Delivering energy has centered on the fundamental tenet of being reliably available. As energy providers strive to maintain that availability, they all too often push security to the back burner. Many unsafe practices have fallen into place for the sake of speed and efficiency, including the use of default and shared passwords, open access, and little oversight. Many systems have been put into production and stayed in place well beyond the vendor's intended support lifecycle. The result is end-of-life systems that no longer receive patches or updates despite known security flaws. Unfortunately, many organizations have also built their security around the assumption of air-gapped networks, an assumption that is proving insufficient as more and more devices become interconnected.
Today's energy industry has undergone rapid digitalization, presenting attackers with new attack surfaces to exploit. The emergence of smart grids and smart devices has made the sector an attractive target, and cybercriminals have taken notice. The World Energy Council notes in its latest World Energy Congress report that there has been a "massive" increase in the number of successful cyberattacks in recent years, and the organization fears that those in the industry may be unprepared to deal with new and emerging threats.
This state of affairs has not gone unnoticed by the United States government. In 2017, President Trump issued an executive order demanding stronger cybersecurity for critical infrastructure. In response, the Department of Energy released a five-year strategy to more effectively combat the risk of power disruptions caused by cyberattacks, focusing on threat sharing, supply chain risk, and research and development of more resilient energy systems. Organizations such as the National Institute of Standards and Technology (NIST) have also released updates to, and new drafts of, their security frameworks to provide guidance on securing energy environments and on adding better in-network threat detection using security controls based on deception.
The world has already seen the potential fallout that cyberattacks on the energy sector could cause. It has also seen the rise of some "alarmingly simple" security exploits, like the one that disrupted California energy operations in March. Each incident serves as a warning sign that the industry needs stronger, more-reliable protections.
While it is heartening that the government has made cybersecurity in the energy sector a priority, organizations should treat compliance only as a baseline. There are several steps that defenders can take to reduce risk and better protect their assets. Some may be viewed as basic hygiene, while others will be driven by necessity, enabling organizations to detect and identify sophisticated attackers intent on endangering human safety, service reliability, or economic stability.
The NIST Cybersecurity Framework and other security frameworks follow a fundamental structure of five functions: "identify, protect, detect, respond, and recover." The section below covers the related activities and some of the solutions being put into place to address cyber risk.
Activity: Develop a better understanding of how to manage the risks associated with the systems, data, and capabilities that make up the organization's critical infrastructure.
Action: Identify the systems, devices, users, data, and facilities that support daily business processes, and appropriately prioritize them. Ensure that the organization's business environment and governance align with essential security goals, and employ effective risk assessment tools and risk management strategies.
Activity: Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
Action: Properly segment networks so that control systems are reachable only from the hosts and protocols that need them, patch systems, remove default or shared passwords, and monitor for unauthorized access or activity.
Activity: Establish appropriate tools and activities to identify the occurrence of a cybersecurity event.
Action: To detect lateral movement and credential theft, detection needs to occur not only at the perimeter but also within the network. Per the recent NIST draft, setting deceptive decoys and lures for misdirection provides a useful safeguard for alerting on and derailing attacks: because a decoy account or host has no legitimate users, any interaction with it is a high-fidelity signal rather than one more alert to tune.
Activity: Put appropriate programs, processes, and tools in place to take action regarding a detected cybersecurity event.
Action: Assess current tools for their accuracy and their ability to support a quick response. Detection tools that also gather and correlate threat and adversary intelligence can be valuable in generating substantiated alerts, producing company-specific intelligence, and reducing response time. Tools that offer native integrations for automated blocking, isolation, and threat hunting will simplify and accelerate incident response, and controls that share data seamlessly help make sure the threat is eradicated and cannot resurface in another part of the network. Organizations should continually pressure-test tools and processes and conduct incident dry runs to ensure familiarity, so that teams are not learning while responding.
Activity: Maintain plans for resiliency and the ability to quickly restore any capabilities or services that suffered impairment due to a cybersecurity event.
Action: Remediation can be complicated, depending on how much information was gathered when the attack was detected. Detection tools that capture indicators of compromise (IOCs), preserve forensic evidence, and report the attacker's tactics, techniques, and procedures (TTPs) will save significant time in determining where the threat started and what the attacker was after. They also make it possible to hunt for other footholds the attacker may have established. Several security vendors provide solutions that integrate and share data by forwarding alerts directly into ticketing systems, removing delays in remediation. Having the right detection, response, and recovery processes in place also lets a security team determine more quickly how extensive a breach was and whether further disclosure is required.
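The detect, respond, and recover actions above describe decoy-based detection, IOC capture, and hunting for other footholds without showing what the detection logic looks like. The following is an added example written for this page, not code from the article's author or from any vendor product: it defines a set of decoy (honeytoken) accounts and decoy hosts, parses sshd-style authentication lines, raises an alert for every event that touches a decoy, and then groups the alerts by source address so the responder has one IOC and the ordered sequence of targets that IP touched. All account names, host names, addresses, and log lines are constructed for the example and are not real.

```python
import re
from collections import defaultdict

# Decoy (honeytoken) identities and hosts. Hypothetical names, constructed for
# this example: no legitimate process ever uses them, so any authentication
# attempt that references one is an alert, whether it succeeds or fails.
DECOY_ACCOUNTS = {"svc_scada_backup", "hmi_admin_legacy"}
DECOY_HOSTS = {"plc-07-decoy", "hist-db-decoy"}

# sshd-style auth lines, constructed for this example (not real logs).
# 10.20.1.15 logs in legitimately, then probes a decoy account, a decoy host,
# and finally logs in to a decoy host with a decoy account.
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:03 jump01 sshd[2231]: Accepted password for ops_engineer from 10.20.1.15 port 51022 ssh2
Mar 14 02:14:41 jump01 sshd[2290]: Failed password for svc_scada_backup from 10.20.1.15 port 51100 ssh2
Mar 14 02:14:52 hist-db-decoy sshd[411]: Failed password for root from 10.20.1.15 port 51104 ssh2
Mar 14 02:15:07 plc-07-decoy sshd[77]: Accepted password for hmi_admin_legacy from 10.20.1.15 port 51110 ssh2
Mar 14 03:02:19 eng-ws04 sshd[9012]: Accepted publickey for ops_engineer from 10.20.2.8 port 40311 ssh2
"""

# Matches the "Accepted"/"Failed" lines sshd writes for password and publickey auth.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_auth_line(line):
    """Return a dict of fields for one sshd auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_decoy_use(log_text, decoy_accounts=DECOY_ACCOUNTS, decoy_hosts=DECOY_HOSTS):
    """Emit one alert per auth event that touches a decoy account or decoy host.

    A failed attempt is as significant as a successful one: the source is
    already using credentials or host names it had no legitimate way to learn.
    A success means the attacker is now on a decoy, which is rated critical.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        reasons = []
        if ev["user"] in decoy_accounts:
            reasons.append("decoy account " + ev["user"])
        if ev["host"] in decoy_hosts:
            reasons.append("decoy host " + ev["host"])
        if reasons:
            alerts.append({
                "ts": ev["ts"], "src": ev["src"], "host": ev["host"],
                "user": ev["user"], "result": ev["result"],
                "severity": "critical" if ev["result"] == "Accepted" else "high",
                "reason": "; ".join(reasons),
            })
    return alerts


def summarize_iocs(alerts):
    """Group alerts by source IP: one IOC per attacker, with the ordered list of targets.

    The ordered target list is the starting point for the hunt described in the
    recover step: every host the IP touched, decoy or not, needs to be checked.
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append((a["ts"], a["host"], a["user"], a["result"]))
    return {src: sorted(events) for src, events in by_src.items()}


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_AUTH_LOG)
    for a in found:
        print(f'{a["ts"]} {a["severity"]:8} {a["src"]} -> {a["user"]}@{a["host"]} '
              f'({a["result"]}): {a["reason"]}')
    for src, events in summarize_iocs(found).items():
        print(f"IOC {src}: {len(events)} decoy touches, first {events[0][0]}, last {events[-1][0]}")
```

On the constructed log, the legitimate logins on lines 1 and 5 produce nothing, and the three decoy touches from 10.20.1.15 produce two high and one critical alert that collapse into a single IOC. In production the same logic would run against the SIEM's authentication feed rather than a string, and the decoy sets would be populated from the deception platform's inventory so that a decoy added later is detected without a code change.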
In addition to having these plans in place, a healthy best practice is for security teams to score their efficacy in each of the five functions against the forms of attack they expect. Determining which areas are weak against a given attack type or attack surface provides useful guidance on where to invest further. This risk baseline also serves as an effective way to communicate to executives or a board what needs to be improved and why.
As attack surfaces grow and attacks become more sophisticated, having a comprehensive security program has never been more critical. Following a security framework, and using it to identify security gaps, will strengthen the industry's cybersecurity capabilities and better protect both organizations and their customers from security events as small as an inconvenient service disruption or as large as a full-blown catastrophe with material safety or financial consequences.
–Carolyn Crandall is Chief Deception Officer and CMO with Attivo Networks.