Energy sector lacks visibility of damaging cyber attacks

While 82% of energy sector IT professionals say a cyber attack could cause physical damage, 65% cannot track all threats to their networks

Two-thirds of energy sector IT professionals lack visibility into cyber attacks capable of causing physical damage, a study has revealed.

Only 35% of those polled claimed to be able to track threats targeting their operational technology (OT) systems, according to a survey commissioned by security firm Tripwire.

The study was carried out in November 2015. Respondents included more than 150 IT professionals in the energy, utilities, and oil and gas industries.

While 82% of respondents recognised that a cyber attack on the OT in their organisation could cause physical damage, 65% said they were unable to track all threats targeting their OT networks.

More than seven out of 10 respondents (76%) believed their organisations were targets for cyber attacks that could cause physical damage; 78% said their organisations were potential targets for nation-state cyber attacks; and 100% of executive respondents said they believed a kinetic cyber attack on their OT would cause physical damage.

“The incredibly high percentages of these responses underscore the need for these industries to take material steps to improve cyber security,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “These threats are not going away. They are getting worse.”

Attacks on energy sector increase

According to the US Department of Homeland Security, the energy sector faces more cyber attacks than any other industry, and attacks on industrial control system networks are on the rise.

A survey of the oil and gas industry, published by Tripwire in January 2016, revealed that only 31% of those polled felt their organisation was capable of detecting all cyber attacks, while 82% said the number of successful cyber attacks their organisation had experienced in the past year had increased.

More than half of those polled in the oil and gas industry said they believed the rate at which cyber attacks were increasing was 50% to 100% in a month, while 2% believed the figure had more than doubled.

Attacks on power companies in Ukraine on 23 December 2015 are believed to be the first time cyber attacks have caused direct power outages.

Tens of thousands of homes in Ukraine’s Ivano-Frankivsk region were plunged into darkness for several hours.

According to a report by the industrial control systems (ICS) team of the SANS Institute, the power outage was due to a co-ordinated, intentional attack.

Analysis by the ICS team revealed that the attackers demonstrated planning, co-ordination and the ability to use malware and possible direct remote access to disrupt the electricity infrastructure.

There is also evidence that the attackers were able to delay the restoration of power services by wiping the computer systems used to gather data and control power distribution.

“We’ve already seen the reality of these responses in the Ukraine mere weeks after this survey was completed. There can be no doubt that there is a physical safety risk from cyber attacks targeting the energy industry today,” said Erlin.

Anomaly detection

“While the situation may seem dire, in many cases there is well understood best practice that can materially reduce the risk of successful cyber attacks,” he said.

Commenting on the oil and gas survey in a blog post, Erlin said that, because it is unrealistic to believe that 100% of the threats can be eliminated, there is always a need for accurate detection of successful attacks.

This can be challenging in environments that use industrial control systems (ICS). However, Erlin said that an ICS-centric environment is more defensible than corporate IT.

“Oil and gas companies should look at how they can detect anomalous activity or unauthorised changes in their control environments to improve this metric,” he wrote.

Yoni Shohet, co-founder and chief executive of SCADAfence, told Computer Weekly in January 2016 that it is important that industries using industrial control systems understand the threats and risks, as well as their vulnerabilities.

“They need to ensure they can contain threats and ensure there are no unauthorised operations inside their IT environment that can introduce threats or manipulate industrial processes,” he said.

Key to addressing all of these challenges, according to Shohet, is increasing visibility of the industrial networks without having any impact on the performance of those networks.

“To improve security, companies need to have complete visibility and a real-time understanding of their IT environments, so that they can monitor all activity and detect any anomalous, unauthorised or malicious activity immediately and contain it before any damage can be done,” he said.
