It’s difficult to imagine a day in which the products and services we use are not connected back to the energy sector. From how we heat or cool our homes to how we work remotely, nearly everything depends on it. In most industrialized economies, the energy sector is considered the most critical part of society.
From the food and agriculture sector to the financial services sector, the energy sector underpins every other critical infrastructure sector. The US economy cannot function without it. A cyber breach in the energy sector could cause regional power loss, knock out communication networks, and disable emergency services, leaving regions vulnerable and cut off from necessary resources and aid during a crisis.
The energy sector comprises electricity generation, transmission, and distribution, together with the production, refining, and distribution of oil and natural gas. The transportation sector is especially exposed to the energy sector’s lapses in security because it relies heavily on pipelines to move oil and natural gas. Energy providers are prime targets for cyber threats because of the value of what they operate and the cost of every hour of downtime: providers face strong pressure to pay a ransom quickly just to restore operations.
According to Hornetsecurity, energy was the top target for cyberattacks in 2019, accounting for 16% of attacks worldwide. Typical threats in the energy sector include ransomware, data theft, malicious insiders, and billing fraud. The cost of ransomware is illustrated by the May 2019 attack on the City of Baltimore, a municipal victim rather than an energy company: the RobbinHood ransomware variant kept city servers and computers down for weeks. The city refused to pay the roughly 13-bitcoin ransom (about $76,000 at the time) and instead estimated the attack’s total cost at $18.2 million, covering the restoration of its computer systems and lost or deferred revenue.
The energy sector is divided into two parts: the physical infrastructure and the virtual systems. The physical infrastructure includes generators, power plants, transmission lines, substations, and the field and IoT devices that generate, transmit, and distribute power.
Historically, these systems have been plagued with weak physical security and outdated legacy systems that give attackers an easy entry point into the rest of the supply chain. One can imagine the domino effect of compromising a power plant or electricity substation: widespread power loss, impaired water and wastewater systems, and delayed delivery of natural gas or oil.
Earlier this year, a ransomware attack on the corporate IT systems of Colonial Pipeline led the company to halt pipeline operations as a precaution from May 7 to May 12, causing widespread gasoline shortages. It is worth being precise here: the ransomware did not hit the operational technology (OT) that runs the pipeline, but because the company could not be confident of the boundary between its IT and OT networks (or of its ability to bill for product), it shut down the physical system anyway. Affecting most of the Southeast and even parts of New Jersey, airline operators and gas stations were scrambling for fuel while the extortionists demanded, and received, a ransom of roughly 75 bitcoin (about $4.4 million) after encrypting systems and stealing files from the company’s shared internal drive.
From C-suite executives to OT employees and the everyday consumer, an energy cyber attack affects everyone. Thankfully, energy companies and regulatory bodies have realized the value they are entrusted with. Compliance standards like the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, and information-sharing bodies like the Electricity Information Sharing and Analysis Center (E-ISAC), have been transforming the cybersecurity stance of the energy sector as the digital landscape and the threats in it continue to shift. NERC CIP comprises roughly 40 requirements and 100 sub-requirements covering personnel training, incident response and reporting, security management controls, and more.
How Does Energy Fare Abroad?
The UK, Japan, and Australia are among the nations that have suffered large losses due to cyber breaches. Energy is increasingly an international security issue, with political interests behind many of the attacks. One growing threat is the attack on industrial control system (ICS) assets, which has repeatedly been attributed to nation-states or organized crime.
ICS attacks are especially dangerous because they cause both cyber and physical damage. The 2017 Trisis/Triton attack on a Saudi Arabian petrochemical plant targeted the Triconex safety instrumented systems, the last line of defense that shuts a process down before it becomes hazardous. An attacker who can disable that safety layer can let a dangerous condition escalate into physical destruction; in this case a flaw in the attacker’s tooling tripped the controllers into a safe shutdown instead, which is how the intrusion was discovered. Since international energy systems share the same supply chain vulnerabilities and a high number of interdependencies, it is worthwhile to learn from different approaches to preventing such attacks.
Following incidents like Triton, NIST and the National Cybersecurity Center of Excellence (NCCoE) developed NIST SP 1800-23, Energy Sector Asset Management. This special publication describes methods for discovering, inventorying, and continuously monitoring ICS assets so that threats to OT infrastructure can be detected and managed. The underlying point is simple: you cannot protect, patch, or detect attacks against a controller you do not know exists, and passive monitoring of OT network traffic is the usual way to build that inventory without risking fragile legacy devices.
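The following is an added example, not code from NIST SP 1800-23 or from any vendor product, showing the core of a passive OT asset inventory: build an inventory of hosts and the protocols they speak from observed flow records, then compare it against the inventory the asset owner believes to be correct. The flow records and the baseline are constructed for the example; the port-to-protocol map uses the well-known default ports for common ICS protocols. The check flags three things a practitioner cares about: hosts on the OT network that nobody has documented, documented hosts speaking a protocol they should not, and documented hosts that are never seen (either decommissioned or not being monitored at all).

```python
"""Passive ICS asset inventory from flow records (added example).

Input is a list of (src_ip, dst_ip, dst_port) tuples, the kind of record a
SPAN-port collector or NetFlow exporter produces. Nothing is sent to the OT
network; the inventory is derived purely from observed traffic.
"""
from collections import defaultdict

# Assumption: default ports for common ICS/OT protocols (IANA registrations).
ICS_PORTS = {
    102: "S7comm/ISO-TSAP",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Constructed sample flows: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.10.1.10", "10.10.1.20", 502),    # HMI polls PLC-1 over Modbus
    ("10.10.1.10", "10.10.1.21", 502),    # HMI polls PLC-2 over Modbus
    ("10.10.1.10", "10.10.1.30", 4840),   # HMI reads the OPC UA server
    ("10.10.1.99", "10.10.1.20", 502),    # undocumented host polling PLC-1
    ("10.10.1.30", "10.10.1.20", 20000),  # OPC UA server speaking DNP3 to a PLC
    ("10.10.1.20", "10.10.1.10", 22),     # PLC-1 opening SSH to the HMI
]

# Constructed baseline: what the asset owner has documented for each host.
BASELINE = {
    "10.10.1.10": {"role": "HMI", "allowed": {"Modbus/TCP", "OPC UA"}},
    "10.10.1.20": {"role": "PLC-1", "allowed": {"Modbus/TCP"}},
    "10.10.1.21": {"role": "PLC-2", "allowed": {"Modbus/TCP"}},
    "10.10.1.30": {"role": "OPC UA server", "allowed": {"OPC UA"}},
    "10.10.1.40": {"role": "Historian", "allowed": {"OPC UA"}},  # never seen
}


def protocol_name(port):
    """Map a destination port to a protocol label; unknown ports stay tcp/<n>."""
    return ICS_PORTS.get(port, f"tcp/{port}")


def build_inventory(flows):
    """Return {ip: set_of_protocol_labels} for every host seen in the flows.

    Both endpoints of a flow are credited with the protocol, because a host
    that initiates Modbus is as interesting as the one that serves it.
    """
    inventory = defaultdict(set)
    for src, dst, dport in flows:
        label = protocol_name(dport)
        inventory[src].add(label)
        inventory[dst].add(label)
    return dict(inventory)


def audit(inventory, baseline):
    """Compare observed inventory with the documented baseline."""
    unknown = sorted(ip for ip in inventory if ip not in baseline)
    unexpected = {}
    for ip, protocols in inventory.items():
        if ip in baseline:
            extra = protocols - baseline[ip]["allowed"]
            if extra:
                unexpected[ip] = sorted(extra)
    unobserved = sorted(ip for ip in baseline if ip not in inventory)
    return {
        "unknown_assets": unknown,          # on the wire, not in the books
        "unexpected_protocols": unexpected,  # documented host, undocumented behaviour
        "unobserved_assets": unobserved,     # in the books, never on the wire
    }


if __name__ == "__main__":
    report = audit(build_inventory(SAMPLE_FLOWS), BASELINE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed flows, the audit reports 10.10.1.99 as an unknown asset, DNP3 as unexpected on both the OPC UA server and PLC-1, the PLC’s outbound SSH as an unexpected protocol, and the historian as documented but unobserved. In a real deployment the baseline would come from the engineering asset register and the flows from a passive sensor, and each finding would be a ticket for the OT team rather than a printed line.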
There is value in understanding how peers and different governing bodies manage this sector. Energy companies are complex organizations that depend on many equipment manufacturers, sector partners, and third-party virtual systems to function. If companies source equipment from global partners and a weakness is identified in that equipment, cybercriminals can exploit the same gap at every utility that deployed it, on a global scale. Regulatory bodies need to collaborate with each other on manufacturing and security guidelines.
An information-sharing network like the E-ISAC gives vetted energy companies in the US, Canada, and parts of Mexico a channel to exchange emerging threat information, security standards, and best practices, and fosters better communication between businesses and their governments. In the US, entities registered with NERC that are subject to Reliability Standard CIP-008-6 must report Cyber Security Incidents, including attempts to compromise, to the E-ISAC and to CISA. Network members receive physical security and cybersecurity bulletins, timely threat updates, best practices, and situational awareness.
Weak Points in the Sector
The energy sector is neither entirely ahead nor entirely behind in cybersecurity resiliency. It has done better than other sectors in mandating cybersecurity requirements, with NERC CIP enforceable since the 2007-2008 timeframe and National Institute of Standards and Technology (NIST) standards binding on federal networks. CIP standards have continually adjusted to the transforming digital landscape and threat environment, but NERC’s authority reaches only the bulk power system, and NIST’s mandatory standards bind only federal agencies.
That leaves inconsistencies and gaps between NERC CIP and the NIST standards, and a large population of smaller distribution-level entities that fall under neither, so they remain largely unregulated from a cybersecurity standpoint.
The physical infrastructure of the energy sector has been a large vulnerability to contend with, because it is so geographically dispersed. On average, the top 25 US power companies operate 121 plants spread across 94,000 miles, with numerous transmission lines and substations in between. Companies are struggling to find a balance between the visibility needed to monitor the network and communicate across those distances and the confidentiality needed to protect sensitive data and the supply chain.
With weak physical security around OT systems, malicious actors can cause widespread disruption to the supply chain and virtual systems by gaining access to grid control systems or to the outdated legacy systems still in place. Legacy systems are marred with inefficiencies and weaknesses, but OT teams continue to use them. They slow incident containment and recovery because energy companies depend on the legacy vendor for fixes: security gaps get addressed on the vendor’s schedule rather than at the urgency the energy company requires.
Wholesale upgrades of OT systems and physical infrastructure can cost companies over $100 million. For renewable-energy companies, the cost can be too great to bear. Wind farms have expansive physical infrastructure but weak physical security, and with low returns on energy generation, safeguarding measures can look unaffordable even when the long-term benefits justify them.
There is no immediate business advantage to these upgrades, and security leaders struggle to justify them to regulators and shareholders. But for how long will IT and security teams keep managing outdated OT technology, especially when IT teams are already understaffed and under-resourced? Combining legacy systems with poor cyber hygiene in the executive and OT networks produces an overwhelmed workforce that cannot prevent or respond to threats when it needs to.
OT employees and executives continue to operate without risk awareness or training on modern threats. This is why phishing emails remain the top form of attack. In 2017, of the 226 cyber bulletins posted by the E-ISAC, 30% pertained to phishing. Without basic security awareness, employees click on suspicious links, move company data on USB drives, and share credentials and personal information with unauthorized parties.
The energy sector’s vast supply chain continues to be its biggest weakness. With grid modernization and digitalization, the number of access points grows as “smart grids” require more endpoint devices and network paths. Digitalization also requires newer, more complex software and hardware sourced from third-party vendors, which can arrive with intentional or unintentional compromises. As smarter systems rely on more services, vendors, and sectors, the supply chain expands and invites greater risk to the entire system.
Collaboration is Key
Electricity companies and regulating bodies need to step up. The sector’s critical role and global supply chain are too valuable to be riddled with this many security vulnerabilities. Every critical sector will be impacted if the electricity sector is compromised.
The cost of an energy cyber breach is not only financial loss; it also includes reputational damage, loss of customers, and risk to the safety of employees. Considering the long-term benefits, reinvesting in physical security and updating legacy systems are well worth the expense. Cybersecurity is typically thought of as solely an IT issue, and that is a serious oversight. Energy enterprises need to instill risk awareness and protective measures throughout the company, because each access point could be an entryway for a cybercriminal.
Risk management should be a concern for the entire organization. If risk awareness is embedded throughout the company, there is greater overall resiliency against threats and a stronger cyber posture. By implementing an integrated risk management (IRM) program, energy companies can mature their security strategy from end to end of their supply chain and across their IT and OT networks. A risk-first approach streamlines the company’s ability to identify, control, and monitor emerging threats.
Legacy GRC solutions do not give companies a holistic view of the organization’s cyber resilience or real-time insight into it. The siloed GRC approach no longer fits as IT and OT networks converge: when each team works from its own tool, the communication the two sides need is cut off. IT needs visibility into the rest of the company to improve OT asset management practices. IRM platforms can give enterprises the tools to foster a risk-aware environment.
Between state, local, and federal compliance standards, energy companies are under constant pressure to maintain security compliance. By leveraging a third-party tool like CyberStrong, businesses gain the ability to assess their compliance status automatically. As the digital landscape and smart grid continue to evolve, companies need a risk management platform that can manage modern risk profiles instead of playing catch-up with legacy OT and GRC systems.
Beyond individual company efforts, the Department of Energy, as the sector’s risk management agency, is positioned to address the smaller entities that fall outside NERC’s jurisdiction. Regulating bulk power systems is not enough. By introducing security guidelines and standards for the rest of the sector, and coordinating with the state regulators who oversee distribution utilities, the overall stability of the energy sector will improve.
The virtual and physical components of energy systems can be made more cyber resilient, and the investment is worth the cost. Although cyber threats will never be fully eliminated, reinforced prevention, detection, and asset management will ensure a stronger response and recovery for this critical infrastructure sector. Legacy systems and legacy GRC management continue to cost businesses time and money. Considering the energy sector’s pivotal role in other critical sectors and its vulnerable supply chain, energy enterprises have a collective responsibility to strengthen and continually mature their security strategy. A holistic approach, with risk awareness and IT/OT collaboration embedded at every stage, will proactively address security compliance and the physical and network security gaps that arise.