By Jay Mecredy, Courion Corp.
Energy companies are a nearly irresistible target for hackers and data thieves. They have their customers’ financial data and employees’ healthcare information. They perform a vital economic function. They operate large, complex and often computer-controlled machinery. After an era of deregulation, mergers, acquisitions and consolidation, they often have a patchwork of IT systems and security applications with seams and forgotten back doors to be exploited.
So is it surprising that the Department of Homeland Security’s Computer Emergency Readiness Team investigated 79 hacking incidents at energy companies in 2014? Or that hackers broke into 37 percent of energy companies in 2013-14, according to ThreatTrack Security?
It shouldn’t be. What’s more surprising is that it doesn’t happen more often. The energy industry is in the mainstream of U.S. industries that are using outmoded, largely manual methods of protecting their networks. Most energy companies concentrate their security efforts on keeping intruders out of the network while they remain vulnerable to the most devastating and hard-to-detect attack: an internal attack using legitimate user privileges to steal or corrupt data.
Hackers are targeting energy companies with increasingly clever tactics to trick network users into giving up their credentials. With email addresses widely available on the Internet, hackers can contact employees directly under the guise of official business and present seemingly legitimate reasons for replying with user names and passwords; or they can get them to click on a malware attachment disguised to look like a harmless document or image. Sometimes it can be as easy for a hacker as exploiting a security hole in a Web browser while the user is surfing the Web to seize credentials and access privileged services.
Once a hacker is inside a power company network using legitimate credentials, he or she can sign into applications and databases or request access to more resources. In a large organization, IT can’t vet these requests because it doesn’t know who is really behind them. Once the hacker has network access, it’s almost impossible to catch them with the tools available to most IT professionals today.
The primary access protection device at most energy companies is certification processes mandated by federal regulations. IT extracts lists of users from database and application access management systems, cleanses them, and distributes them to business managers for certification, usually as spreadsheets. If an employee has left or has a privilege that isn’t necessary for their job, the manager notifies IT to terminate the privileges.
By then, it’s usually too late. Hackers probe networks and phish for credentials almost every hour of the day, but most organizations only review their access privileges quarterly or, at the most, monthly. Reviews based on manual data extraction and cleansing are too slow and expensive to conduct frequently, so most organizations do enough to satisfy regulatory requirements and little more.
It is this lack of intelligent, automated access management tools in most corporate infrastructures that puts IT at a disadvantage against hackers. With the constant push toward more open networks that encompass customers, vendors and partners, data is ever more exposed. In the energy industry, the growing popularity of wireless meters linked in mesh networks opens another door to the network, as do employees at remote drill sites who send data back over wireless links.
Focusing data security resources on keeping the wrong people out of the networks is playing a losing game in this era of increasing openness. Energy companies need data security systems that help them identify hackers who are using legitimate credentials. Such systems are composed of three essential elements: 1) automated data extraction to eliminate slow, costly manual data extraction; 2) role-based management that prescribes which access privileges employees need to do their jobs and makes identifying suspicious privilege requests easier; and 3) user data analytics for detecting suspicious patterns of use.
Unified in a security framework that encompasses all vital IT resources, these elements enable IT staff to answer questions that identify high-risk individuals and groups, such as:
- Are there domain administrator accounts whose passwords have been changed?
- Which non-sales systems have salespeople accessed?
- Is anyone accessing customer information without a genuine need to know?
- Does this business unit have an abnormal number of accounts with unnecessary entitlements?
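The four questions above are, in practice, queries over an access extract joined to a role baseline. As an added illustration (not Courion’s software and not data from the article), here is how each question can be answered automatically in Python once user, role, entitlement and audit data are extracted into structured form; every name, role, system and record below is constructed for the example.

```python
"""Identity-analytics checks over a constructed access extract.

Added illustration, not Courion's product or any real data set: the
accounts, roles, entitlements and audit records are all made up.
"""
from collections import defaultdict

# Role baseline (constructed): the systems each job role legitimately needs.
ROLE_SYSTEMS = {
    "sales": {"crm", "email"},
    "billing": {"billing_db", "customer_db", "email"},
    "ops": {"scada_hmi", "email"},
    "it_admin": {"ad_domain", "email"},
}

# login -> (business unit, role); constructed sample accounts.
USERS = {
    "alice": ("sales", "sales"),
    "bob": ("sales", "sales"),
    "frank": ("sales", "sales"),
    "carol": ("billing", "billing"),
    "dave": ("ops", "ops"),
    "gina": ("ops", "ops"),
    "erin": ("it", "it_admin"),
}

# Current entitlements per account, as an automated extract would return them.
ENTITLEMENTS = {
    "alice": {"crm", "email", "customer_db"},
    "bob": {"crm", "email"},
    "frank": {"crm", "email", "scada_hmi"},
    "carol": {"billing_db", "customer_db", "email"},
    "dave": {"scada_hmi", "email", "billing_db"},
    "gina": {"scada_hmi", "email"},
    "erin": {"ad_domain", "email"},
}

DOMAIN_ADMINS = {"erin", "svc_backup"}  # constructed privileged accounts

# Constructed audit records: (actor, system accessed) and
# (account whose password changed, who changed it).
ACCESS_LOG = [
    ("alice", "crm"), ("alice", "customer_db"), ("bob", "crm"),
    ("carol", "customer_db"), ("dave", "scada_hmi"), ("frank", "scada_hmi"),
    ("gina", "email"),
]
PASSWORD_CHANGES = [
    ("bob", "bob"), ("svc_backup", "svc_backup"), ("erin", "helpdesk"),
]


def changed_domain_admin_passwords(changes=PASSWORD_CHANGES, admins=DOMAIN_ADMINS):
    """Q1: domain administrator accounts whose passwords changed, and by whom."""
    return sorted((acct, by) for acct, by in changes if acct in admins)


def out_of_role_access(log=ACCESS_LOG, users=USERS, role_systems=ROLE_SYSTEMS, unit=None):
    """Q2: (user, system) pairs where the system lies outside the user's role.

    Pass unit="sales" to ask which non-sales systems salespeople have accessed.
    """
    hits = set()
    for user, system in log:
        user_unit, role = users[user]
        if unit is not None and user_unit != unit:
            continue
        if system not in role_systems[role]:
            hits.add((user, system))
    return sorted(hits)


def need_to_know_violations(log=ACCESS_LOG, users=USERS, role_systems=ROLE_SYSTEMS,
                            sensitive="customer_db"):
    """Q3: users who reached a sensitive store their role gives no need to access."""
    return sorted({u for u, s in log
                   if s == sensitive and sensitive not in role_systems[users[u][1]]})


def unnecessary_entitlements(entitlements=ENTITLEMENTS, users=USERS, role_systems=ROLE_SYSTEMS):
    """Entitlements beyond the role baseline, per account (the certification input)."""
    excess = {}
    for user, held in entitlements.items():
        extra = held - role_systems[users[user][1]]
        if extra:
            excess[user] = extra
    return excess


def unit_entitlement_outliers(entitlements=ENTITLEMENTS, users=USERS,
                              role_systems=ROLE_SYSTEMS, factor=1.5):
    """Q4: business units whose share of over-entitled accounts exceeds the
    company-wide share by `factor`. Returns (flagged units, {unit: (excess, total)})."""
    excess = unnecessary_entitlements(entitlements, users, role_systems)
    per_unit = defaultdict(lambda: [0, 0])
    for user, (unit, _) in users.items():
        per_unit[unit][1] += 1
        if user in excess:
            per_unit[unit][0] += 1
    overall = len(excess) / len(users)
    flagged = sorted(u for u, (bad, total) in per_unit.items()
                     if bad / total > factor * overall)
    return flagged, {u: tuple(c) for u, c in per_unit.items()}


def exercised_excess(log=ACCESS_LOG, entitlements=ENTITLEMENTS, users=USERS,
                     role_systems=ROLE_SYSTEMS):
    """Users who both hold and have used an out-of-role entitlement: review these first."""
    excess = unnecessary_entitlements(entitlements, users, role_systems)
    return sorted({u for u, s in log if s in excess.get(u, set())})


if __name__ == "__main__":
    print(changed_domain_admin_passwords())
    print(out_of_role_access(unit="sales"))
    print(need_to_know_violations())
    print(unit_entitlement_outliers())
    print(exercised_excess())
```

The role baseline is what makes each question cheap to answer: once a role states which systems a job needs, "unnecessary" and "out of role" become set differences rather than judgement calls handed to a manager in a spreadsheet, and the `exercised_excess` check turns the static certification list into a prioritised one by combining it with actual use.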
Hackers and energy companies have one thing in common: they both work constantly. Energy company IT staffs need the tools to identify hackers who have stolen legitimate access credentials to probe networks from the inside. The tools are available now; Amazon.com has been using comparable technology for years to track customer preferences. Energy companies owe it to their own customers (and employees, partners, vendors and others) to adopt it now.
Jay Mecredy is product manager at Courion Corp. Courion is focused on identity and access management solutions.