A Holistic Approach to Cybersecurity Important To Safeguard Energy Sector

Power Engineering | February 12, 2020

  • The energy industry in the United States is critical to its infrastructure and industrial success, but it is also a prime target for cyber-attacks.

  • The Government Accounting Office 2019 report blamed the DOA for its failure to develop a comprehensive cybersecurity strategy.

  • Updating operating systems and applying patches immediately is a good cyber hygiene practice for proactively safeguarding power systems.

Foreign adversaries and individual bad actors are a constant threat to our electric power grid. Malicious and disruptive activity poses an escalating threat to the cybersecurity of our increasingly digitized critical energy infrastructure. The concern is even more serious in the current times of increased consumer interconnectedness with the energy grid.



We rely on the energy and utility industry every day. The constants of modern life, like the traffic lights that guide us on our daily commutes, the air conditioning in our homes and office spaces, and the cell phones and computers we use to communicate, are all powered by the energy grid. That is, until the day the grid might fail.



Energy Sector Vulnerabilities


Though things will certainly return to normalcy in a matter of hours and it will be business as usual, with cyberattacks increasingly becoming a global threat, this particular outcome may not be one on which we can rely.



The energy industry in the United States is critical to its infrastructure and industrial success. But it is also a prime target for cyber-attacks from nation-states, terrorists, and criminals looking to leverage the sector for their own political or economic aims.



As an integral part of national critical infrastructure, whether you’re a well-resourced criminal group looking to cause disruption and damage, a nation state seeking to spread your political message, or simply to posture on the world stage, the energy and utilities sector is an alluring target.

-Andrew Tsonchev, Director of Technology, Darktrace Industrial

High-value energy industry assets and data, as well as the sector's heavily automated and loosely protected processes, networks and organizations, are enough to lure cybercriminals. Energy facilities and suppliers are vulnerable to damaging and costly attacks given the low investment in digital risk management compared to sectors like financial services.



Once a rarity, attacks targeting energy sector firms now happen with growing frequency. In 2017, a Russian APT group known as DragonFly 2.0 compromised US and European energy companies and gained access to interfaces their engineers used to supply energy to homes and businesses. The same year, a virus was introduced remotely on controllers used in 18,000 power plants globally to regulate voltage, pressure, and temperatures in nuclear and water treatment facilities, almost triggering an explosion in Saudi Arabia. And nearly two years after malware jeopardized operations amid hurricane recovery, which was then quickly followed by a ransomware attack, a North Carolina utility provider is still recovering. More recently, a DDoS attack lasting more than 10 hours crippled the network of a company supplying power to consumers in California, Utah, and Wyoming.



Other industries have faced similar attacks, but the stakes are high in the energy industry. Several hacking groups can now attack and compromise industrial control system environments. Hackers can gain access to a power grid, oil wells, generators, and the credentials of other sensitive control-system users through successful phishing, malware, and other cyberattacks. Third-party attacks are another major concern, as utility organizations in the US spend approximately 80% of their budget on external suppliers.



Cyber threat actors will continue to penetrate critical infrastructure in the US. With the increasing adoption of the Internet of Things, concerns about the vulnerability of the nation's power system will become even more pronounced. Increased vulnerabilities can also be attributed to a lack of robust security practices and employee training.




A Farrago of Regulatory Bodies for Grid Cybersecurity


While the threat of cyberattacks raises concerns over the vulnerability of power systems, the responsibility for cybersecurity lies with five different regulatory bodies:



• The Federal Energy Regulatory Commission ("FERC")
• The Department of Energy ("DOE")
• The Department of Homeland Security ("DHS")
• The North American Electric Reliability Corporation ("NERC")
• The Transportation Security Administration ("TSA")



The farrago of regulatory bodies overseeing the security of the power grid has failed to keep pace with emerging cyberthreats and has also added to its increasing vulnerability.



A report by the Government Accounting Office ("GAO") issued last year examined critical infrastructure protection and outlined the actions needed to address what it deemed "significant cybersecurity risks facing the electric grid." The report identified key "threat actors" and increasing vulnerability resulting from "smart" interconnections, and discussed the potential impact on the grid based on the current lack of a coordinated cybersecurity plan.



The report made three key recommendations:



• DOE to develop a plan implementing the national cybersecurity strategy, including a comprehensive assessment of cybersecurity risks facing the grid;
• FERC to adopt changes to cybersecurity standards on the prevention, detection, and response to cyber events; and
• FERC to consider the potential risk of a coordinated cyberattack and assess whether mandatory reporting thresholds are warranted.



The GAO report blamed the DOA for its failure to develop a comprehensive cybersecurity strategy.



The guidance the plan provides decision-makers in allocating resources to address grid cybersecurity risks and challenges will likely be limited.

- The Government Accounting Office

Moreover, siloed agency reporting has resulted in a lack of sharing among these agencies; they do not even have the same interpretation of what constitutes a reportable event, leading to what FERC has called a "reporting gap." In 2018, for example, NERC reported zero cyber events, DOE reported four events, and DHS reported 59. While rules recently adopted by FERC will broaden and standardize reporting requirements, gridlocked discussions on Capitol Hill regarding which agency will lead efforts to protect the nation's power system leave it vulnerable.



Achieving Energy Sector Cybersecurity


Organizations can avoid being implicated in breaches and outages by taking a few simple steps.



1. Understanding the Common Attack Vectors That Affect Energy Utilities the Most


The energy sector is known to be slow at updating infrastructure and process software, making it a prime target for DDoS and exploit attacks. Updating operating systems and applying patches immediately is a good cyber hygiene practice to proactively safeguard against compromises. Constantly monitoring for risk via open-source threat intelligence can help organizations learn more about attack patterns and threat actors, which industries or companies are being targeted, and whether criminals are in the planning stages of an attack before an incident occurs.



2. Effective Cybersecurity Awareness Training



Cybersecurity Awareness Training is an essential action that organizations can take to keep corporate users safe on the network. Employees should be trained to identify phishing, ransomware, social engineering, and other threats to keep information and accounts secure and mitigate the risk of a breach. Attackers create phishing emails that contain malicious links to trap employees. Employees should be trained to avoid clicking on unsolicited links and pop-ups on emails, social media, and from unknown sources. Training to report such suspected security incidents should also be encouraged. Additionally, restrict employees’ access to only the data and systems those individuals need to do their jobs. This limits the attack surface and can reduce damage and incident remediation costs should a breach occur.



3. Reducing Third-Party Risks


Organizations need to understand vendors' security posture by evaluating suppliers and vendors before engaging them as part of the contract and throughout the relationship to reduce third-party risks. Ask questions to identify their potential exposure areas, technical controls on data and systems, network segmentation practices, and authentication tools used. After determining cybersecurity practices and enforcement capabilities, a baseline can then be set for continuous partner monitoring, protecting sensitive data from unauthorized access that might result from gaps in extended parties’ and partners’ security infrastructure or networks.



The energy sector is continuously susceptible to ever-evolving cyberthreats and to threat actors trying to gain access to its networks, each with the potential to expose ultra-sensitive data or bring critical infrastructure to a halt. While there is no guaranteed safety from malicious threats or compromise, a strategic and holistic approach to cybersecurity is the way to safeguard against them. Organizations in the energy industry can prevent an attack from becoming a crisis by keeping informed of the latest security threats and maintaining visibility into their own and their third parties' information security infrastructure, along with maintaining a proactive cyber defense and a strong culture of cybersecurity awareness.


