By Jason Atwell and Ryan Love
The energy sector sits in the middle of a perfect storm when it comes to cybersecurity. On one side of the equation is a massive industrial base, replete with advanced, legacy, and custom operational technology (OT), with constant demand for accessibility and availability. On the other are financially motivated cyber adversaries, who are fully aware that the energy sector represents a high-impact, high-payoff target of opportunity. Technology and business processes are not static; innovations and business requirements are always adjusting to their environment. This is true for threat actor campaigns as well. The threat environment is constantly shifting to adapt to defenses and to exploit new vulnerabilities in cloud and physical infrastructure, so navigating the challenges this situation presents has been a constantly shifting and expanding problem set.
Organizations need to realize that business operations and security programs are a continuum that never reaches an end state. Every innovative technology or conceptual advance leads to corresponding needs in security, configuration, and risk management. The waves of new standards, guidance, requirements, and advice can be overwhelming, and they place organizations in an inherently reactive posture, continually chasing a moving finish line. Achieving an appropriate, proactive cybersecurity posture in this climate will require a fundamental shift in thinking and prioritization; otherwise the impact of phenomena such as ransomware will become increasingly dangerous and disruptive.
If simple adherence to the standards and regulations applicable to the energy sector were producing cybersecurity effectiveness and preparedness, incidents like the Colonial Pipeline ransomware attack would be rare. Instead, they are increasingly common, and the lucrative results of these campaigns will likely only attract more malicious actors to the arena. There is a fundamental weakness in achieving security by compliance, and that is that it requires 100% of the involved controls and compensating controls to work 100% of the time. In other words, compliance is the beginning of a cybersecurity and risk management program, not the end. Given the constant evolution of networks and their scope in terms of hardware, software, OT/ICS, and human components, it is highly unlikely that organizations will be at 100% the moment an attacker appears at their door.
In the quest for compliance, the goal of the process often gets lost in the shuffle. All these efforts are ultimately about risk management; that is, which vulnerabilities or threats is the organization prepared to live with in exchange for the flexibility it needs to do business? NIST publications and CISA guidance only tell organizations what to do; how to arrive at the required end state must be tailored to each individual mission and operational need. The standards are not the goal, they are elements that can be used to achieve it. Instead of a prescriptive check-the-box list, organizations should have descriptive documentation of what they are trying to accomplish. The greenest compliance matrix in the world can still be rendered moot by policy exceptions, newly fielded technology, or human error. In this situation, the pursuit of resilience through layered defense in depth, predicated on proactive threat hunting, better visibility, and threat-intelligence-enabled user awareness, will result in a much more survivable network. The statistics around incidents and their impact tell us that although incidents are shorter-lived, detected more quickly, and remediated more thoroughly than before, they continue to occur regularly and sometimes have devastating impacts on operations, privacy, and property.
Achieving cybersecurity maturity in the energy sector will mean leveraging expertise across a range of specialties in the field, not just those directly connected to the technology. Building organizational muscle memory for detecting, investigating, and responding to threats treats people and processes as key components, so that the standards and systems in use enable the organization as it seeks to maintain operability in a crisis. It is particularly important for mature organizations and programs, especially those connected to critical infrastructure such as power grids, pipelines, and generation facilities, to integrate business operations and security into a comprehensive approach to risk management.
We are in an era where executives can be personally liable in the event of a breach if their actions prove to be negligent. Meanwhile, security leaders are under pressure to secure large environments with inconsistent levels of security and technology, while lacking the appropriate tools and defined processes needed to validate the effectiveness of security, quantify risk, and demonstrate operational competency. Recommended actions for organizations include:
- Have executive teams demonstrate their competency in quantifiable terms to the public and shareholders. Answer questions such as: What is the organization doing to protect against evolving threats? How is the organization ensuring the continuity of essential business functions?
- Measure and establish baselines for security controls and configuration. Answer questions such as: Are the controls doing what the organization needs them to do? Are security controls configured correctly and effectively?
- Optimize the performance of the security tools and processes the business has already invested in, and gain visibility into how they are performing.
- Utilize centralized security management that reports compliance status and remediation priorities to security managers and to executive leadership teams.
- Implement a continuous validation framework that includes creative red teaming and penetration testing, identifies weak links in software and hardware supply chains, and verifies that security controls work as intended, coupled with continuity of operations plans that allow for resilience in the face of disruptive attacks.
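The second and last recommendations above, baselining controls and continuously validating them, are the ones that turn a compliance matrix into something an attacker has to actually contend with. The script below is an added illustration written for this article, not code from the authors or from any FireEye/Mandiant product. It compares a declared control baseline against an observed configuration export and a policy-exception register, and reports exactly the three ways a "green" matrix goes stale that were described earlier: controls that have drifted, exceptions that have quietly expired, and newly fielded assets that were never baselined. All control identifiers, settings, dates, and the exception register are constructed sample data, not taken from any real standard or environment.

```python
"""Baseline drift check for security controls (added illustrative example).

Given a baseline of expected settings, an observed configuration export and a
register of documented policy exceptions, report where the compliance picture
no longer matches reality. Control IDs and settings are constructed samples.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Control:
    """One expected setting from the security baseline."""
    control_id: str
    setting: str
    expected: str


@dataclass(frozen=True)
class PolicyException:
    """A documented, time-limited deviation from the baseline."""
    control_id: str
    justification: str
    expires: date


@dataclass(frozen=True)
class Finding:
    control_id: str
    kind: str       # missing | drift | expired_exception | unbaselined
    detail: str


# Constructed sample baseline (hypothetical control IDs, not from any standard).
BASELINE = [
    Control("FW-OT-01", "default_policy", "deny"),   # IT/OT boundary firewall
    Control("JUMP-01", "mfa", "required"),           # OT jump host
    Control("HIST-01", "remote_admin", "disabled"),  # process historian
]

# Constructed observed state, as a configuration scan or CMDB export might give it.
OBSERVED = {
    "FW-OT-01": {"default_policy": "deny"},
    "JUMP-01": {"mfa": "optional"},            # drifted from the baseline
    # HIST-01 is absent: the historian was replaced and never re-enrolled
    "VPN-02": {"split_tunnel": "enabled"},     # newly fielded, never baselined
}

# Constructed exception register: the JUMP-01 MFA waiver lapsed months ago.
EXCEPTIONS = [
    PolicyException("JUMP-01", "vendor remote support during cutover", date(2021, 3, 31)),
]


def check_drift(baseline, observed, exceptions, today):
    """Return findings for every way the observed state departs from the baseline."""
    active = {e.control_id: e for e in exceptions if e.expires >= today}
    expired = {e.control_id: e for e in exceptions if e.expires < today}
    findings = []
    for c in baseline:
        if c.control_id not in observed:
            findings.append(Finding(c.control_id, "missing", f"no observed state for {c.setting}"))
            continue
        actual = observed[c.control_id].get(c.setting)
        if actual == c.expected:
            continue
        detail = f"{c.setting}={actual!r}, expected {c.expected!r}"
        if c.control_id in active:
            continue  # accepted risk: documented and still in date
        if c.control_id in expired:
            lapsed = expired[c.control_id].expires
            findings.append(Finding(c.control_id, "expired_exception", f"{detail}; waiver lapsed {lapsed}"))
        else:
            findings.append(Finding(c.control_id, "drift", detail))
    baselined = {c.control_id for c in baseline}
    for cid in observed:
        if cid not in baselined:
            findings.append(Finding(cid, "unbaselined", "observed asset has no baseline entry"))
    return findings


def effective_coverage(baseline, findings):
    """Fraction of baseline controls with no finding: the 'green' number a
    compliance matrix reports, which the unbaselined assets never enter."""
    flagged = {f.control_id for f in findings if f.kind != "unbaselined"}
    healthy = sum(1 for c in baseline if c.control_id not in flagged)
    return healthy / len(baseline)


if __name__ == "__main__":
    results = check_drift(BASELINE, OBSERVED, EXCEPTIONS, date(2021, 6, 1))
    for f in results:
        print(f"{f.kind:18} {f.control_id:9} {f.detail}")
    print(f"effective coverage: {effective_coverage(BASELINE, results):.0%}")
```

Run against the sample data on 2021-06-01 this reports the historian as missing, the jump host as running on an expired waiver rather than a silent drift, and the new VPN concentrator as outside the baseline entirely; the coverage figure drops from the 100% a matrix of "documented exceptions" would show to one control in three. Feeding a real configuration export and exception register into the same function on a schedule is the minimal form of the continuous validation the recommendation calls for.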
In the run-up to World War II there was a saying, "the bomber will always get through," to express the futility of assuming enemy aircraft could be kept out of friendly airspace. We are now in the era of "the hacker will always get through," and it is imperative that organizations act accordingly. Taking the time to think through the implications of every decision through the lens of "what does this expose the organization to, how does it protect itself to the greatest extent possible, and how does it continue to operate if things go wrong?" will pay dividends in gained efficiencies and better priorities.
About the Authors
Jason Atwell is a Senior Intelligence Advisor for Mandiant. Jason has over 17 years of experience in cyber and risk intelligence across the military, government, and commercial sectors. As a senior intelligence enablement consultant, Jason contributes to the intelligence used by many of the world's top governments and commercial entities to defend against targeted attacks. Jason also serves as an intelligence officer in the U.S. Army Reserve. Prior to FireEye, Jason was a senior advisor to the CIOs of the U.S. House of Representatives, the Department of Health and Human Services, and the National Institutes of Health, helping them navigate the increasingly complex cyber threat environment. During his career Jason has been a key member of military and civilian staffs conducting civil-military operations in Baghdad, solving complex geospatial problems for the DIA, and working to counter foreign intelligence and influence operations at the U.S. Department of State.
Ryan Love is a Strategic Alliance Manager at FireEye.