Energy firms are facing an ever-increasing risk from cyber-attacks. According to global insurer Willis, the future cost of such attacks will reach US$ 1.87 billion by 2018. Robin Somerville, Communications Director for Willis’ Global Energy Practice, believes a major cyber-attack on the energy industry ‘is only a matter of time.’
The stark reality is that many hackers are no longer just individuals stealing passwords, or credit card data, that they can easily monetise; they are now operating as sophisticated cyber criminal organisations. The strength of the global threat was highlighted in the Cisco Annual Security Report 2014, which found every corporate network studied had malicious traffic. Essential services including utilities are now regular targets for an increasing number of cyber attacks.
Earlier this year, UK Business Secretary Vince Cable warned of Britain’s vulnerability to such cyber-attacks. Speaking at the UK’s first cyber security summit, he maintained that more needed to be done to protect the nation’s critical infrastructure from what he described as “a serious and growing threat to British businesses”. Whether motivated by political, commercial, or financial gain, cyber attackers will look to exploit weaknesses in defences, resulting in major disruption to business and industry.
A recent study by Symantec found that that there was an average of 74 targeted attacks per day globally between July 2012 and June 2013, of which nine were targeted at the energy sector. This accounted for 16.3% of attacks, placing the energy sector as the second most targeted in the last six months of 2012. Much of this was due to a major attack on an unnamed oil company in September that year, however the threat was still evident with the sector still ranked high, in fifth place, in the first half of 2013. This threat to energy companies is only set to increase as new developments in smart grids and smart metering expose more of the historically isolated infrastructure directly to the internet.
However, it is not just systems directly connected to the internet that are now the target of cyber attackers. Energy companies increasingly use internally connected Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) to gather, analyse and monitor real-time data, from power output, to pipeline flow and pressure, enabling their equipment and processes to run more safely and efficiently. Any attack on these systems has the potential to impact not only business operations, but also result in financial loss, affect thousands of customers, severely harm the company’s reputation and even put lives at risk. In March, research undertaken by SANS Institute found that the number of suspected SCADA/ICS security breaches had risen from 28% to nearly 40% over the past year.
The reality of this was highlighted in May 2014, when an advanced hacking group attacked an unnamed US public utility and compromised its control network. This was despite a warning by the US Department of Energy (DOE) stating that "actions are required by all organisations, government or commercial, to secure their SCADA networks as part of the effort to adequately protect the nation's critical infrastructure."
Although there was no evidence that operations had been affected, the US Department of Homeland Security confirmed that the company had been ‘brute force’ attacked through an internet portal, whereby hackers digitally forced their way into systems. Such attacks typically use automated programs to enter different passwords, with new combinations of characters, until they are successful.
From Stuxnet Worm to Smart Phones
Cyber-attacks on SCADA systems were considered by many to be a theoretical problem until the discovery of the Stuxnet Worm in July 2010 - widely regarded as the first known threat to specifically target ICS, it brought down almost one-fifth of Iran's nuclear centrifuges. Less than a year later, in February 2011, Night Dragon was discovered - a virus designed to steal information about oil and gas exploration, which was thought to have been active for four years previously. And in August 2012, the Shamoon cyber-attack infected around 30 000 computers at one of the largest oil companies in Saudi Arabia and, shortly after its discovery, a Qatari gas company was also hit in a similar way.
Like any other business, utilities also need to secure their corporate networks; including database servers, finance systems and IT equipment used by employees during the normal course of business, which increasingly means mobile devices, such as tablets and smart phones. These are all subject to the same sophisticated threats and mobile devices are increasingly used as attack vectors for the initial breach, creating an internal beachhead from which to launch the full attack. Today’s hackers are sophisticated, professional and innovative, making their future attack methods harder to predict. They do not discriminate and will use any means at their disposal to exploit gaps in defences to achieve their objective. It is now not a case of if you will be attacked, but when and how often.
Prepare for the worst-case scenario
To protect against the affects of advanced targeted attacks, security methods cannot just focus on detection and prevention, they must also include the ability to mitigate the impact once an attacker gets in. Organisations need to look at their security model holistically and gain continuous protection and visibility of their often complex and dynamic IT environments – from point of entry, through propagation, and post-infection remediation. Companies should prepare for the worst-case scenario, to afford themselves the best possible protection before, during and after an attack. Only by understanding the threats can energy companies put the power back in their own hands, and significantly reduce their chances of being impacted by a successful cyber-attack.
Written by Sean Newman, Security Evangelist for Sourcefire, now part of Cisco. Edited by Callum O'Reilly
Read the article online at: https://www.oilfieldtechnology.com/special-reports/16062014/cyber_security_power_back_in_your_hands_044/