
Energy industry needs to up cyber defences, warns report 

Cyber threat actors are advanced and persistent, but firms in the energy industry are using outdated systems and technology to save money, putting them at risk of cyber attacks, warns F-Secure report

Energy industry firms are vulnerable to increasing cyber espionage and sabotage attacks because of outdated systems and technology, and poor security posture, prioritisation and awareness, a report warns. Phishing is the most popular method of infiltration.

Attacks by malicious actors on critical national infrastructure (CNI) sites and energy distribution facilities are growing exponentially, interconnected systems in the energy industry increase vulnerabilities, and cyber attacks often go undetected for some time, according to the report by security firm F-Secure.

As energy companies seek to save costs in the face of lower oil prices by consolidating operations, the report said this can weaken business resilience and redundancy levels, meaning that organisations will take longer to recover from any destructive or disruptive attacks.

“This gives rise to new, single critical points of failure, with any disruption across the supply chain potentially having increased consequences,” the report said, noting that cyber attacks using individual vulnerabilities and exploits have always been, and always will be, directed against the vast number of programmable logic controllers (PLCs) in existence.

However, the report highlights that industrial control systems (ICS) are increasingly being connected to the internet and to enterprise business networks, and this, in conjunction with fewer backups and an increased dependency on fewer facilities, is contributing to vulnerabilities in the energy industry.

“Espionage and sabotage attacks against CNI organisations have increased over the years and I don’t think we have seen it all yet,” said Sami Ruohonen, threat researcher at F-Secure.

Increased connectivity is risky, the report said, because a “considerable number” of CNI systems in use today were installed before round-the-clock internet connections were the norm.

As a result, many of these connected operational technology (OT) components that have remote operation capabilities are either partly or entirely lacking in security protocols such as authentication.

In addition, the report said cyber security was not a realistic threat when these systems were manufactured, and legacy protocols and systems never had the built-in security controls that are standard today, opening them up to attacks.

“Critical infrastructure due to its nature is an interesting target for a foreign nation-state, even during peacetime,” said Ruohonen.

Other key findings of the report include that:

  • A variety of different adversaries, each with their own motivations and tradecraft, constantly strive to compromise organisations that operate critical infrastructure.
  • Attackers have more time than their targets and will take months to plan their attack.
  • People are the weakest link in production, with company employees seemingly being criminals’ go-to target.
  • Attackers continue to succeed mainly due to organisations’ lack of mature cyber security practices.
  • Nation-state sponsored advanced persistent threat (APT) groups are relentless, and continue to seek network foothold positions on CNI and espionage opportunities to achieve political leverage.
  • Nine different threats targeting the energy industry stand out, including the Lazarus, BlackEnergy, GreyEnergy, Dragonfly and Triton groups, with spear phishing being the most common initial supply chain attack technique.

While breaches are a certainty, Ruohonen said organisations should review their cyber security posture to implement the latest security technologies such as an endpoint detection and response (EDR) system.

“EDR is a quick way to tremendously increase capabilities to detect and respond to advanced threats and targeted attacks which might bypass traditional endpoint solutions.

“Managed EDR solutions can provide monitoring, alerting, and response to cover the needs 24/7. This means organisations’ IT teams can operate during business hours to review the detections while a specialised cyber security team takes care of the rest,” he said.
