By Miles Tappin, VP of EMEA at ThreatConnect
The interdependence of critical infrastructure makes the utility sector highly vulnerable to cyber threats. Throughout the years, the industry has been susceptible to state sponsored attacks and cyber criminals taking advantage of vulnerabilities in critical infrastructure for extortion or political reasons. With utilities undergoing innovation and digital transformation, now more than ever, we need to be vigilant. Many cyber criminals are using the rapid pace of technological change to create new attack vectors, posing a significant risk to the overall infrastructure.
In fact, a staggering number of attacks hit the utilities and energy sector during the past year, showing the scale of the exposure. In the United States, a South Carolina water supplier was targeted in an ‘international cyberattack’ that affected online payments for half a million people. The European Network of Transmission System Operators for Electricity (ENTSO-E) was hit by an attack in March, and in November Japan’s nuclear regulator (the Nuclear Regulation Authority) suffered a cyber-attack that took down its website for several hours. Then in December, the United States discovered that malicious actors had infiltrated hundreds of servers across the country.
It is vital that the utilities and energy sector understand how to identify and prioritize the most pressing threats they face and learn how to defend themselves from future attacks, quickly and efficiently. But how can they do this, when the volume of attacks continues to increase and attackers are becoming ever more sophisticated?
To deliver reliable services to society, critical infrastructure providers need to ensure cybersecurity is built into their operating models. But how do companies know where to prioritize their efforts when the number of adversaries is growing and motives are so varied, ranging from financial gain, to geopolitics to sabotage?
There are several stages to tackling this effectively. The first thing organizations must do is quantify risk: how likely an attack is, how prepared current defenses are, and what the potential damage could be in terms of cost, operations, and reputation. Understanding this shows businesses where investment is needed, and what the financial and operational risk of not investing would be.
From there, a key element is gathering intelligence. However, this is not limited to intelligence gathering from within the organization. In the fight against cyber adversaries, collaboration is key. This means combining threat intelligence gathered by internal security teams with insights gathered by other companies in the sector. These insights can also be integrated with information from a number of different locations and industry sources, such as the Electricity Information Sharing and Analysis Center (E-ISAC), Supervisory Control and Data Acquisition (SCADA), Oil & Natural Gas Information Sharing and Analysis Center (ONG-ISAC) and Department of Homeland Security (DHS).
Collaborations like this help organizations paint a clearer picture of the adversaries they face, the methods they use, and the vulnerabilities they target. From there, security teams can better understand how to defend themselves. For example, if intelligence reveals that a criminal group is targeting businesses across the industry with a spear phishing campaign that uses COVID-19 as a lure, steps can be taken and defenses can be put in place before the campaign reaches your own users.
The more you know, the better you’ll be able to respond to a new threat. Basic details, including where the malware comes from, what it does, and how it has been used in past attacks, can form the basis of an intelligence-led defense.
A more effective defense
Having the right intelligence, however, is not enough to ensure that intelligence is turned into action. Integrating internal security tools and technologies, while also connecting to external sources, creates a single source of intelligence that feeds operations and enables organizations to direct action against the threats that matter most.
This approach creates a continuous feedback loop for the people, processes and technologies that make up the security program, improving the effectiveness of the entire security ecosystem over time. It also allows businesses to keep up with threat actors that are constantly adapting their methods to profit at the expense of others — something that will not stop anytime soon.
Intelligence doesn’t exist for its own sake: it exists to inform decisions. There are automated platforms that make it easy to take action on information pulled together in this way, further simplifying the process and allowing staff to send indicators to be blocked or assigned to an analyst for further investigation.
Automation can take much of the load of back-end administration off the shoulders of the analysts, leaving them to apply their expertise to the decision-making process once all relevant information has been combined and parsed. That adds up to a more effective defense and a more economical spread of resources.
The utility sector is constantly being probed and attacked by cybercriminals and state-sponsored hacker groups. The industry needs to make cybersecurity a top priority, with a focus on an intelligence-driven security program that can prioritize threats based on their potential financial and operational impact to a utility’s specific infrastructure.
Cybersecurity professionals in the sector need to quantify their risks, communicate those risks in terms the rest of the business can understand, and then use intelligence to inform and automate defenses. Only then will they be able to safeguard the future of the industry and maintain the reliability of their services.