. To eliminate the risk of disruption, the system must be able to passively profile control networks without being inline. Only by knowing everything that is on the control network can OT and IT security teams implement policies and controls to defend it.

Advertisement. Scroll to continue reading.

Step 2: During an Attack – NERC CIP standards take a risk-based approach to security – risk assessment and management is the focus. Most energy companies don’t have a team of people they can deploy to follow-up on every potential event, manually assess the risk, and act accordingly. As a result, they can spend hours analyzing events that pose little to no risk in their specific environment. Technologies that notify of events with the right context, for example providing impact flags that distinguish between active attacks, suspicious activity, and background noise, will help prioritize efforts and assign resources to the threats that matter most.

Step 3. After an Attack – Invariably, attacks will be successful. Energy companies need to be able to mitigate the damage but also learn from the attack. Technologies like retrospective security help marginalize the impact of an attack by identifying point of entry, determining the scope, containing the threat, remediating and updating protections against future similar attacks. With this process and tools in place, energy companies can more easily generate reports to demonstrate NERC CIP compliance and pass audits.

The trajectory of attacks on the energy industry is eye-opening and likely to continue. NERC CIP standards provide a baseline from which to start. However, to truly address new and unique cybersecurity challenges, energy companies need to expand their approach with technologies that maintain availability and reliability while increasing protection along the full attack continuum.

 

Related: Cyber Attacks Targeted Key Components of Natural Gas Pipeline Systems 

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Municipal Water Authority of Aliquippa in Pennsylvania confirms that hackers took control of a booster station, but says no risk to drinking water or...

ICS/OT

Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...

Cybercrime

Energy giants Schneider Electric and Siemens Energy confirm being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day.

ICS/OT

Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.