Earlier this year, the European Commission is released funding for key European energy infrastructure projects - a crucial part of enabling the delivery of energy infrastructure in the transition to a climate neutral economy.
Now, more than ever, we need to ensure that all essential elements work together and balance functionality, sustainability, and security.
The Energy sector has, and always will have, a crucial role in the functioning of a modern economy. To offer enhanced, sustainable and more affordable energy services there is a greater need for connectivity from digital devices, platforms and grids.
The steady growth of this technological and industrial development across the Energy sector, and the increasing focus on interconnection and digitalisation, brings the sector to the forefront of cyber-attacks. Digitalisation might be the key to optimise the energy industry but the drive for digital innovation is introducing new risks.
According to an Accenture report on securing the digital economy, 79% of organizations that responded are “adopting new and emerging technologies faster than they can address related security issues.”
Within the Energy sector, the average cost (per organisation) of cyberattacks would rise from $13.2 (2017) to $13.8 (2018) - representing a 4% increase over this period. While cost or growth may not be as high in the Banking, Life Sciences or Travel sectors, as part of critical of economies and national infrastructure, the impact of a cyber-attack can have major consequences and it’s important that energy organisations consider a measured cybersecurity strategy as a top priority.
We reached out to Raj Samani, Chief Scientist and Fellow at McAfee, to find out more about the challenges, risks, and scenarios for cybersecurity in the Energy sector.
Question: The energy and the utility sector constitute a crucial part of infrastructure, are there any unique challenges which the sector faces?
Raj Samani: Traditionally, we have always observed challenges which are unique to this sector, not only in terms of the demand to remain continuously available, but also the very nature of the systems demands a key set of skills that are not necessarily readily available within a traditional cybersecurity skills market.
Q: Can you give an example of some potentially risky scenarios?
RS: We have seen some of these played out in real life – and perhaps quite worryingly, not too long ago. For example, the obvious examples would be Nantanz nuclear site in Iran, which suffered from a Stuxnet worm infection – as first uncovered in 2010. Ten years later, there have been other examples targeting Operational Technologies (OT), for In 2015, we also saw a significant attack against the Ukrainian Power Grid as the political situation escalated. Both examples demonstrate the impact of such risks being realised.
In more recent times, we have also seen the threat of ransomware towards critical national infrastructure (CNI) – an example of this has been the RagnarLocker attack on the energy sector where a £11.7m ransom was demanded earlier this year in exchange for 10Tb of private information. Whilst these attacks focus on the IT network, this year we have witnessed ransomware going after the production facilities at another company.
Q: Are these scenarios going to change in a covid/ post-covid environment?
RS: The use of offensive cyber-attack tactics doesn’t strictly demand physical interaction. Of course, with the appropriate air gaps it may necessitate the use of physical media such as a USB entry point vector, but broadly speaking, cybercrime is the one sector that is not negatively impacted by COVID and indeed, the economic situation.
Although it is worth noting the thwarting of the ransomware attack at Tesla was done using USB as an initial vector, so this threat certainly still exists.
Q: How should security risks in the energy supply chain managed?
RS: An approach that could be incorporated is the leveraging of the Digital Bill of Materials (DBOM). This could provide the necessary transparency for organisations that are involved with CNI, but this could and should be applied more broadly to ensure best practice across the board.
Q: How often should Industrial Control Systems be tested for vulnerabilities?
RS: Continuously, although the ‘how’ is still certainly very debateable. For example, testing systems for vulnerabilities in a responsible way should be something that is not only encouraged but also rewarded, through avenues such as bug bounty programmes. What is perhaps more challenging is the testing for the interconnectivity between production systems, particularly within environments that demand constant uptime.
Q: What kind of systems and controls should companies have in place to mitigate insider threats?
RS: The routine monitoring of anomalies is imperative. Organisations must ask themselves: ‘Are there any behaviours that are outside the normal practice?’ This is critical and needs to also apply to attempts to access assets that the insider is not authorised to access.
Q: Do you believe there are currently suitable controls in place to detect and respond to breaches?
RS: Within Operational Technology (OT) environments, the use of technologies that are unlikely to result in a potential outage are key. Consider looking at data diodes for example; they are critical for maintaining segregation between different network segments. Also technologies that are certified for use by automation vendors, so White Listing technology also.
All of this demands understanding the production environment particularly well, so as to authorise (White List) only known events, therefore governance is critical.
Q: How should the personal data of customers be protected?
RS: With reasonable measures! I realise that this is a legal term, but it is critical. Any organisation has to challenge itself as to whether the measures it has implemented meets this very subjective terminology.