The demand for cybersecurity in the energy sector is often understated. There is a misconception that very little IT is involved, and much of it does not impact operations. But 97% of surveyed ICS security professionals in the energy, oil, and gas sector believe cybersecurity is a growing concern.
No industry has been untouched by digital transformation. With the Industrial Internet of Things (IIoT) and Artificial Intelligence (AI) powering more sophisticated forms of automation, the use of cyber-physical systems will only grow.
Even if you don’t feel that cybersecurity posture is a pressing concern right now, it may be in the future. Every company will have to modernize eventually. However, you must understand the implications digital transformation can have on cyber and Industrial Control System (ICS) security.
The Challenges of Managing Cybersecurity in the Energy Sector
The technological infrastructure of most companies in the manufacturing and supply industry (including energy utilities) can be separated into two categories:
- Plant IT Systems
- Industrial Control Systems (ICS)
Plant IT systems refer to business systems and data, while ICS applies to operations and production. The cybersecurity demands are different for each.
Plant IT cybersecurity involves establishing measures to protect data. The focus of ICS cybersecurity is on ensuring that there is no downtime or loss of production. Many believe the former is far more important than the latter; however, they’re both very important parts of the energy sector.
Cybercriminals usually take a different approach to attacking each system, although there are some commonalities. For instance, a cybercriminal may use ransomware to seal or steal data from its owners to blackmail them before restoring access. Similarly, a cybercriminal may use a Distributed Denial of Service (DDoS) attack to halt ICS operations and only restore them when a fee is paid or a condition is met.
Ultimately, the objectives behind the attacks are the same, but the approaches are different.
Classes of Cyberattacks in the Energy Sector
The impact of cyberattacks launched on ICS and plant IT can be classified into three categories:
- Loss of view: Where a system continues to function, but you can no longer see what it’s doing.
- Loss of control: Where a system is hijacked and no longer responds to your instructions or commands.
- Loss of safety: Where a system can become so unstable that its potential to harm or kill increases.
Loss of safety is the worst situation for an energy utility to find itself in. The 2017 Triton attack was one of the first cases where malware was sent to try to cause harm or loss of life.
Cases such as these can sully people’s attitudes toward cyber-physical technology, even if that technology is designed to be more energy-efficient. For instance, over a third of Americans, as well as over 70% of Canadians, are considering an electric car for their next auto purchase because of a desire to drive energy-efficient vehicles that are better for the environment. Yet, many of those same people are still wary of the idea of self-driving cars. After all, if something were to go wrong, the results would be catastrophic, and the driver may not be able to regain control of the vehicle.
But which threats and risks should the energy sector be most concerned with? After all, it’s no longer just about a loss of money, but a loss of lives too.
Cybersecurity Risks in the Energy Sector
The energy sector is crucial to the economy and the well-being of society. A cyber breach of an energy utility could result in blackouts and a loss of trust from utility customers. These end-users may seek alternative sources for their energy needs, and many already are due to financial incentives provided by the government.
Specifically, the government has already introduced programs designed to support individuals and organizations who turn to alternative energy sources such as solar power. The solar energy Investment Tax Credit (ITC), for example, is one of the biggest Federal policies designed to help incentivize the deployment of energy-efficient solar-based systems in the United States. The ITC offers up to a 30% credit to individuals and businesses who purchase and install qualifying solar-based products in their homes or buildings.
Financial incentives such as the ITC, along with the rising cybersecurity threats in the energy sector, mean we could see more end users who are jaded by energy utilities embrace alternative energy sources such as solar power. To help regain customer trust, energy utilities and power companies must address the following risks:
Multi-Stage Attacks
As mentioned, manufacturing and industrial organizations commonly have two major technological systems. This leaves them even more vulnerable to multi-staged attacks. A multi-stage attack describes a methodical intrusion strategy that often consists of multiple cyberattacks.
For instance, the first stage could be a phishing attack to extract employee credentials or information. Then it can be followed by a ransomware or DDoS attack. One of the most famous examples of this is the Colonial Pipeline breach in 2021.
Multi-stage cyberattacks can leave the entire technological infrastructure (both ICS and IT) at the mercy of bad actors.
