In this interview for Help Net Security, Katie Taitler, Senior Cybersecurity Strategist at Axonius, talks about cyber threats in the energy sector and what should be improved to make sure this sector is properly guarded.
We have witnessed numerous cyberattacks on the energy sector in the past few years. What could be the consequences of such attacks?
Attacks on the energy sector are often a show of power meant to cause large-scale disruption. During the Colonial Pipeline attack, gas stations in the south of the US ran short of supply, threatening people’s ability to use their vehicles and causing a strain on the supply chain for other gas-powered utilities. The same goes for oil, gas, renewables, and other sources of energy; our daily lives depend on energy services. Without them, our way of life, along with our wellbeing, is threatened.
What are the reasons the energy sector is so unprepared for these growing cyber threats?
It could be said that the energy sector has more challenges than other sectors. Technology in the sector was not built with digital transformation in mind and as a result, legacy equipment used in power generation and delivery plants often cannot be upgraded or patched. Energy providers must also put availability above other factors such as confidentiality or integrity (of the CIA triad).
Security versus usability/availability is always a balancing act, but in the energy sector, the balance must lean toward serving people and businesses. Human safety is an absolute priority, and systems must be set up in a way which prioritises the safety of critical infrastructure.
What is the role of security teams? What are the changes they have to make to keep up with the evolving threat landscape?
In the case of the energy sector, the security teams must first and foremost align with businesses to understand their priorities. They must then use a consultative approach to explain the risks and costs – not just the monetary costs, but the potential impacts on human lives that could result from a failure to upgrade systems and implement OT-focused security.
Security teams have to start with the fundamentals, but they must do it in a way that conforms to their needs. Commercial off-the-shelf security technology might not work well for these organizations. Experts both internally and from outside partners/vendors can help them to understand the idiosyncrasies of managing OT equipment and the specific types of threats targeting energy organizations.
What are the processes and technologies the energy sector must adopt to tackle growing threats and avoid disruptions?
It always starts with the fundamentals and knowing your baselines: what technology do you have, where is it, what state is it in, how can it be attacked, what vulnerabilities might criminals take advantage of, can they be patched, what are the priorities? It’s also necessary to create a threat model and map out the most likely attack scenarios and consequences.
Whole books are written about threat modelling for the energy sector, so it’s more than can be covered here. Suffice it to say, a one-size-fits-all template approach will not work. Building a threat model correctly will help guide the plan for security processes and procedures. In addition, running tabletop exercises, attack simulations, and continuous monitoring and testing are an absolute must. These action items will help identify system weaknesses and demonstrate where security, IT, operations, and related teams should focus their efforts.
How do you see the energy sector evolving in the future, security wise?
We’re already seeing a greater focus on critical infrastructure security more generally, which is an improvement. Multiple industry organizations are stepping up to provide guidance and support, and the US government, for example, is putting frameworks, recommendations, and regulations in place. Unfortunately, however, government and governance organizations often don’t move at the speeds necessary to keep pace with the threats facing the industry. Energy organizations need to devote time and energy, and collaborate better with the private sector, to seek out research and best practices and to establish improved information sharing among organizations.
When it comes to critical infrastructure, the more threat intelligence and best practices that are shared, the better off everyone will be. Threat actors are most certainly sharing their tactics and techniques, so critical infrastructure organizations must take a page out of their playbooks. It’s about continuous monitoring, measurement, and testing. It’s about understanding baselines and building policies and controls that have a high likelihood of preventing attack and, when attackers are able to defeat defences, having the right processes and tools in place to quickly pinpoint anomalies and events, and then remediate issues before they become a full-scale incident.
The stakes are higher with energy companies, and we’ve seen a greater quantity of cyberattacks on energy infrastructure in the past decade. Energy organizations may not have the same cybersecurity budgets as other industry sectors, but cybersecurity leaders must demonstrate the positive effects of having a hardened cybersecurity plan and program in place. It is through education and awareness that cybersecurity executives at energy sector companies will gain the buy-in and trust they need to implement the right changes to improve their systems and decrease risk.