Energy assets and their operators are common targets of hacking attempts, but the pace of digital transformation across the industry is presenting new cybersecurity challenges.
The ransomware attack on Colonial Pipeline in May thrust the issue of cyber resilience in the energy industry once more into the spotlight. NS Energy speaks to Mike Campfield from US cybersecurity specialist ExtraHop about the current threat landscape, and why network visibility is crucial for responding to evolving risks and the ‘inevitable’ event of a cyber intrusion.
The rise of digital automation across the energy industry has improved the performance of operating assets, streamlined daily processes and reduced physical dangers encountered by workers in the field.
Countless devices, sensors and controls are now scattered across global energy infrastructure, all connected to the internet or an organisation’s private network – and as electrification accelerates throughout the industry, the reliance on these tools will increase further.
But while this technology proliferation brings numerous benefits to businesses, it also poses a growing security risk in a fast-evolving world of cyber threats and digital extortion.
“The attack surface is getting bigger every day across the energy industry,” explains Mike Campfield, vice president of global security programmes at US cybersecurity specialist ExtraHop.
He is referring to the swell of connected instruments that support the fleets of operational technology (OT) keeping energy supplies running, but which also offer cyber criminals new entry routes into private computer systems.
“The more automation you have, the more points of exposure you have to the outside world.”
McKinsey describes how the “unique” infrastructure footprint of energy systems – vast geographic and organisational complexity, increasingly decentralised operations, and high interdependencies between physical OT infrastructure and IT systems – lends itself to being targeted by hacking attempts.
Throw in a ballooning inventory of automation tools and technologies that broaden the digital exposure of these assets, and these characteristics all serve to “heighten the risk and impact of cyber threats against utilities”.
Cybersecurity risks are growing for energy companies
A 2019 survey of the global utilities sector taken by Siemens and the Ponemon Institute found 56% of firms experienced at least one cyber-attack involving a loss of private information or an OT outage over a 12-month period.
The report states: “As utilities transform their operations into digital enterprises, the surface for cyber-attacks [has] expanded and will likely expand further into OT. The resulting risks to an organisation’s physical assets, financial liability, and reputation are high.”
Further research from Siemens, this time focused on the oil and gas sector, found a similar situation.
“As oil and gas operators deploy an increasing number of interconnected digital assets, controls, and networks across wider spans of their plants, they are also effectively expanding their overall cybersecurity risk exposure,” a company whitepaper explains.
“Complicating this further is the need for their third-party OEM partners to have network access to their machinery for remote performance monitoring and diagnostics.”
All of which is to say the threat is out there, becoming more sophisticated, and is being presented with new, interconnected channels through which to access a private computer network.
When asked in a recent interview if she believes hackers have the capability to shut down the American power grid, US energy secretary Jennifer Granholm replied simply, “Yeah, they do.”
“Even as we speak there are thousands of attacks on all aspects of the energy sector, and the private sector generally,” she added. “It’s happening all the time. We’ve all got to up our game with respect to our cyber defences.”
Real-world impact of Colonial Pipeline hack
The consequences of a security breach for a company can be wide-ranging, from a loss of sensitive corporate data to being held to ransom or disruption to business operations – all of which happened to Colonial Pipeline last month when it was targeted with a ransomware attack by a hacking group known as DarkSide.
Reputational damage and regulatory blowback must also be considered if energy companies are deemed to have failed in their responsibility to ensure critical infrastructure is protected by strong cybersecurity measures.
When Colonial took its 5,500-mile pipeline offline after the breach, almost half the entire fuel supply to the US East Coast was disrupted, with the roughly 2.5 billion barrels of petroleum products pumped through the network each day suddenly unavailable to the 50 million customers it serves.
Fuel stations across several states ran dry, prices rose to seven-year highs, and a major federal government response was launched to try to minimise the damage caused by the outage.
But it could have been much worse. The Colonial breach – seemingly enabled by a single compromised password – was limited only to the IT network, meaning hackers did not seize control of the operational side of the business, the pipeline itself.
Even so, the “real-world” impact was such that the company’s CEO Joseph Blount was summoned before Congress to testify about the incident, and publicly answer questions about his company’s preparedness for a cyber-attack and its response to the intrusion.
“The attack forced us to make difficult decisions in real time that no company ever wants to face,” he told the Senate Homeland Security Committee. “We are deeply sorry for the impact that this attack had.
“We had cyber defences in place, but the unfortunate reality is that those defences were compromised.”
Anticipating a cybersecurity breach can save energy firms from lengthy downtime
For ExtraHop’s Campfield, the ubiquity of the cybersecurity threat facing the energy industry is well-known. “It’s inevitable that you’re going to have an issue,” he says.
“So it’s about how quickly you can minimise that issue, and make sure you’re going to recover as quickly as possible so the disruption becomes an inconvenience as opposed to a catastrophe.”
He points to Colonial Pipeline, where despite the swift payment of a $4.4m ransom that allowed the company to start restoring its computer system soon after the attack, it was several uncomfortable days before the IT network was sufficiently restored to allow a full operational restart.