ICS Malware Attacks
Ultimately, ICS are computer systems that often have the same vulnerabilities as regular computer systems. Many plants still use decades-old ICS and Operational Technology (OT) systems that run on outdated software and hardware.
These systems do have one advantage. They may not be connected to a larger network or the internet. Thus, they may only be vulnerable to cyberattacks with a physical component, such as inserting a disk or USB drive.
As more companies within the energy industry begin to embrace cyber-physical systems, they may not have this protection anymore. Once ICS and OT are connected, malware specifically designed to penetrate these systems becomes a tangible concern. These systems become part of the wider computing environment and are subject to the same threats, such as worms, Trojans, and wipers.
Stuxnet is an example of powerful malware that was specially written to shut down operational technology. As the line between plant IT and ICS/OT systems blurs, organizations can no longer rely on the air gaps that are used to separate them. Cybercriminals can now access ICS from Plant IT, and vice versa.
Inherently Insecure Components
Most OT and ICS weren’t created with cybersecurity in mind, particularly older technology and equipment. The end goal of those tasked with implementing ICS is to make them work as efficiently as possible.
Often, cybersecurity measures can stall or interfere with that goal, leaving many components vulnerable to cyberattacks. As organizations introduce digital transformation, these components will be integrated into the new system instead of being completely replaced.
The Insider Threat
Many ICS and OT operators, users, and administrators may not be fully aware of the cyber risks attached to these systems. It isn’t just the ICS department that organizations should be worried about, either.
Those working on the IT side can introduce unnecessary vulnerabilities by failing to practice good cyber hygiene. This includes reusing passwords, not logging off or locking computers, and misconfiguring settings. Organizations within the energy sector have more risk of insider threats because they have multiple technological divisions to worry about.
ICS Components With Poor or No Vendor Support
Data centers and other IT systems receive frequent patches and updates. This was never the case for their ICS/OT counterparts. These components can run uninterrupted for years without their software or firmware ever being updated.
Many of these systems and components are no longer supported by their respective vendors. In some instances, the vendors don’t even exist anymore. The problem is that if something goes wrong, there is no one to provide support or help patch system vulnerabilities.
Cyber Attack Mitigation Strategies
Companies in the energy sector now have to worry about cybersecurity. Fortunately, there are a few ways to plug any holes in their security.
Performing OT and ICS Assessments
Taking inventory and stock of the condition of your systems is the first step in securing them, as it will help you determine the current posture of your cybersecurity. This is especially important for those utilities that have aging equipment and operational technology in the environment. OT and ICS assessments can help to identify the risks of running such systems and determine what impact integrating IT with ICS/OT will have. These are cyber-physical solutions.
Addressing the Insider Threat
What made the multi-staged cyberattack on the Colonial Pipeline successful was preventable. For instance, many people reuse the same passwords for multiple accounts. All a bad actor needs to do to gain access is discover a single password of an employee with a high company access level. Companies can prevent this by implementing granular access controls and building a culture of cybersecurity in the workplace.
Develop a Detection and Analysis Process
Companies in the energy sector must have robust cyberattack detection and analysis processes in place. This must include ICS-focused monitoring that detects any abnormalities, including errors, slight malfunctions, or, most importantly, cyber intrusions.
Creating Incident Response Plans
This has a slight tie-in to the previous strategies. When a breach occurs, an organization must know how to contain it to mitigate the impact. This also includes hunt strategies where bad actors who have infiltrated the network can be found and evicted as quickly as possible. Additionally, employees must know who to contact and report to when the system detects a cyberattack.
Leaders in the energy sector have enough to worry about to keep the energy flowing. Cybersecurity shouldn’t be on this list too. The ultimate aim of cybersecurity in the energy sector is to ensure that attacks do not result in real-world impact. Again, it must be noted that the end goals of cybercriminals aren’t always financially motivated, especially those targeting the energy sector. Attacks can be motivated by many factors. Regardless of the reason, there are ways to prevent cyberattacks.
About the Author:
Gary Stevens is an IT specialist who is a part-time Ethereum dev working on open source projects for both QTUM and Loopring. He’s also a part-time blogger at Privacy Australia, where he discusses online safety and privacy.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.