How can the energy sector bolster its resilience to ransomware attacks?

Since it plays a vital role in every functioning society, the energy sector has always been a prime target for state-backed cybercriminals. The cyber threats targeting this industry have grown significantly in recent years, as geopolitical tensions have fueled an increase in state-sponsored cyber espionage. According to one report on OT/ICS cyber security incidents, the energy sector recorded 39% of all attacks, with nearly 60% of these attacks attributed to state-affiliated groups.

As well as the threat of politically motivated attacks aimed at gaining a strategic advantage, threat actors are also attracted to the potential financial gains from accessing vast stores of sensitive Information. Attackers have also seized the opportunity to cause significant operational disruption as leverage in ransoms. A recent high-profile example is the ransomware attack against Schneider Electric, in which the Cactus ransomware gang claimed to have stolen 1.5 TB of data after breaching their systems.

As cyberattacks and ransomware rates continue to increase, there is a real concern among energy providers about the operational resilience of the industry, especially since the risks are compounded by the growing economic challenges and shifting regulatory demands.

So how can the sector navigate these challenges successfully?

Understanding the risk factors

The energy sector’s risks are partly driven by its reliance on outdated and legacy technologies. Many of the technologies and systems used by the industry have long life ratios, so over time they become more vulnerable and difficult to patch. Moreover, energy providers still rely on ageing OT assets like industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and programmable logic controllers (PLCs).

At the same time, the deployment of Internet of Things (IoT) devices, including smart sensors within energy grids and automated systems in distribution facilities, has introduced an additional layer of complexity to security. These IoT devices are not typically designed to integrate seamlessly with conventional security protocols and often come with insufficient security protections, such as insecure interfaces or weak encryption, making them more susceptible to cyberattacks that can potentially compromise the edge network they connect to.

While pursuing digitalization, organizations have been stacking up modern technologies on top of old systems, extending the attack surface and creating a complex patchwork that is difficult to secure. This leaves critical systems vulnerable, and devices open to exploitation, serving as gateways to larger network infrastructures.

There is also a significant asymmetry between attackers and defenders in this sector that leaves organizations at a disadvantage. Attackers need to find only one vulnerability to exploit, while defenders must secure the entire infrastructure against all threats. Moreover, cybercriminals and state-sponsored actors often have access to sophisticated tools and techniques, along with the patience and resources to conduct long-term, stealthy campaigns to infiltrate and compromise critical systems.

The critical threat of ransomware

In 2023, we saw an increase in ransomware attacks against the energy industry including nuclear, oil, and gas facilities. And although cyberattacks typically don’t directly target the OT environment, most attacks target the IT environment that measures OT operations or billing operations which can indirectly cause severe disruptions and outages.

Most concerningly, attack tactics have been continuously shifting, making it harder for energy companies to implement a standardized security strategy against ransomware. Our recent State of Ransomware report shows that attackers have been moving away from traditional tactics such as phishing campaigns. Instead, they are now favoring more targeted attacks on cloud services and applications such as APIs.

Cyber criminals now employ tactics like ‘living off the land’ (LotL), i.e., using legitimate administrative tools already present in the environment to conduct malicious activities. This makes them even more challenging to detect, further complicating the cybersecurity landscape and demanding a more nuanced response from organizations.

Reducing the risk factors

Nipping vulnerabilities in the bud before they can be exploited is the best way to successfully address these critical risks. For energy companies, this means undertaking systematic vulnerability assessments and penetration testing, with a specific focus on applications that interface between IT and OT systems. It also requires adopting a comprehensive security strategy that includes routine security monitoring, patch management and network segmentation, and implementing rigorous incident reporting and response.

Once the fundamentals are in place, energy providers should explore more advanced technologies and automation opportunities that can help reduce the time between detection and response, such as AI-powered tools that can actively monitor the network in real-time to detect anomalies and predict potential threat patterns. At the same time, organizations must ensure sufficient human supervision over automated and AI-driven systems is in place.

Managing access to both data and infrastructure is another crucial element any organization, not just energy providers, should be looking at to improve their security posture. Whether originating from a nation-state actor, or an opportunistic criminal gang, most attacks will seek to exploit identity processes to access critical systems – our research found that 36% of organizations consider privileged access to be the most vulnerable vector for ransomware attacks.

To mitigate this risk, organization should implement a combination of identity access management (IAM) and privilege access management (PAM) solutions. IAM ensures that only authorized users can access the organization’s resources, while PAM solutions ensures that human or machine identities can only access data and systems required to perform a task and only for the time needed to complete it. With PAM, companies can also add extra layers of security, including multifactor authentication and session monitoring.

In addition to technological defenses, organizations should also focus on the human element as phishing and social engineering attacks keep targeting employees and third-party contractors and continue to be effective methods for initial intrusion. Training programs that enhance employee awareness of these and other tactics are essential, while regularly updated sessions can help staff identify and respond to potential threats thereby reducing the likelihood of a successful attack.

These steps can help providers in the energy sector build a more resilient infrastructure capable of withstanding the evolving threat of sophisticated cyberattacks. They are also key to safeguarding the overall sector integrity, ensuring the continuous delivery of essential services.