“The story [with Colonial] is that it still took five days to get back online,” he says. “[It shows] even if you’ve done a lot of the things people tell you to do as a best practice, like make back-ups of your data, there still can be a long tail to when you can operate again.
“If you can head off these threats before they corrupt 50% of your IT estate, then your recovery time becomes dramatically lower. The quicker you can find these threats and remediate them, the less amount of time it takes to reinstate things.”
Looking at cyber-attacks as an inevitability to be prepared for, rather than simply a threat to be avoided, requires a “huge shift” in mindset, he explains – from a focus on prevention to one of reaction.
“I think everybody’s now realising that building firewalls isn’t going to keep the threat actors out.”
The importance of network visibility
ExtraHop recently began working with Verbund, Austria’s largest utility, which supplies around 40% of the country’s electricity via hydropower generation, on exactly these types of issues.
Their focus is on network detection and response (NDR) – the capability to monitor how all the connected points of an IT and OT network are interacting with one another in real-time, and assess whether they are speaking to each other in “a normal way or an abnormal way”.
Creating visibility across the entire network is the key here, since although “attackers have become highly adept at evading detection upon entry into a network, they can’t hide from the network”.
According to industrial cybersecurity specialist Dragos, 90% of its customers across key infrastructure sectors – including electric and oil and gas – had “limited to no visibility” of their OT network environments in 2020.
“Many customers only monitored the IT to OT boundary without monitoring activity inside the industrial control system (ICS) network,” the company found. “Network analysts were blind to critical network traffic. Some collected logs, but few utilised centralised logging to correlate various segments with network traffic analysis.”
Taking steps to improve network visibility is “critical for developing a full picture” of threat assessments across industrial operations, and tops Dragos’ list of recommendations to companies seeking to improve their cyber resilience.
“Network detection and response is really important for energy companies and critical national infrastructure,” Campfield says, “because there are a lot of things you can’t get telemetry on.
“You have a lot of services and equipment that aren’t able to be logged [in the OT environment], you can’t put end-point agents on them, and there are more of these IoT devices that you just can’t instrument.”
Verbund – which previously relied on individual business departments to design, implement and manage security within their respective domains – says its experience of using the NDR tools has been “a major advantage” that has already helped it to identify “previously undiscovered anomalies” within its network.
“With the amount of different strains of ransomware and other things that can shut you down, you really do need complete coverage of all your operating estate,” Campfield adds.
“It may seem obvious, but there are a lot of reasons why – whether it’s old technology, and this is resonant in a lot of energy sectors, or it’s items that are very proprietary. You need to make sure that you’re able to have complete visibility across your entire computing estate.”
Ransomware has evolved into ‘multifaceted extortion’
An increasingly common cybersecurity concern facing the energy industry is that of ransomware – finding yourself locked out of your IT network by a hacker who has encrypted your data and demands a payment in return for restoring access.
US cyber consultancy FireEye Mandiant says ransomware accounted for 25% of its incident investigations in 2020, up from 14% in 2019, in its latest threat assessment report.
Not only that, but the threat has evolved since 2019 into what Mandiant describes as “multifaceted extortion” – meaning victims are not only being held to ransom for access to their own computer systems, but sensitive or proprietary data is now also being stolen as a secondary way to exert leverage over victims.
This was the experience of Colonial Pipeline last month – and despite the official position of authorities being to withhold payments to hackers, company executives took the decision many private entities do when hit by ransomware: to pay the bounty and regain control of their computer systems.
“It was the hardest decision I’ve made in my 39 years in the energy industry,” said Blount in his testimony. “I know how critical our pipeline is to the country and I put the interests of the country first.”
Campfield sympathises with the position the CEO found himself in, although admits the issue of ransom payment remains a “thorny discussion”.
“A lot of people, whether in government or the private sector, will say do not pay the ransom, but at the same time the implication of being down – in the case of Colonial – is tremendous,” he says.
Unusually in such circumstances, and a reflection of the severity of the disruption caused to the country, US law enforcement was able to recover just over half the ransom paid by Colonial to the DarkSide hackers, and safely retrieve the data stolen during the breach.
But this won’t be the case in the majority of ransomware extortions, which have become “a multi-billion-dollar industry in 2021,” according to Campfield. “Ransomware has been around for a long time, but the pace of new ransomware that’s coming out is unprecedented.”
While bringing in security tools to better oversee and protect a company’s network is a key step, investing in a workforce capable of understanding, monitoring and responding to modern cyber threats is important too.
“The number one problem in cybersecurity is skilled cybersecurity people – there’s a deficit of almost two million technicians in the space,” he adds. “You can buy technology, but the asymmetrical battle that any company is facing is it can be outnumbered by an adversary. You can’t fight this with just computers.”
Automation and connected devices are just the latest risk factors facing the energy industry in a fast-moving cybersecurity landscape, but, as was the case for Colonial Pipeline, threats can come from more basic sources, like an unsecured password.
But whatever the method of attack, the consequences of a security breach can be significant both to a company and the customers who rely on its services, so keeping defences up to date is crucial. As Campfield explains: “You have to continually evolve, or you’re going to quickly become compromised.”