In the face of widespread disruption driven by economic, regulatory and consumer forces, the energy sector is increasingly adopting digital technologies to transform the industry and bring it into the future. However, this move to modernization can unintentionally expose organizations to a range of new security threats that must be addressed.
Digital Transformation–A Move to the Modern
A recent survey by Deloitte found that 95% of energy executives believe that "Digital transformation is a top strategic priority." Utilities and power companies are increasingly adopting cloud computing, IoT, robotic process automation (RPA), and more to help create new revenue streams and improve distribution and customer engagement. However, this move to new digital technologies requires utilities to integrate and connect more of their services, bringing old technologies online for the first time and potentially creating risks along the way.
While it's a very exciting time for the industry, it's not one to approach lightly. To fully realize the benefits of these initiatives, energy/utility companies need to couple the adoption of new technologies with a risk assessment of the security vulnerabilities that can be created in the process.
Traditionally, energy companies have relied on "air gapping" security techniques to physically separate operational technology from networks, but these new technologies require connectivity, making these traditional methods obsolete and creating a need for more modern solutions.
Securing the new digital era starts with an understanding of the attack surface, where vulnerabilities exist and are created, and the ability to prioritize and focus security initiatives to reduce risk. Digital transformation projects have the power to fundamentally alter how the energy sector operates and they need a security strategy to match – one that has active support from the top down and focuses on three key areas.
Busting the Kill Chain
According to the 2019 CyberArk Global Advanced Threat Landscape, which surveyed business leaders at 1,000 organizations, 53% of respondents suffered business impact from a cyber-attack in the last three years. Additionally, 45% of energy/utilities organizations believe they can't prevent attackers from breaking into their internal networks and 67% believe that they are susceptible to carefully crafted attacks (e.g. a tailored phishing email).
As we've seen in every industry, preventing attackers from infiltrating a network is an exercise in futility. Motivated attackers will always find a way to penetrate the perimeter and gain a foothold, which is why it's important to prepare for security incidents by expecting an infiltration and taking steps to mitigate attack progression.
Once inside a network, attackers generally look to exploit privileged access, which allows attackers to easily move across the infrastructure, retrieve targeted assets, exfiltrate data, and more. This is a particularly effective strategy for attackers targeting the energy sector because locking down privileged access has proven to be a major area of weakness for this industry. While 82% of respondents to the Threat Landscape survey recognize the critical importance of privileged account and credential security in their overall security posture, only 29% currently have privileged access management solutions in place for industrial control systems.
That being said, 28% are planning, in the next 24 months, to dedicate budget toward preventing privilege escalation. While that's a good start, it's important for all companies, energy/utility included, to prioritize tools and strategies that can help prevent a foothold from escalating into a full-blown takeover. By busting the cyber kill chain, companies can regain control by disrupting attack patterns and thus limit potential damage.
Understanding Where Privilege Exists
While energy/utility organizations understand the importance of privileged access management, identifying everywhere privileged accounts and credentials exist is still a major problem.
Digital transformation technologies, like cloud services, microservices, containers and RPA processes, often require privileged credentials to perform tasks, and new credentials are automatically created as instances are established. These powerful credentials could provide an adversary with the "keys to the kingdom" that can lock a power company out of, and eventually disconnect them from, their network.
When thinking of privileged access, most organizations think about human admin access and are unaware of the risks new technologies can represent. Only a small portion of those surveyed are aware that privileged accounts and credentials exist in microservices (20%), containers (21%) and applications and processes such as RPA (30%). This is a major problem in the world of cybersecurity because you can't mitigate risks if you don't know where they exist, and most companies are in the dark.
There is, however, an understanding that securing these areas has to be a top priority. Fifty-two percent plan to increase investment in securing cloud, 47% plan to increase spending on IoT, and 42% plan to increase spend on SaaS applications. By understanding where risk exists, organizations can better align their budgets towards more effective security programs.
Prioritizing Privileged Access for Key Processes
Since there is a willingness to allocate security spend on new technologies and processes, it's important that organizations understand which security strategies will deliver the best value and mitigate the most risk. Privileged accounts and credentials can exist anywhere and the attack surface is continually expanding with the growth of RPA, IoT, DevOps environments and cloud, so employing strong privileged access controls is an obvious place to start.
To do that, however, organizations need to take an inventory of their accounts, identify those that could cause the most damage if they were compromised, and lock them down. In the end, an attacker does not particularly care which privileged account they are compromising if it represents a pathway to the most valuable information.
Innovation doesn't come without its challenges, and changing business processes, particularly traditional practices like air-gapping that have been relied upon for so long, doesn't come without growing pains. Adopting new technology to support digital transformation efforts often means incurring increased risk and creates a need to embrace new approaches to security. By understanding the modern attack surface and the role privileged access security plays in protecting critical infrastructure and systems, energy companies can make informed technology investments that deliver the agility they want and the strong protection of critical IT assets they need.
–Bryan Murphy is director of Consulting Services–Americas at CyberArk, a security software company.