Each day, we depend on energy for almost every kind of activity imaginable. Energy is required to keep lights on, enable transportation around the world, allow hospitals to operate, power the internet, and much more. Also termed the Oil and Gas sector, it is considered a critical infrastructure sector by most nations around the world, because a loss of energy can have a debilitating impact on the quality of human life. The energy industry incorporates power supply, renewable energy R&D, oil and gas technology, nuclear energy, and other areas, and it plays a crucial role in the global economy. Last year, the industry generated about $238 billion in revenue, an increase of about $25 billion from 2017. Its lucrative nature has made it a prime focus of cybercriminals and digital fraud perpetrators, and both public and private entities have recorded severe losses from cyber-attacks and digital fraud in the industry. Loosely secured, heavily automated endpoints further increase cyber risk in energy.
Example breaches and threats targeting the energy sector
- Energy organizations hit with Advanced Persistent Threats: The industry is an attractive target for Advanced Persistent Threat (APT) actors. For example, the Russian APT group DragonFly 2.0 compromised US and European energy enterprises a couple of years ago, which gave the threat actors access to power grids. The group also compromised the systems that energy engineers use to issue commands to the infrastructure that supplies energy to homes and businesses. The same group also carried out notorious attacks against Ukraine’s power grid.
- Much of the APT activity, including DragonFly’s, remained hidden on company networks for years. The group used business email compromise attacks and credentials harvested from compromised devices to gain remote access to critical infrastructure. From there, it captured images of power-grid control panels and used that access to disrupt critical assets.
- North Carolina utility provider hit with ransomware attack: ONWASA, a utility service provider in North Carolina, had its endpoints compromised by the notorious Emotet malware while it was recovering from Hurricane Florence. While security specialists were brought in to salvage the situation, it was hit again about ten days later by a ransomware strain called Ryuk. Unfortunately, the technology team was unable to contain the fast-spreading malware, and the provider faced the potential of operational impact. The organization declined to pay the ransom and instead collaborated with DHS and the FBI to take action. Thankfully, the attack did not limit the organization’s ability to provide the utility; otherwise, the consequences could have been debilitating for the community the provider serves.
Increasing cyber risk in the energy sector
A 2019 report by Deloitte disclosed that the energy sector is one of the most targeted industries. In 2016, 20% of reported incidents were within the energy sector; the two other industries with comparable figures were communications and critical manufacturing. This issue is not confined to the US: the industry has been heavily targeted in Australia, Europe, Japan, and other countries around the world.
The electrical power sector is the most targeted by nation-state actors, organized criminal groups, and hacktivists. These attacks, which often include supply chain compromise, usually result in financial theft, fraud, operational disruption, reputational damage, impact to critical infrastructure, and regulatory consequences.
Beyond critical infrastructure security and safety, digital fraud is one of the most alarming concerns in the energy sector. A report on digital fraud found that the energy sector faces the highest consequential costs of digital fraud, outpacing the banking and finance sector, as well as many others.
Ways to address the most significant risks in the energy sector
As the sector continues to embrace digitization, industrial IoT, and more, the industry’s attack surface has grown. The sector has everything an attacker could be looking for, from data to critical assets whose compromise can affect human life. In response, energy companies must prioritize cybersecurity.
The first step for every company in this sector is to create a strategy based on robust, layered security technology and processes, such as intrusion detection, prevention, and response solutions, supply chain security, firewalls, anti-virus, and more. Also make sure you have the right resources to deliver on the strategy, and educate your employees and customers on cybersecurity best practices. Remember that successful attacks in this sector are attributed mostly to phishing emails, and vigilant employees can help prevent them.
On a more tactical level, minimize vulnerabilities across endpoints by understanding the often complex asset environment, including mobile assets, IoT, and beyond. Know how critical each asset is to operations, the risks it faces, and how it is protected, and prioritize based on criticality and the current level of protection. At a bare minimum, maintain good security hygiene. For example, a common risk in control systems is a default or hardcoded password, which attackers can quickly discover; make sure that default passwords are changed. Another example is to prepare for ransomware attacks by maintaining adequate data backups as well as a ransomware detection and response plan. These are necessary actions that help increase security.
The energy sector makes the world go round. Successful attacks against the industry can affect not only an organization’s financial health and reputation but also human life. As such, the energy sector must invest in continually improving cybersecurity to address evolving threats.