A Holistic Approach to Cybersecurity Important To Safeguard Energy Sector

  • The energy industry in the United States is critical to its infrastructure and industrial success, but it is also a prime target for cyber-attacks.

  • The Government Accountability Office's 2019 report faulted the DOE for its failure to develop a comprehensive cybersecurity strategy.

  • To proactively safeguard power systems, keeping operating systems up to date and applying patches promptly is basic cyber hygiene.

Foreign adversaries and individual bad actors are a constant threat to the electric power grid. Malicious and disruptive activity against our increasingly digitized critical energy infrastructure is escalating, and the concern is even more serious now that consumers are more interconnected with the energy grid than ever.



We rely on the energy and utility industry every day. The constants of modern life, the traffic lights that guide our daily commutes, the air conditioning in our homes and offices, and the cell phones and computers we use to communicate, are all powered by the energy grid. That is, until the day the grid fails.



Energy Sector Vulnerabilities


Usually things return to normal within a matter of hours and it is business as usual. But with cyberattacks increasingly becoming a global threat, that outcome is not one we can count on.



The energy industry in the United States is critical to its infrastructure and industrial success. But it is also a prime target for cyber-attacks from nation-states, terrorists, and criminals looking to leverage the sector for their own political or economic aims.



As an integral part of national critical infrastructure, whether you’re a well-resourced criminal group looking to cause disruption and damage, a nation state seeking to spread your political message, or simply to posture on the world stage, the energy and utilities sector is an alluring target.

-Andrew Tsonchev, Director of Technology, Darktrace Industrial

High-value energy industry assets and data, together with the sector's heavily automated and loosely protected processes, networks and organizations, are enough to lure cybercriminals. Energy facilities and suppliers are vulnerable to damaging and costly attacks given their low investment in digital risk management compared to sectors such as financial services.



Once a rarity, attacks targeting energy sector firms now happen with growing frequency. In 2017, a Russian APT group known as Dragonfly 2.0 compromised US and European energy companies and gained access to the interfaces their engineers used to supply energy to homes and businesses. The same year, malware was planted remotely on a line of safety controllers used in some 18,000 plants worldwide to regulate voltage, pressure and temperature, including in nuclear and water treatment facilities, almost triggering an explosion in Saudi Arabia. And nearly two years after malware jeopardized operations during hurricane recovery, followed quickly by a ransomware attack, a North Carolina utility provider is still recovering. More recently, a denial-of-service attack lasting more than 10 hours crippled the network of a company supplying power to consumers in California, Utah, and Wyoming.



Other industries face similar attacks, but the stakes are higher in the energy industry. Several hacking groups are now capable of attacking and compromising industrial control system environments. Through successful phishing, malware, and other cyberattacks, adversaries can obtain the credentials of the users who control power grid equipment, oil wells, generators, and other sensitive systems. Third-party risk is another major concern, as US utility organizations spend approximately 80% of their budgets on external suppliers.



Cyber threat actors will continue to penetrate critical infrastructure in the US. With the increasing adoption of the Internet of Things, concerns about the vulnerability of the nation's power system will become even more pronounced. Increased vulnerabilities can also be attributed to a lack of robust security practices and employee training.




A Farrago of Regulatory Bodies for Grid Cybersecurity


While the threat of cyberattacks raises concerns over the vulnerability of power systems, responsibility for cybersecurity is split among five different regulatory bodies:



• The Federal Energy Regulatory Commission ("FERC")
• The Department of Energy ("DOE")
• The Department of Homeland Security ("DHS")
• The North American Electric Reliability Corporation ("NERC")
• The Transportation Security Administration ("TSA")



This farrago of regulatory bodies overseeing the security of the power grid has failed to keep pace with emerging cyberthreats and has itself contributed to the grid's growing vulnerability.



A report by the Government Accountability Office ("GAO") issued in 2019 examined critical infrastructure protection and outlined the actions needed to address what it called "significant cybersecurity risks facing the electric grid." The report identified key "threat actors," the increasing vulnerability resulting from "smart" interconnections, and the potential impact on the grid given the current lack of a coordinated cybersecurity plan.



The report made three key recommendations:



• DOE to develop a plan implementing the national cybersecurity strategy, including a comprehensive assessment of the cybersecurity risks facing the grid;
• FERC to adopt changes to cybersecurity standards on the prevention, detection, and response to cyber events; and
• FERC to consider the potential risk of a coordinated cyberattack and assess whether mandatory reporting thresholds are warranted.



The GAO report faulted the DOE for failing to develop a comprehensive cybersecurity strategy.



The guidance the plan provides decision-makers in allocating resources to address grid cybersecurity risks and challenges will likely be limited.

- The Government Accountability Office

Moreover, siloed agency reporting has resulted in a lack of information sharing among these agencies; they do not even share the same interpretation of what constitutes a reportable event, leading to what FERC has called a "reporting gap." In 2018, for example, NERC reported zero cyber events, DOE reported four, and DHS reported 59. While rules recently adopted by FERC will broaden and standardize reporting requirements, gridlocked discussions on Capitol Hill over which agency should lead efforts to protect the nation's power system leave it vulnerable.



Achieving Energy Sector Cybersecurity


Organizations can reduce the likelihood of being implicated in breaches and outages with a few practical steps.



1. Understanding the common attack vectors that affect energy utilities the most


The energy sector is known to be slow at updating infrastructure and process software, making it a prime target for denial-of-service and exploit attacks. Keeping operating systems up to date and applying patches promptly is basic cyber hygiene that proactively guards against compromise; where an operational system cannot be patched on schedule, compensating controls such as network isolation should bridge the gap. Continuously monitoring for risk via open-source threat intelligence can help organizations learn about attack patterns and threat actors, which industries or companies are being targeted, and whether criminals are in the planning stages of an attack before an incident occurs.
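Because patch cycles in operational environments are slow, the practical question is which unpatched assets to fix first. The following is an added example, not code from the article or any utility: it runs a patch-compliance check over a small constructed asset inventory, compares installed versions against an assumed minimum patched version per product, and ranks the unpatched assets by network zone and internet exposure. Product names, zone labels, version floors and the inventory itself are all made up for illustration.

```python
"""Patch-compliance check over an OT/IT asset inventory (illustrative example).

Given hosts with their installed software versions, flag assets running below
the minimum patched version and rank them so that limited patch windows go to
the most exposed systems first. All data below is constructed for illustration.
"""
from dataclasses import dataclass
import re


@dataclass
class Asset:
    name: str
    zone: str               # assumed zone labels: "corporate", "dmz", "control"
    product: str
    version: str
    internet_exposed: bool


# Constructed baseline: minimum version considered patched, per product.
MIN_PATCHED = {
    "hmi-server": "4.2.1",
    "historian": "7.0.5",
    "engineering-workstation-os": "10.0.19045",
}

# A hole in the control zone is worse than one in corporate IT.
ZONE_WEIGHT = {"corporate": 1, "dmz": 2, "control": 3}


def parse_version(v: str) -> tuple:
    """Turn '4.2.1' or '7.0.5-rc1' into a comparable tuple.

    Components are compared numerically (so 4.10 > 4.2), padded so that
    '4.2' equals '4.2.0', and a pre-release suffix sorts below the release.
    """
    core, _, suffix = v.partition("-")
    nums = [int(p) for p in re.findall(r"\d+", core)]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + ((-1 if suffix else 0),)


def is_patched(asset: Asset) -> bool:
    """True if the asset meets the minimum patched version for its product.

    Products with no known floor are treated as unpatched so they surface
    for review instead of silently passing.
    """
    floor = MIN_PATCHED.get(asset.product)
    if floor is None:
        return False
    return parse_version(asset.version) >= parse_version(floor)


def risk_score(asset: Asset) -> int:
    """Priority: zone weight, doubled if the asset is reachable from the internet."""
    score = ZONE_WEIGHT.get(asset.zone, 1)
    return score * 2 if asset.internet_exposed else score


def unpatched_by_priority(assets) -> list:
    """Return (name, score) for every unpatched asset, highest priority first."""
    found = [(a.name, risk_score(a)) for a in assets if not is_patched(a)]
    return sorted(found, key=lambda t: (-t[1], t[0]))


# Constructed inventory for illustration.
INVENTORY = [
    Asset("hmi-01", "control", "hmi-server", "4.1.9", False),
    Asset("hmi-02", "control", "hmi-server", "4.2.1", False),
    Asset("hist-01", "dmz", "historian", "7.0.5-rc1", True),
    Asset("ews-01", "control", "engineering-workstation-os", "10.0.19045", False),
    Asset("vendor-jump", "dmz", "remote-access-gateway", "2.0", True),
]


if __name__ == "__main__":
    for name, score in unpatched_by_priority(INVENTORY):
        print(f"priority {score}: {name}")
```

Two design choices matter here. Versions are compared numerically rather than as strings, because a plain string comparison would rank "4.10.0" below "4.2.1" and hide an already-patched host or, worse, pass an old one. And an asset whose product has no recorded baseline is reported rather than ignored, since an inventory gap is exactly where an unmanaged vendor appliance tends to hide.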



2. Effective Cybersecurity Awareness Training



Cybersecurity awareness training is an essential step organizations can take to keep corporate users safe on the network. Employees should be trained to recognize phishing, ransomware, social engineering, and other threats in order to keep information and accounts secure and mitigate the risk of a breach. Attackers craft phishing emails containing malicious links to trap employees, so staff should be trained to avoid clicking unsolicited links and pop-ups in email, on social media, and from unknown sources, and should be encouraged to report suspected security incidents. Additionally, restrict each employee's access to only the data and systems that person needs to do their job. This limits the attack surface and can reduce damage and incident remediation costs should a breach occur.



3. Reducing Third-Party Risks


To reduce third-party risk, organizations need to understand vendors' security posture by evaluating suppliers and vendors before engaging them, as part of the contract, and throughout the relationship. Ask questions to identify their potential exposure areas, the technical controls protecting data and systems, their network segmentation practices, and the authentication tools they use. Once cybersecurity practices and enforcement capabilities are determined, a baseline can be set for continuous partner monitoring, protecting sensitive data from unauthorized access that might result from gaps in partners' security infrastructure or networks.



The energy sector is continuously exposed to evolving cyberthreats and to threat actors trying to gain access to its networks, each with the potential to expose highly sensitive data or bring critical infrastructure to a halt. While there is no guaranteed safety from malicious threats or compromise, a strategic and holistic approach to cybersecurity is the way to reduce them. Organizations in the energy industry can prevent an attack from becoming a crisis by staying informed of the latest security threats, maintaining visibility into their own and their third parties' information security infrastructure, and sustaining a proactive cyber defense and a strong culture of cybersecurity awareness.


