The Energy and Utilities sector needs a cyber security revamp

• 4 years ago (2020-01-02)
• Junior Isles

Cyber security 8

---

By Rich Turner, SVP EMEA at CyberArk

The introduction of IoT sensors, smart meters, and integrated cloud services has shaken up the energy and utilities sector. With numerous notable suppliers going under in the last year, a ‘survival of the fittest’ landscape has emerged. In fact, in the last 4 years alone, 13 suppliers closed their doors , demonstrating the struggles that retail energy suppliers have faced in a competitive market. Many established suppliers are responding by investing in modern, agile operational approaches, and swiftly incorporating digital technologies into power grids and throughout their supply chains.

This requires a proactive and up-to-date mindset when it comes to cyber security. Many cyber criminals are seeking to exploit vulnerabilities in these innovations because the energy and utilities sector forms an integral part of critical national infrastructure, and therefore represents an attractive target. Threats include organised criminal groups seeking financial gain, nation states looking to cause harm or disruption, and even amateur hackers looking to test out their skills, all of whom launch frequent offensives on the sector.

Despite this hostile environment, it is shocking that 45% of organisations within the energy sector believe they cannot prevent attackers from breaking into their internal networks every time they try, according to our recent threat landscape study. Many still rely on outdated and ineffective “air gapping” security techniques to secure their networks. Industrial Control Systems (ICS), for example, are often isolated from power grids and other networks to protect them from cyber-attacks. However research by expert Mordechai Guri , the director of the Cybersecurity Research Center at Israel's Ben Gurion University, proved that these techniques are easily bypassed. It showed that information can be leaked through an air-gap using LEDs, acoustics, and even magnetic waves – leaving no doubt that hacking air-gapped systems is well within the skillset of advanced cyber criminals.

Given the vital importance of power grids and utility infrastructure to a community, it is imperative that operational systems within this sector can withstand a cyber incident whilst maintaining the function of procedures. Real-time operations are critical, and any downtime must be avoided at all costs. Hackers looking to cause large-scale disruption often concentrate their efforts on bringing down the power grid and linked operating systems by interrupting the high reliability and availability of utilities’ infrastructure. This is, in part, facilitated by gaining access to privileged accounts with access to – and control over – sensitive data or critical systems. When used, these accounts permit entry to assets such as operator workstations that run automated processes, maintenance systems, allowing hackers to modify process parameters and archive data, and other important operations.

Irreparable damage is caused when these accounts are used maliciously to gain unauthorised access to IT systems. Just recently, Russian military officials were indicted by the U.S. Department of Justice after an alleged attempt to heist the privileged access credentials of Westinghouse Electric employees involved in nuclear reactor development. If it had been successful, this attack would have had disastrous consequences, including the leaking of sensitive data pertaining to national security to one of the US’s fiercest opponents.

Our research shows that an overwhelming 82% of energy/utilities organisations believe they won’t be fully protected until the privileged accounts that provide a gateway to their control systems are secure. Companies must proactively secure, control, and monitor their usage to minimise the risk of any damage to critical infrastructure.

Energy and utilities organisations seeking to proactively reduce the risk attackers pose to privileged access accounts must first pinpoint the potential vulnerabilities and likely points of attack in their existing approach. That means identifying the information, credentials and secrets that can be located and accessed by their privileged accounts and calculating how they might be exposed. Once this has been done these weaknesses and vulnerabilities can be repaired and maintained, with security and management controls put in place to prevent the escalation and abuse of privilege. This shouldn’t be considered a one-time project however – organisations must continuously reassess and improve their privileged access ‘best practice’ to address the evolving threat landscape.

The energy and utilities sector occupies a unique position within our national infrastructure. The publicly and privately held organisations within the industry therefore face a particularly unique challenge with regards to cybersecurity, as successful attacks have the potential to cause irrevocable damage. Government and private companies sought to overcome this hurdle with an increased security budget, but these funds mean little when security projects continue to miss the mark. In order to realign and reorganise their security policies efficiently, companies involved in the energy sector must make use of privileged access management to secure accounts with access to confidential information. By doing so, the risk of energy networks having to halt operations in the result of an attack will be mitigated and the sector’s anxiety over the threats posed to energy infrastructure will be put at ease.