Cyber-crime is one of the biggest threats organizations face. Computers control almost everything we do, from the level of chlorine put into our water to the electricity supply into our town. Hackers are fully aware of this, and they understand if they infiltrate these systems or do anything to jeopardize the supply of these utilities, it wouldn’t take long before chaos erupted.
Cyber-criminals are constantly looking for new targets and energy companies can deliver significant return on investment. A cyber-criminal, for example, could hold a country at ransom by stopping its gas supply. This illustrates how cybercrime can be an extremely profitable business, and depending on the scale of an attack, hackers have the potential to earn millions of dollars and cause plenty of damage.
Unlike with a retail company, which risks losing customer credit card data and personal information, the primary concern for cyber-attacks against energy companies can easily become a safety issue, and a successful cyber-attack can cause actual physical harm to people. Thankfully, that is a line we haven’t seen crossed yet.
Attackers know if the national power grid were to go down, it would cost many hundreds of millions of dollars per hour and, in the case of hospitals or air-traffic control systems, for example, any disruption to services could place people’s lives in jeopardy. Attacks targeting oil and gas infrastructure could potentially cause situations like oil spills or reprogram logic controllers to create dangerous situations by opening a valve or changing a temperature setting.
Because of the devastating consequences any cyber-attack on these systems could have, the key question we need to ask ourselves is, “How do we make energy companies more secure?”
Until recently it was easy to ignore industrial systems because they had traits that made them mostly immune to the kinds of threats IT networks faced. Simply put, the systems were not connected to the IT network. In the earlier days, they were not even on a network at all, but rather connected through serial communications. Once networking was adopted, a complete air gap still existed between the IT and OT networks, and the latter used proprietary protocols that no attackers understood.
You might remember this is the same network evolution that took place on the IT side, and we know where that ended – with every device interconnected and communicating over standard protocols.
Today, however, it is an entirely different story. Experts say that it is not a matter of “if” but “when” a successful cyberattack against a utility will cause widespread damage. There have been a growing number of published vulnerabilities against industrial control systems, with over 150 new vulnerabilities made public in the last year alone. In addition, more hacking incidents than ever are being reported; there were at least 245 cyber-attacks against energy organizations in the last year, with many more unreported.
There is no shortage of malicious individuals wanting to cause damage through a cyber-attack – from terrorists, to nation-states, to hacktivists. Unfortunately, the methods to do exactly that are readily available on the Internet. The risk is real, and the time to act is now, before these attacks make front-page news, similar to the attacks against governments, retail stores and healthcare institutions.
ICS-CERT, a team within the federal Department of Homeland Security that focuses on industrial security, has been monitoring and sharing intelligence about industrial control system threats since 2010. In that time, it has published over 800 advisories relating to security issues, vulnerabilities and exploits. While everyone in security knows about the Stuxnet attack, there have been numerous reports of other attacks against industrial systems.
In fact, a recent survey by Tripwire of 400 executives and IT professionals in the energy, oil, gas, and utility industries found there is widespread agreement the cyber threat is real. Of executives responding to the survey, 94% said their organization is a target of cyber criminals, and 83% of all respondents believed such an attack could cause serious physical damage.
Experts, however, are also skeptical of some of the survey results. While the majority responding believed their organization would detect an attack within 24 hours, most industry research shows most cyberattacks often take months to discover. Once discovered, the news isn’t much better. ICS-CERT found that in the majority of industrial incidents, the root cause is never determined due to a lack of monitoring of the affected systems prior to the event.
Energy companies are revisiting security strategies in light of these risks. Executives looking for best practices and industry standards are finding several emerging options. IEC 62443 (formerly known as ISA 99) provides a series of guidance for bringing security controls to industrial systems that are often lacking controls. A newer industry group, the Industrial Internet Consortium (IIC), has also started a security working group to address these issues. In the United States NIST recently published an updated guide to Industrial Control Systems Security – NIST SP-800-82 R2.
Regardless of the acronyms and numbers, all of these standards ultimately prescribe the same three things – adding controls to protect critical systems from attack, putting monitoring in place to detect attacks, and having a plan and process to respond effectively when an attack happens.
Action is taking place in many energy organizations today. But is the change happening fast enough? A major security incident could prove it is not, but in many other industries, a major breach has acted a catalyst for change.
Often these mega-breaches force attention on security initiatives and shift budget and resources priorities necessary to effectively implement needed initiatives. Organizations that focus on staying ahead of attacks are investing now to avoid being the name in the headlines when a major utility breach finally transpires. While it’s impossible to predict just how soon an incident like that might come, those who wish to do harm don’t appear to be going away anytime soon.
Addressing security concerns and building more secure industrial environments will help companies benefit from the efficiency and productivity gains that come from our increasingly interconnected world.
Author: David Meltzer is chief research officer at Tripwire (www.tripwire.com). He has spent the last two decades protecting organizations from the world’s most sophisticated cyber attackers. Meltzer holds a bachelor’s degree in computer science from Carnegie Mellon University.