The energy and utilities sector is one of the vital infrastructure sectors where a shutdown would have adverse effects on national security, public health and safety. For that reason, Industrial Control Systems (ICS) and other critical energy production operations must be protected from cyberattacks.
The US energy sector is among the three industries most susceptible to cyberattacks by cybercriminals and nation-state actors, with the sector accounting for 20% of annual cyber breach incidents in a recent study.
Energy Sector Vulnerabilities Explained
Systems Modernization: Energy infrastructure such as extraction and refining facilities, pipelines, power plants, and electrical grids is becoming smarter through increasing use of information, communication and automation technologies. As a result, these systems are becoming more complex while the number of access points rapidly increases. A recent Department of Energy (DOE) report noted that ICS-related smart equipment creates a threat to utility systems. For example, devices that operate or communicate with utility control systems pose threats to the entire electric grid. Microprocessor-based automation components such as programmable logic controllers manage network paths, and because these devices provide access to control systems, they continue to be a target of cyberattacks. Public tools such as Shodan, a search engine that indexes internet-connected devices, make these devices discoverable, allowing hackers to remotely probe a utility’s supervisory control and data acquisition (SCADA) system for weaknesses to exploit.
Supply Chains and Third Parties: The long and complex supply chains in the energy market create opportunities for compromised components to enter the network. For instance, “backdoors” that provide access to devices or software could be created either intentionally by a nation-state actor or unintentionally through an OEM error. Vulnerabilities can also be introduced through software or firmware updates that have been tampered with to include malicious code, and adversaries can likewise install compromised hardware in operating systems. According to the Department of Energy (DOE), several prominent vendors fail to acknowledge and address the vulnerabilities in their software. Furthermore, a large remote workforce and decentralized facilities give cybercriminals numerous avenues to gain access to sensitive data.
Critical Data the Energy Sector is Obligated to Protect
The following are the kinds of critical data that cybercriminals attempt to acquire when they conduct cyberattacks against energy companies:
Data Related to Cyber-Physical Systems
According to a report published by the National Science Foundation (NSF), the U.S. energy sector cyber-physical systems are "engineered systems that are built from, and depend upon, the seamless integration of computational algorithms and physical components to generate, move, and distribute electricity efficiently." An industrial control system (ICS) is one example of a cyber-physical system that the U.S. energy industry depends on. ICSs allow equipment to be physically operated with digital controls.
Cyber-physical systems replace systems that were once operated manually, which has made them increasingly important as well as vulnerable to cyberattacks. Additionally, because of the way industrial control systems integrate with information and operational technologies, these networks "can become less secure over time," the report states. Protecting such systems requires updating security posture regularly, as attacks are constantly growing in sophistication.
When hackers infiltrate cyber-physical systems, they can plant viruses and other malware that disrupt the operation of these highly critical systems, leading to substantial consequences.
Data That May Help Facilitate Future Attacks
Unlike hackers who target other industries, whose primary purpose is data theft and short-term monetization, attackers who target energy companies are primarily focused on reconnaissance for future operations. In this case the attackers are checking which systems they can breach, what type of information they could access, and where the vulnerabilities are located. They can then store that knowledge away for an attack at a later date.
According to the consulting firm Ankura, during the reconnaissance stage attackers aim to compile as much information as they can about their target. This includes personnel lists, information about the network structure, and system vulnerabilities that can potentially be exploited.
Ankura notes that attackers use this information to decide on the best method of compromising their target. It is therefore reasonable to conclude that protecting this type of data is important for warding off and defending against future attacks by state actors or ideological groups.
Consumer Payment Information
Retail energy companies hold a significant amount of personal customer data including payment information. This type of data is often stored in multiple locations such as CRM systems, operational systems, and big data environments.
A breach of customer payment information can potentially enable cybercriminals to gain access to a customer's bank account or other personal accounts. Such a breach can be very costly for a company to rectify as well as damaging to its reputation. For example, in 2013 Central Hudson Gas & Electric experienced a data breach that may have allowed attackers to access customers' auto-pay bank account data. The breach affected about 110,000 customers and subsequently required the company to provide each of them a "full year of complimentary credit monitoring."
Data Breach: Duke Energy Corporation
In March 2018, a cyberattack against Duke Energy Corp affected the operations of at least four natural gas pipeline companies with digital connections to Energy Services Group (ESG).
The cyberattack forced the companies to cut off digital connections to ESG, which disrupted billing, scheduling, and document sharing for oil companies, electric utilities and gas pipeline operators. Duke Energy is reported to have agreed to pay $10 million in fines for lapses in, and outright violations of, security standards dating back to 2015.
Regulating the Energy Sector and Maintaining Compliance
To ensure companies in the energy sector are maintaining best practices regarding cybersecurity, several standards and regulations have been developed:
Despite the threat of enforcement for violating these cybersecurity standards, some of the largest companies in the U.S. energy and utility sector, including Duke Energy, PG&E, and DTE Energy, have repeatedly violated them. These companies have recently been sanctioned by the North American Electric Reliability Corporation (NERC) for non-compliance with its Critical Infrastructure Protection (CIP) standards.
Protecting A Critical Part of the Modern Economy
Providing energy to the nation’s homes, businesses and infrastructure is crucial to maintain economic stability and growth. As energy systems are increasingly interconnected and complex, proper cybersecurity practices are becoming progressively more important.
Not only do those managing systems in the energy sector need to be aware of the changing threat environment, they also need to ensure their internal operations are ready to respond in the face of a cyberattack. As we have seen, the sector is a constant target; it is important to be prepared and able to handle attacks on critical systems without disruption in service. That is the purpose behind the development of CyLogic’s flagship offering: CyCloud - The Secure Enterprise Cloud. We deliver a higher level of security than any public cloud provider. Our team would be happy to discuss how to mitigate the complex challenges the energy sector faces.