Two-thirds of energy sector IT professionals lack visibility into cyber attacks capable of causing physical damage, a study has revealed.
The study was carried out in November 2015. Respondents included more than 150 IT professionals in the energy, utilities, and oil and gas industries.
While 82% of respondents recognised that a cyber attack on the operational technology (OT) in their organisation could cause physical damage, 65% said they were unable to track all threats targeting their OT networks.
More than seven out of 10 respondents (76%) believed their organisations were targets for cyber attacks that could cause physical damage; 78% said their organisations were potential targets for nation-state cyber attacks; and 100% of executive respondents said they believed a kinetic cyber attack on their OT would cause physical damage.
“The incredibly high percentages of these responses underscore the need for these industries to take material steps to improve cyber security,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “These threats are not going away. They are getting worse.”
Attacks on energy sector increase
According to the US Department of Homeland Security, the energy sector faces more cyber attacks than any other industry, and attacks on industrial control system networks are on the rise.
A survey of the oil and gas industry, published by Tripwire in January 2016, revealed that only 31% of those polled felt their organisation was capable of detecting all cyber attacks, while 82% said the number of successful cyber attacks their organisation had experienced in the past year had increased.
More than half of those polled in the oil and gas industry said they believed the rate at which cyber attacks were increasing was 50% to 100% in a month, while 2% believed the figure had more than doubled.
Attacks on power companies in Ukraine on 23 December 2015 are believed to be the first time cyber attacks have caused direct power outages.
Tens of thousands of homes in Ukraine’s Ivano-Frankivsk region were plunged into darkness for several hours.
Analysis by the ICS team revealed that the attackers demonstrated planning, co-ordination and the ability to use malware and possible direct remote access to disrupt the electricity infrastructure.
There is also evidence that the attackers were able to delay the restoration of power services by wiping the computer systems used to gather data and control power distribution.
“We’ve already seen the reality of these responses in the Ukraine mere weeks after this survey was completed. There can be no doubt that there is a physical safety risk from cyber attacks targeting the energy industry today,” said Erlin.
“While the situation may seem dire, in many cases there is well understood best practice that can materially reduce the risk of successful cyber attacks,” he said.
Commenting on the oil and gas survey in a blog post, Erlin said that, because it is unrealistic to believe that 100% of the threats can be eliminated, there is always a need for accurate detection of successful attacks.
This can be challenging in environments that use industrial control systems (ICS). However, Erlin said that an ICS-centric environment is more defensible than corporate IT.
“Oil and gas companies should look at how they can detect anomalous activity or unauthorised changes in their control environments to improve this metric,” he wrote.
Yoni Shohet, co-founder and chief executive of SCADAfence, told Computer Weekly in January 2016 that it is important for industries that use industrial control systems to understand the threats and risks, as well as their vulnerabilities.
“They need to ensure they can contain threats and ensure there are no unauthorised operations inside their IT environment that can introduce threats or manipulate industrial processes,” he said.
Key to addressing all of these challenges, according to Shohet, is increasing visibility of the industrial networks without having any impact on the performance of those networks.
“To improve security, companies need to have complete visibility and a real-time understanding of their IT environments, so that they can monitor all activity and detect any anomalous, unauthorised or malicious activity immediately and contain it before any damage can be done,” he said.