Nigel Thorpe, Technical Director at SecureAge looks at the increase in cyber-attacks on energy, oil and gas companies and suggests it’s time for a new approach.
The energy and utilities sectors are very much a part of our critical national infrastructure and are vital to national security. While installations are under threat from physical attacks and from natural disasters such as floods and earthquakes, it is the increasing threat of cyber-attacks from criminal and state-sponsored terrorist groups that has hit the recent headlines.
According to international insurer Hiscox, in its 2021 Cyber Readiness Report, the UK energy sector comes top of its Cyber Threat Ranking Table by industry and suffered the highest median losses.
Just how big these losses can be was highlighted on 7 May this year when there was a cyber-attack on Colonial Pipeline, a firm headquartered in Georgia USA that supplies about 45% of the petrol and diesel used on the east coast. The company says that it transports over 100 million gallons of fuel daily across an area spanning Texas to New York. Colonial paid the hackers, who were an affiliate of a Russia-linked cyber-crime group known as DarkSide, a $4.4 million ransom shortly after the hack. The hackers had stolen nearly 100 gigabytes of data and threatened to leak it if the ransom wasn’t paid.
Earlier this year, the US Cybersecurity & Infrastructure Security Agency (CISA) issued reports detailing a history of attacks against pipeline operations. At the same time, President Joe Biden signed an executive order aimed at boosting defences, having warned that attacks on CNI could lead to a ‘real shooting war’.
If you want to grasp the true potential for devastation from a cyber-attack on an energy installation, you have to go back to 2009, when Stuxnet, a highly sophisticated computer worm developed jointly by US and Israeli intelligence, was deployed against the Natanz nuclear facility in Iran. It targeted the centrifuges used to enrich uranium, instructing them to spin out of control and eventually break. Over a few years, about 20% of Iran's centrifuges were destroyed, setting the Iranian nuclear programme back by years.
Closer to home, and to underline that going green does not make you immune from hackers, personal data on all 270,000 customers of Scotland-based renewable energy supplier People's Energy was stolen at the end of 2020. New research published in May 2021 by Veritas Technologies found that more than half of the utility industry's companies suffered a cyber-attack last year. The survey of 75 IT decision-makers also showed that nearly 64% of them suggest their organisation's approach to dealing with cyber-attacks could be improved.
Ransomware attacks seem to be one of the biggest threats that the UK utility sector faces, so it is all about the data. For cyber-criminals, ransomware is a low-risk, high-reward activity with a virtually unlimited supply of potential victims. And the arrival of Ransomware-as-a-Service (RaaS) only serves to lower the barrier to entry and increase the scale and volume of attacks.
Ransomware attacks were also described as the key cyber-threat facing UK businesses and organisations by Lindy Cameron, the head of the National Cyber Security Centre (NCSC), in the recent annual security lecture to the Royal United Services Institute (RUSI) defence and security think tank. In her speech, Lindy Cameron stressed the importance of UK businesses and critical national infrastructure continuing to build their cyber-resilience to stop attacks from reaching their targets.
But here lies the problem. Like most industries, the energy and utilities sectors have traditionally approached cybersecurity by trying to stop the cyber-criminals and hackers getting in. Yet history tells us that it is impossible to stop every cyber-criminal all of the time. The Colonial breach was the result of a single compromised password for a virtual private network account, which allowed employees to remotely access the company's computer networks. So, if we can neither keep the cyber-criminals out nor trust the people around us, we must rethink the traditional 'castle and moat' methods of protection and adopt a data-centric approach, where security is built into the data itself.
Full disk encryption will protect structured and unstructured data when it is at rest on a hard disk or USB stick, which is great if you lose your laptop but is of absolutely no use in protecting data against unauthorised access or theft from a running system, where the volume is already unlocked. Data, therefore, needs to be protected not only at rest, but also in transit and in use, on site or in the cloud.
But this is no easy task. In the 2020 IBM and Ponemon report, 67% of respondents said discovering where sensitive data resides in the organisation is the number one challenge in planning and executing a data encryption strategy. Data classification technology is often used to identify 'important' or 'sensitive' data, but the report found that 31% cited classifying which data to encrypt as difficult. Then there is the question of where to set the 'importance bar'. Even seemingly trivial information can be useful to a cyber-criminal, since they are adept at amalgamating small pieces of data to form a bigger picture, to build a spear-phishing attack for example.
So, why is it that the accepted norm is to encrypt only the 'most important' or 'sensitive' data? The problem is that, traditionally, encryption has been considered complex, costly and detrimental to performance and productivity. But with advances in the technology and fast processing speeds, seamless data encryption can now be used to protect all data, structured and unstructured. This way, classification for data security purposes becomes irrelevant, and stolen information remains protected and useless to cyber-criminals.
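To make concrete the difference between full disk encryption and the data-centric approach described in the two paragraphs above, here is an added example (not code from the article, and not SecureAge's product) that seals each record individually with AES-256-GCM from Go's standard library. The key lives outside the data store, so what sits on disk or in a database column is ciphertext even while the system is running and the volume is mounted; the record, the label and the key are all constructed values for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed example of the kind of customer record a
// legacy utility back-end might hold; it is not data from the article.
const sampleRecord = "customer=1234;name=Jane Doe;meter=E123456;address=1 High St"

// Seal encrypts one record with AES-256-GCM. The output is
// nonce || ciphertext || tag, so each record carries what is needed to
// decrypt it while the key itself stays outside the data store. The label
// (for example a file path or record id) is bound as GCM additional data,
// so a record copied into a different context refuses to open.
func Seal(key []byte, label string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. Any change to the key, the label or a single byte of
// the sealed record makes the authentication tag fail, and an error is
// returned rather than corrupted plaintext.
func Open(key []byte, label string, sealed []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// Exposed reports whether the stored bytes still reveal the plaintext: this
// is what a process or intruder with read access to the running system sees.
// With full disk encryption alone this would be true; per-record sealing
// makes it false.
func Exposed(stored, plaintext []byte) bool {
	return bytes.Contains(stored, plaintext)
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	plain := []byte(sampleRecord)
	sealed, err := Seal(key, "customers/1234", plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored bytes reveal record: %v\n", Exposed(sealed, plain))
	back, err := Open(key, "customers/1234", sealed)
	fmt.Printf("authorised open: %q err=%v\n", back, err)
	_, err = Open(key, "customers/9999", sealed)
	fmt.Printf("open under wrong label: err=%v\n", err)
}
```

Because the protection travels with each record rather than with the disk, the same sealed bytes can be copied through a web application, a backup or a cloud bucket and remain useless without the key; the design question that remains is where that key is held and which processes are authorised to call Open.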
This approach also works with legacy systems, which are outdated but still do an essential job. Legacy systems were not designed to be exposed to public networks, but as staff, customers and suppliers need direct access to business processes, new online services have been built on top of this ageing technology. When connected to the outside world, legacy system data, such as customer details, company operational data and intellectual property, becomes vulnerable as it travels from the silo, through web-based applications, to end users. By protecting the data itself, these risks are mitigated.
Having seen the potential for massive disruption and damage, there is no doubt that the cyber-criminals and state-sponsored terrorist groups have the energy and utilities companies in their crosshairs. So, unless we can take a different approach to cybersecurity and data protection, we can expect more trouble ahead.