When Thomas Edison said, “We will make electricity so cheap that only the rich will burn candles,” you wonder if he envisioned how essential it would become to daily life. Energy is so important that it is considered part of our critical infrastructure. And that’s what makes it an attractive target for cybercriminals.
The number of attacks on the energy sector is on the rise and far exceeds other critical infrastructure sectors as reported by the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The report indicates that 54% of all attacks investigated in the eight months ending in May 2013 were targeting energy companies – an increase from 41% during the preceding 12 months. Other sectors considered critical infrastructure and included in the report are critical manufacturing, the next closest at 17%, communications, transportation, water, nuclear, and government facilities among others.
The control networks energy companies rely on to operate and automate processes are complex and ever-expanding. Moving from serial to routable protocols simplifies connectivity but also exposes the network to greater risk because attackers don’t need to physically connect to the target to gain entry. The Internet of Things will further expand connectivity to a proliferation of devices, creating additional opportunities for attackers to seize on new vulnerabilities and gaps in cybersecurity to gain access.
The recent passing of NERC CIP version 5 demonstrates that the industry recognizes the rising risk to these networks and is seeking ways to mitigate and manage it. With widespread, serious ramifications of a breach and fines of up to $1 million per day per violation, energy companies are taking action. However, it is important to note that in this new reality of sophisticated and targeted attacks, while lack of compliance compromises protection, being compliant doesn’t equate to being safe.
The DHS report found that the majority of incidents targeting the energy sector involved attacker techniques such as watering hole attacks, SQL injection, and spear-phishing attacks. Two of these methods rely on the human element to introduce malware and, as demonstrated by Stuxnet, air gaps are also being crossed due to human missteps. Clearly, perimeter-based defenses and techniques are being evaded. Once inside the network, attackers are free to act as they please. Companies need to identify new ways to deal with these advanced cyber attacks that take advantage of a greater attack surface, unsuspecting users, and increasing complexity within the network.
To further complicate the problem, information technology (IT) security solutions in use on the corporate network can’t be deployed interchangeably to protect the control network. The two management teams have different priorities. IT is typically focused on data protection while the control network operations technology (OT) team must put availability and reliability first; cybersecurity controls are important but not at the expense of availability and reliability. When control networks fail, there are very real risks posed to human life, environmental safety and the economy.
So what types of capabilities should energy companies look for to better defend control networks against advanced attacks? It isn’t a matter of simply spending more, as many organizations have already allocated significant resources to cybersecurity and are still getting attacked. It’s a matter of shifting the mindset from “if” to “when” an attack will happen. Policies and controls are essential to reduce the attack surface, but threats still get through. As a result, technologies must also be able to detect, understand, and stop threats that have penetrated the network. This requires a new approach to cybersecurity that doesn’t rely exclusively on air gaps or point-in-time detection tools but addresses the full attack continuum – before, during, and after an attack.
Energy companies should seek out solutions with the following capabilities to help address each step across the attack continuum while satisfying their unique requirements.
Step 1: Before an Attack – To defend before an attack occurs, energy companies need a total inventory of the network and all its cyber assets – for example, applications, protocols, users, and devices, such as remote terminal units and programmable logic controllers. To eliminate the risk of disruption, the system must be able to passively profile control networks without being inline. Only by knowing everything that is on the control network can OT and IT security teams implement policies and controls to defend it.
Step 2: During an Attack – NERC CIP standards take a risk-based approach to security – risk assessment and management is the focus. Most energy companies don’t have a team of people they can deploy to follow up on every potential event, manually assess the risk, and act accordingly. As a result, they can spend hours analyzing events that pose little to no risk in their specific environment. Technologies that notify of events with the right context, for example providing impact flags that distinguish between active attacks, suspicious activity, and background noise, will help prioritize efforts and assign resources to the threats that matter most.
Step 3: After an Attack – Invariably, some attacks will be successful. Energy companies need to be able to mitigate the damage but also learn from the attack. Technologies like retrospective security help minimize the impact of an attack by identifying the point of entry, determining the scope, containing the threat, remediating, and updating protections against similar future attacks. With this process and tools in place, energy companies can more easily generate reports to demonstrate NERC CIP compliance and pass audits.
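As an added illustration of Steps 1 and 2 (example code written for this page, not from the column or any Cisco product): it builds an asset inventory passively from constructed flow records, then assigns each IDS alert one of the three impact categories named above; every address, protocol, signature name and the protocol-to-role mapping is hypothetical.

```python
from collections import defaultdict

# Constructed flow records as a passive sensor on a SPAN port would see them
# (hypothetical addresses; this code never sends a packet, so it is not inline).
FLOWS = [
    {"src": "10.1.1.10", "dst": "10.1.2.5", "proto": "modbus"},
    {"src": "10.1.1.10", "dst": "10.1.2.6", "proto": "dnp3"},
    {"src": "10.1.1.20", "dst": "10.1.2.5", "proto": "modbus"},
    {"src": "10.1.1.10", "dst": "10.1.3.9", "proto": "https"},
]

# Assumed protocol-to-role hints for server-side hosts (hypothetical mapping).
ROLE_BY_PROTO = {"modbus": "plc", "dnp3": "rtu", "https": "hmi"}

# Constructed IDS alerts to be ranked against the inventory.
ALERTS = [
    {"sig": "modbus write from untrusted source", "dst": "10.9.9.9", "proto": "modbus"},
    {"sig": "modbus function code scan", "dst": "10.1.2.6", "proto": "modbus"},
    {"sig": "dnp3 unsolicited response flood", "dst": "10.1.2.6", "proto": "dnp3"},
]

ORDER = {"active attack": 0, "suspicious activity": 1, "background noise": 2}


def build_inventory(flows):
    """Profile every host seen in the flows: roles, served protocols, peers."""
    inv = defaultdict(lambda: {"roles": set(), "protocols": set(), "peers": set()})
    for f in flows:
        inv[f["dst"]]["protocols"].add(f["proto"])
        inv[f["dst"]]["roles"].add(ROLE_BY_PROTO.get(f["proto"], "unknown"))
        inv[f["src"]]["peers"].add(f["dst"])
        inv[f["dst"]]["peers"].add(f["src"])
    return dict(inv)


def impact_flag(alert, inventory):
    """Classify an alert by what the inventory says about its target."""
    host = inventory.get(alert["dst"])
    if host is None:
        return "background noise"      # target is not a profiled asset at all
    if alert["proto"] in host["protocols"]:
        return "active attack"         # target really serves that protocol
    return "suspicious activity"       # known asset, but not that protocol


def triage(alerts, inventory):
    """Return (flag, alert) pairs ordered so the ones that matter most come first."""
    flagged = [(impact_flag(a, inventory), a) for a in alerts]
    return sorted(flagged, key=lambda pair: ORDER[pair[0]])
```

In a real deployment the flow records would come from a span or tap port and the alerts from the IDS; the inventory gives the context that turns raw events into prioritized work.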
The trajectory of attacks on the energy industry is eye-opening and likely to continue. NERC CIP standards provide a baseline from which to start. However, to truly address new and unique cybersecurity challenges, energy companies need to expand their approach with technologies that maintain availability and reliability while increasing protection along the full attack continuum.
Marc Solomon, Cisco’s VP of Security Marketing, has over 15 years of experience defining and managing software and software-as-a-service platforms for IT Operations and Security. He was previously responsible for the product strategy, roadmap, and leadership of Fiberlink’s MaaS360 on-demand IT Operations software and managed security services. Prior to Fiberlink, Marc was Director of Product Management at McAfee, responsible for leading a $650M product portfolio. Before McAfee, Marc held various senior roles at Everdream (acquired by Dell), Deloitte Consulting and HP. Marc has a Bachelor’s degree from the University of Maryland, and an MBA from Stanford University.