Critical infrastructure in the power and energy sector in particular is facing an increase in cyber threats. This isn’t a surprise, as hackers can cripple anything, from an organization to a nation state, by taking down its power and energy infrastructure.
While many power and energy organizations have ramped up their security practices, the adversaries have done better. Cyber threats are constantly evolving, and hot-button technologies such as mobility and cloud computing are implemented before they are secured. Many executives in the power and energy sector are hesitant to share security intelligence, forgoing offensive solutions against dynamic, targeted attacks.
These companies need to take the security issue more seriously; a cyber incident within the power and energy sector can have catastrophic consequences, which can affect financial performance (stock price, credit rating), productivity (man-hours), incremental costs (regulatory fines), hidden costs (liabilities), and lost reputation.
Security breach incidents
Just 2 months ago, the US Department of Homeland Security and its Industrial Control Systems Cyber Emergency Response Team issued a report confirming several attacks on public utility companies. An unnamed company was breached by a sophisticated threat actor who utilized software used within the sector to gain access to control system assets.
The systems were using a simple password mechanism and an authentication method that was susceptible to brute force techniques. It was also determined that the systems were already exposed to a number of security threats as they lacked appropriate security controls and threat-detection capabilities.
Another incident revealed that a sophisticated adversary used a cellular modem to access the control system server through a typically weak protocol: supervisory control and data acquisition (SCADA). There were no authentication access controls or firewalls in place, so the device could be accessed directly over the internet.
Such incidents highlight the need for monitoring capabilities and cyber intelligence to prevent adversaries from discovering system loopholes and using them as targets of opportunity. Daily Tech says that the vulnerability of power and energy companies to cyber threats is a real worry for the electric grid.
Power companies mostly use SCADA networks to control their systems, which are manufactured to ensure that the grid functions efficiently, but are not necessarily secure. So a large-scale cyber attack could lead to significant costs, triggering power outages of the electric grid and causing delayed disruptions in food and water supplies, communications, and healthcare delivery. Also, cyber threats are more daunting to address than traditional threats faced by the electric grid’s functionality, such as severe weather.
Advanced grid technologies may provide new efficiencies, but also increase challenges when it comes to cyber threat protection, because the transition to digital systems and controls creates new threat vectors for utility systems. And given the rapid pace at which cyber risks evolve, it is nearly impossible to make the electric grid foolproof against all cyber threats.
Beyond common practices
In many ways, the energy and power companies are in a stronger position to address cyber threats than other critical infrastructure sectors, as they already have to comply with enforceable standards: the Securities and Exchange Commission and the Federal Energy Regulatory Commission oversee the North American Electric Reliability Corporation, which develops and maintains standards that apply to the energy and power sector. Companies have been advised to adopt new standards that address cyber security oversight as compulsory practices.
However, while these regulatory authorities set the baseline for cyber threat prevention, they do not necessarily create incentives for the continual adaptation and measures needed to respond effectively to evolving cyber threats. Compliance with standards may also take attention and resources away from investment in comprehensive security, so there is a clear need for a personalized intelligence platform like Massive’s Strixus Cyber Threat Assessment™.
Cyber threats on critical infrastructure, along with regulatory scrutiny, are only likely to grow. Energy and power operators will need to remain diligent with the help of pointed intelligence that covers the full spectrum of data loss and attack intelligence plus trends and hotspots in the sector to protect vital data and assets from outside threats.