Energy impacts everyone in the world. Without uninterrupted access to power, today’s economy and society would come to almost a complete halt. Yet, the current energy industry in the United States, by and large, relies on a fragmented network that is still vulnerable to attacks and disruptions, both from nature and by man.
Last year’s Colonial Pipeline cyberattack is a prime example. Russian hackers effectively infiltrated the company’s oil pipeline system through a single compromised password and username found on an unsecured virtual private network (VPN). The company paid the hackers over $4.4 million to restore its system, but not before the attack caused widespread delays across the East Coast. The attack is still the most significant cyberattack impacting the oil industry on U.S. soil.
Another attack like the one on Colonial Pipeline is likely soon, and could be even larger. With this in mind, we’ll explore the current energy cybersecurity landscape and offer recommendations for improvement.
Energy Security Must Focus on Changing Consumers and Technology
For a long time, the energy industry felt that it could respond to a cyberattack effectively and quickly because security personnel were on-site to monitor for, and respond to, an incoming attack. In the past, many of these attacks also typically originated as malware and focused on the top level of a company’s IT system. But as hackers become more sophisticated in their techniques, more attacks now start at the lower levels of a company’s system, pass from network to network, and take months, not days, to slowly infect that system with harmful effects. This means a company may not be aware that an attack is happening until it’s too late. https://www.securitymagazine.com/articles/97984-evolving-cybersecurity-to-protect-todays-energy-network-architecture
Because of rapidly changing technology and consumer demand, the actual transfer of energy from point A to point B is also changing. The old model of huge physical facilities, including refineries and power plants, is shifting to smaller storage areas and decentralized facilities. Consumers also now want to buy, sell, and access energy more and more through technology, including on their mobile phones. Energy companies are spending more and more on technology to reduce costs and emissions. A 2017 report showed that investment in digital software in energy infrastructure increased 20 percent annually over the past four years. But, as the rapid adoption of technology grows, so does the potential threat of a cyberattack.
That growing threat is rapidly approaching. In April 2022, the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and the Department of Energy, issued a joint warning about potential disruptions to the U.S. energy industry from Russian agents and hackers as a result of the Ukraine conflict. While a full-scale attack has not happened yet, many security analysts believe that Russian or other sympathetic agents could be probing now for soft spots and vulnerabilities before making their move for a larger attack later this year.
Better Cyber Security Through Training, Partnership, and Technology
How can the energy industry respond to this impending threat? It will require a three-step approach: better partnership and communication between the private and public sectors; enhanced training of employees, including those not focused on IT; and better use of best-practice security protocols and technology.
1. Cyber Security Training is a Must for All Employees
As a whole, the energy industry still needs to do a better job of training employees to detect and report potential cyberattacks. In a recent survey, less than a third (31%) of energy professionals said they could confidently recognize a potential threat and then take appropriate next steps for mitigation. https://pv-magazine-usa.com/2022/05/19/energy-sector-should-be-better-prepared-for-cyber-attacks-said-dnv/
The reality is that cyber security awareness, preparation, and action can no longer be viewed as just “the IT department’s problem.” This is especially true since so many employees today work remotely and often rely on personal computers and internet networks for their daily work. Being informed and prepared also extends to how employees use their email and even how they surf the internet for information related to the industry.
From 2011 to 2018, Russian agents conducted a multi-stage campaign against U.S. and international energy sector networks that gained access to several companies’ industrial control systems (ICS) and collected enterprise data.
This was done rather easily through:
- Spear phishing emails that claim to be from a trusted sender and convince the user to reveal confidential information.
- Watering hole tactics, where a hacker infects a third-party website focused on news and information that professionals commonly visit, and then lures the visitor to a malicious site to infect the visitor’s computer and gain access to the company’s network.
- Supply chain attacks, where a hacker infiltrates a software vendor’s network and plants malicious code in the software before it is sent to customers. https://www.energyclimatecounsel.com/2022/04/21/cisa-fbi-and-doe-release-joint-cybersecurity-advisory-in-light-of-increased-threats-to-energy-sectors-cybersecurity/
That’s why all employees need to have up-to-date training on how to spot these types of attacks and prevent them from creating a real impact on the company.
2. Improve Private and Public Sector Partnerships
While the majority of energy companies and utilities are privately owned, the reality is both the private and public sectors must find ways to work better together to prevent the next major cyberattack.
“We truly are all in it together. Government can’t do it alone. Industry can’t do it alone,” Jen Easterly, CISA director, said at a recent conference focused on the electricity industry. “So it really has to be this collective cyber defense, all in the foxhole together on the frontlines.” https://dailyenergyinsider.com/infrastructure/35557-utilities-and-public-sector-partner-to-combat-cyber-threats/
One way both groups can work together better is through improved information sharing on potential threats and mitigation techniques. CISA recently announced the creation of the Joint Cyber Defense Collaborative (JCDC). This new initiative allows the federal government and the private sector to better share real-time information through an evolving platform that focuses not only on communication, but also on shifting from reacting to an ongoing threat toward planning for and intercepting attacks before they happen.
As the federal government provides more tools to share information, the energy industry must also shift to not only providing that necessary information, but also doing it more frequently and more quickly. If a company is indeed attacked, there must be no stigma attached to any admission of being compromised, so long as the company alerts everyone promptly so that action can be taken.
Finally, the government must find ways to help streamline industry regulations and frameworks that can foster more open and candid communication between the public and private sectors.
This can include:
- Creating a standard roadmap of cybersecurity best practices that companies of all sizes can apply.
- Allowing select regulatory agency members to “speak off the record” with private companies to get candid information from them on real-time issues, without fear of regulatory retaliation.
- Granting more private companies access to classified government information, as allowable, along with appropriate recently declassified reports on energy industry threats.
3. Make Cyber Security Technology a Priority
As energy companies focus on adding more technology to their systems, spending on and implementing technology specifically focused on cyber security is necessary.
With more employees working from anywhere, robust and secure network architecture should be a priority. Companies should enable a single point of control through approaches such as a secure access service edge (SASE) that can integrate security and networking solutions. These can include options such as firewall-as-a-service and zero trust network access (ZTNA). In addition, cloud delivery offers firms greater flexibility and a better opportunity to apply security protocols and consistent remote policies as needed.
In today’s hybrid and work-from-home environment, it’s not enough to just train employees on how to spot potential threats. Companies must also implement embedded security, including encryption and multi-factor authentication, across all technology, which the IT team can regularly update to add an additional layer of protection.
Finally, energy companies and providers must find ways to increase their budgets to keep up with the latest security technology. Because companies will likely not want to pass such costs on to consumers, creative solutions should be found instead. These could include federal, state, and local agencies offering tax incentives or even grants to facilitate technology improvements, especially for small companies with limited budgets.
As everyone depends on energy, the mantra of “let’s all work together” is key for this industry to prepare for and hopefully prevent the next cyberattack. This goal can be achieved through better partnerships, enhanced training, and enhanced technology.
Does your agency or organization need guidance or additional support for cybersecurity? Reach out to J5 Consulting and connect with our team of IT experts.