There haven’t been any recent reports of a major cyber attack on the energy sector, but industry sources indicate that attacks are continuing: their frequency has been increasing, the number of threat actors has been growing and their capabilities have been expanding. Indeed, in the United States, energy, as a critical infrastructure with the potential for widespread disruption if not damage, is one of the top three sectors targeted by cyberattacks, and it has been a prime target elsewhere, including in Europe and Australia.
In a recent report, Deloitte points out that internal threats due to human error, disgruntled employees or contractors have typically been among the most common threats. However, nation states and organised crime have become more active and could even be intersecting, with the former contracting with the latter, possibly to ensure deniability. The problem is further compounded as hackers with little institutional or technical knowledge can increasingly access sophisticated tools on the dark web.
ICS and third parties
Another, and arguably the most concerning, trend within the energy sector – which Engerati has previously highlighted and which forms the focus of Deloitte’s report – has been the growing targeting of industrial control systems (ICSs), with access attempted via third-party legacy devices.
One reported example is the Triton malware attack on a Saudi petrochemical plant in December 2017, which, had it not been foiled by a bug in the computer code, could have led to an explosion, injuries and deaths. In that case the malware was found to have been introduced remotely through a brand of controllers commonly used in industrial plants globally.
The situation is being further exacerbated by the convergence of IT and OT, which has broadened the attack surface to encompass the physical world. Further, grid modernisation and digitalisation, with the advance of the smart grid and internet of things, are growing that attack surface as the number of connected devices increases. With this, power companies need to consider the cyber supply chain risk, Deloitte advocates. Power companies purchase information, hardware, software, services and more from third parties across the globe. Threat actors can introduce compromised components into a system or network, unintentionally or by design, at any point in the system’s life cycle. Possibilities include software updates, which are downloaded frequently, or firmware that can be manipulated to include malicious code for exploitation at a later date. The hardware that utilities install in their operating systems could also be compromised.
Reducing cyber risk
The supply chain can be complex and challenging for power companies, and Deloitte advocates that the approach to cybersecurity should cover the “extended enterprise”, i.e. across the enterprise and up the supply chain.
Starting within the enterprise, the first step to consider is to identify and map assets and their connections and to prioritise them by criticality, Deloitte states. The next is to determine if critical assets and networks have well-known and exploitable vulnerabilities. The third step is assessing the maturity of the controls environment for proactively managing threats. The final step would be to build a framework to protect critical assets that uses people, processes and technology to become secure, vigilant and resilient.
Turning to the supply chain, Deloitte suggests that companies consider starting by engaging the supply chain procurement function. Procurement language should be addressed and reliable supplier assessments and cyber risk intelligence obtained, with a focus on the larger vendors first. Risks that can bypass controls, such as supply chain firmware updates, should be understood. Business analyses and planning for resilience in case an attack succeeds should be performed.
When it comes to evaluating potential suppliers, a key goal should be to understand the supplier’s maturity and security processes for connected products and services. Suggested practices include establishing criteria to determine product prioritisation; creating information to be collected in advance of procurement; using procurement and sales to open dialogue with service providers; and ensuring that the right people are engaged and have ownership of the process.
Other actions indicated for the supply chain include engaging with industry peers and government agencies, for example in helping to develop standards and certification programmes and in exchanging threat intelligence; innovating and deploying new technologies to manage cyber risk; and using analytics and visualisation to audit the company’s real-time cyber risk profile.
“The advancement of electrical infrastructure presents an interesting obstacle for cybersecurity as grids become modernised and digitised,” comments Paul Zonneveld, Deloitte Global Energy & Resources Risk Advisory leader. “Technological innovation and analytics should drive every electric power company’s cybersecurity strategy. New tools are increasingly available, and the capability to monitor networks in real time, discover threats and address them is advancing rapidly, providing needed protection for the industry at large.”