Executive Insight, Policy & Regulation, Smart Grid

The Energy and Utilities Sector Remains Vulnerable to Hackers

For years, energy and utility organizations have been high-profile targets for hackers, cyberterrorists and foreign governments. Infrastructure organizations are seen as vulnerable targets that can be used to cause mass disruption with a relatively few keystrokes pressed from a home located a few blocks away or from a foreign nation on the other side of the world.

Because attacks on the energy and utility sector are often kept confidential—unlike data breaches suffered by retailers and healthcare organizations that are highly publicized to warn customers and patients whose information has been stolen—the public has little knowledge of infrastructure attacks, and even some cybersecurity professionals are unaware of a breach’s true extent. New information, however, reveals that cyberattacks on utility and energy organizations are a serious and growing threat.

Cyberattacks on Energy and Utilities Increasing

A 2016 survey of 150 IT professionals employed by companies in the natural gas, electricity and oil sectors revealed that cyberattacks are much more common than the public realizes. More than 75 percent of the respondents stated that their companies had suffered at least one attack during the previous year in which intruders breached a minimum of one firewall, antivirus software or other safeguards. Almost 50 percent stated that known cyberattacks in their industry had increased during the previous 12 months, and over 80 percent believed that a major breach damaging critical infrastructure is looming on the horizon.

What Are Hackers After?

When cybercriminals target a retailer, it is easy to determine what they hope to recover—data that they can sell to other criminals. Typically, hackers are looking for credit card numbers and personal data such as cardholders’ addresses and phone numbers. However, the reasons for hackers to attack energy and utility companies are less straightforward.

According to several analysts, cyberattacks on public utilities and energy companies have thus far been focused primarily on reconnaissance rather than data theft. Most believe that the hackers are checking to see what systems they can breach, the type of information they could access, and where the vulnerabilities are; they can then store away the knowledge for an attack at a later date. However, at least one unnamed pipeline company in the United States had proprietary information stolen, and Telvent Canada suffered a malware attack that enabled hackers to steal proprietary information of a product developed by the company to allow new smart grid systems to work with older SCADA control systems.

Furthermore, in December 2015, the first documented cyberattack to disable a power grid occurred in Ukraine. Although there has been widespread speculation that Russia was behind the attack, it may never be possible to prove who the actors were beyond a reasonable doubt. What is known is that the attack had been planned over several months and began with reconnaissance to learn about the networks and steal operator credentials. When the attack came, it was in the form of a synchronized, well-choreographed assault that took down three power distribution systems and almost 60 substations, leaving more than 230,000 people without electricity.

How Secure Are the Power Grids in the United States?

Cybersecurity at energy and utility companies in the United States is a study in contradictions. Utility companies are heavily regulated, requiring them to take various security measures for regulatory compliance. The utility industry is regarded as having a higher level of cybersecurity sophistication than most other industries.

However, a recent study by Cisco revealed some troubling information. Approximately 66 percent of the CISOs and only 46 percent of the SecOps managers stated that their organizations followed a standardized practice for incident response. Roughly the same number stated that they had “good systems” for confirming that incidents actually occurred. When responses from both professions were combined, only 42 percent stated that they employed privacy protection tools and data encryption; in other industries, the total was 55 percent. Furthermore, 46 percent of the utility cybersecurity professionals reported using data loss prevention tools, compared to 56 percent of their colleagues in other industries.

The Cisco study also revealed that successful breaches tend to change attitudes toward cybersecurity. Among organizations that suffered a public security breach, 76 percent reported that they used IPS tools and firewalls, and 64 percent stated that they employed vulnerability scanning tools. The numbers for organizations that had not been publicly breached were 53 percent and 44 percent, respectively.

Evolving Threats for Infrastructure Organizations

Modernization provides significant benefits, but it also has a tendency to increase the threat surface. A highly mobile workforce has led to many utility companies embracing mobile security tools as well as cloud-based incident response plans and cloud-based internet security. However, a study conducted by the Ponemon Institute revealed that 43 percent of the respondents rated malicious or negligent insiders as their biggest security threat. A mere 39 percent reported that they used programs dedicated to the detection of advanced persistent threats.

As the Internet of Things grows and as utility companies expand their use of remote access features and internet-facing control systems, the industry will face new security challenges. Hackers are becoming more proficient, and the growth of government-sponsored hacking will also increase the likelihood of persistent attacks. Although the utility and energy sector has made great strides in cybersecurity, there is still much work left for them to do.

One approach that can help is a comprehensive security operations platform. The benefits to energy and utilities organizations include a single platform to respond with consistency and accuracy to all cyber attacks. This type of solution can help reduce MTTR (Mean Time To Respond) and create consistent documentation of the entire incident management process.

About the author: Rishi Bhargava is Co-founder and VP, Marketing for Demisto, a cyber security startup with the mission to make security operations – “faster, leaner and smarter.” Prior to founding Demisto, he was Vice President and General Manager of the Software Defined Datacenter Group at Intel Security. A visionary and technology enthusiast, he was responsible for delivering Intel integrated Security Solutions for datacenters. Before Intel, he was Vice President of Product Management for Datacenter and Server security products at McAfee, now part of Intel Security.