The energy sector has undergone immense digitalisation in recent years as organisations have adopted digital tools to help achieve their transition towards net zero. But this has also introduced new risks and threats which need to be addressed to stay ahead of sophisticated attackers. Phil Tonkin, Senior Director of Strategy at Dragos, talks us through the typical threats facing organisations in this sector and highlights why a proactive approach to defence should be encouraged.
How has the digitalisation of the energy sector impacted cyber-risk?
The energy sector has digitised significantly over the last few years as a fundamental part of the transition towards a net zero energy market. So much inter-connectivity and data is required to facilitate that transition, resulting in a much greater level of exposure for organisations.
The challenge is that every time a new connection is introduced – and considering the speed at which that is done, while also maintaining connectivity at a lower price point – it’s possible to introduce new risks into those spaces.
It’s a rapidly evolving environment which requires a great deal of consideration to balance the needs of moving towards net zero and managing the risks that come from connectivity through cyberthreats.
What are the typical threats facing organisations in the energy sector?
There are traditional threats that come from state adversaries who are looking to disrupt the supply and continuity of energy within other nations but we’re also seeing a real trend towards criminal groups trying to exploit that criticality as well.
We’ve seen groups use sophisticated techniques and targeted activity to try to gain access into environments and hold them to ransom, because these organisations understand that in the energy sector, continued operations are critical. Victims may feel obligated to stop all systems as fast as possible and even pay a ransom.
Ransomware has been intensifying but there are new and additional threat events in an environment that is becoming increasingly digitised. These range from attempts to steal customers data from those organisations, all the way through to adversaries who may try to switch off the power supply.
What are the aims of threat actors targeting organisations in this sector?
The aims of different actors are variable. It is a complex and expensive thing to plan and initiate a targeted attack against an energy organisation. Often the aim is to somehow extort some sort of financial benefit from organisations.
It could be the payment of a ransom, or that they’ve been paid by a different group to gain access into those environments. In a few cases, they’re looking for the kudos of having accessed those spaces. Some may just be trying to cause disruption out of protest. There are other reasons why somebody may want to get into these environments but in the majority of cases, it is criminal groups trying to get access into the environment in order to gain some sort of financial benefit.
What are the bigger implications on the organisation as a result of a successful attack?
The ramifications for energy companies as a result of an attack are far-reaching. The first consideration of most energy companies is providing their commodity to customers. Whether that’s gas and oil or electricity, these commodities are vital to society. The number one concern of most organisations is making sure that that supply of energy reaches the customers that need it because of its importance in civilisation.
Other considerations are around how those businesses operate. Quite often, there are financial considerations, whether it’s an immediate financial impact through the loss of supply, the inability to bill for the energy that is supplied or the impact it makes on the reputation of the company, which has a knock-on to its value. These are very widespread consequences that come from these events and it can often be very difficult for an organisation to measure the impact.
What are the tools and technologies that organisations need to protect against these threats?
For many energy companies, the best form of defence is a secure perimeter – having really good visibility and an understanding of how actors may try to get into their environment. Actors that target energy organisations are persistent and will use multiple techniques and tactics to get through those environments to ultimately achieve their aims, so it’s very important to have visibility of those networks to understand the assets you have, how they’re connected and how they can be exploited.
Once you have visibility of your network, you can then start to understand the vulnerabilities those assets may have and which ones are important to you. You can identify the assets that have the greatest consequence and put in place the right actions to manage risks within those spaces.
One of the increasing capabilities that most organisations need, particularly in the post COVID world, is remote access. It’s almost impossible for any business to operate without some sort of remote access, even for the most critical organisations.
Having secure tooling that ensures only specific people can access certain environments, and the actions that those people take in that space are appropriately actioned and monitored, is very important, along with multi-factor authentication.
Businesses also require an incident response plan should the worst happen. Understanding who makes the decisions within the business and how you choose to react ahead of time can really help during an incident to ensure it is properly managed.
You don’t want to be making decisions during an event – you want to be doing that in advance. Having in place good incident response plans and the right partners to help you is a proactive measure that all organisations should take.
How can organisations take a proactive approach to defence and how does that weigh up against reactive measures?
One of the best things you can do proactively is to build an inventory of your systems, both in terms of what you physically have and need to protect, and how they support the operations of your business. This helps identify the ‘crown jewels’ – of your estate.
You need to know what you can’t afford to lose and once you understand the most important processes and procedures, you can start to look at what technology supports those. From there, how are those things connected to the wider estate and how might a threat manifest within that space? By looking at those things in advance, you can take the most appropriate preventative actions.
It can be tempting to look at the tools you use and try to implement them everywhere but it’s very difficult to manage every single risk down to zero.
By focusing proactively on the most important areas of business and deploying capabilities in those places first, you can have the maximum impact on mitigating the overall risk.
What advice would you offer organisations in this sector looking to take steps to improve their security posture?
The key areas to focus on will very much depend on the environment you have. The first thing for any energy company to do is to get an understanding of the environment in which they operate and layer on top of that the known threats to those environments.
It’s very easy to hypothesise about new emerging threats and new capabilities that actors might have but it’s most realistic to focus on the events that have occurred in the past and the capabilities of the actors that carry out those attacks.
By focusing on these past incidents, you can make sure the majority of threats will be addressed. It’s impossible to have zero risk but a reasonable approach is always to identify the most likely threats that may occur.
I use the analogy of a supermarket – nobody would shop in them if the doors were locked. You have to allow your customers to come and go freely into an environment, but you also have to put in place reasonable controls – you can’t prevent people from stealing, but you can put in place an appropriate level of control and an appropriate balance of risks.
It’s very important that within any organisation, you never leave yourself exposed to an obvious risk. By focusing on those known prevalent threats, which come from good threat intelligence and a good understanding of your own environment, you can put in place the right priority actions.