The energy sector has become a major focus for targeted attacks and is now among the top five most targeted sectors worldwide. Companies in the sector are facing a growing risk of having their services interrupted or losing data, says Tarun Kaura, Director, Technology Sales, India and SAARC, Symantec.
Energy is crucial to our modern lifestyle: we depend on an abundant and uninterrupted supply of it for every basic as well as every highly complex function, and it is a key ingredient in all sectors of modern economies. In effect, energy companies across the globe support every other organisation and individual. In today's interconnected world, where everything is available at the click of a button, life can come to a complete standstill if energy (in its varied forms) is cut off. Disturbingly, but not surprisingly, recent Symantec reports show that cybercriminals have increased their focus on the energy sector, attacking the companies and industries that supply it. Whether the aim is to capture critical information, bring down a nation's infrastructure or make money, attackers see a lot of promise in this space.
Exposed systems: Online and offline
The energy sector has become a major focus for targeted attacks and is now among the top five most targeted sectors worldwide. Companies in the sector face a growing risk of having their services interrupted or losing data. For example, at Symantec we have observed attackers target intellectual property such as photovoltaic research and wind turbine technology, or data on gas field exploration. Information such as this is of high value and can generate large profits for the attackers or their sponsors; the same information can also be misused for sabotage. Many power utility companies fear disruptive attacks the most, whether from internal or external attackers. The energy sector has a high potential for critical disruption through sabotage, and any interruption to the power grid would cause substantial chaos and cascading effects, resulting in financial loss.
In a recently released whitepaper, 'Targeted Attacks Against the Energy Sector', Symantec reported an average of 74 targeted attacks per day globally during the monitoring period from July 2012 to June 2013. Of these, nine attacks per day targeted the energy sector. Accounting for 16.3 per cent of all attacks, the energy sector was the second most targeted vertical in the last six months of 2012, exceeded only by the government and public sector with 25.4 per cent. The high ranking was mainly due to a major attack against a global oil company, which we observed in September 2012. In the first half of 2013 the energy sector continued to attract a high proportion of attacks, ranking fifth with 7.6 per cent of targeted attacks.
Motivation and origin
The threat to energy firms comes from several different sources. In some cases, espionage by competitors is the primary motive, with data on new projects, exploration and finances being targeted. Disruption and destruction are the goals of other attacks. Some instances appear to be state sponsored, such as the disruption of the Iranian nuclear programme by the Stuxnet worm in 2010, one of the attacks that began this trend. Others appear to be the work of hacktivists with political or environmental agendas. Internal attackers, such as disgruntled employees, are also a major source of attacks and often cause service disruption. The majority of the actors behind these attacks have grown more sophisticated in the way they attack.
In the past there have been quite a few attacks that included targets in the energy sector. Some of these were more focused, like Stuxnet, Duqu, Shamoon/Disttrack and Night Dragon. Others saw power companies targeted among many other sectors, such as Hidden Lynx, Nitro, Flamer, Net Traveler and Elderwood to name a few. One of the biggest examples, and a game changer for many organisations, was Stuxnet. This targeted sabotage attack, which is believed to have been aimed against uranium enrichment facilities in Iran, made clear what could be done through cyber-attacks.
The threat to energy firms is only likely to increase in the coming years as new developments, such as further extensions of smart grids and smart metering, expose more infrastructure to the Internet. As with any connected infrastructure, it is important to secure the network and its endpoints on multiple levels. Equipment that is not connected to the Internet or other networks is not immune to threats either: there have already been a number of successful attacks against isolated systems. Operators of critical infrastructure, as well as energy utility companies, need to be aware of these threats and prepare accordingly.
Protection and mitigation
For all regular client computers, the well-established best practice guidelines apply. These computers are often the first to be attacked; once one is compromised, the attacker uses it as a foothold to explore deeper into internal networks. Securing and hardening deployed operating systems, with a working strategy for patch deployment, is therefore important.
Recurring security awareness training can help users identify social engineering attempts and avoid falling victim to them in the first place.
Companies can monitor the Internet for information about attacks in the same vertical and apply lessons learned where possible. In addition, different layers of security products can help achieve better overall protection.
- Security Information and Event Management (SIEM): A SIEM correlates all related alerts in one place. This centralised view can be cross-referenced with threat intelligence data to prioritise alerts and produce an action plan.
- Ingress and egress filtering: Filtering network traffic with firewalls, content filters and IPS allows control of data flows and can prevent attackers from reaching internal systems. It is important to also monitor outbound traffic, since data exfiltration is the end goal of cyberespionage. Note that with the increased use of cloud services and mobile devices, some traffic might never pass through the company's gateways. Where blocking is too disruptive, at least monitoring should be implemented.
- Data loss prevention (DLP): DLP solutions can track the access and flow of critical information and prevent it from leaving the company or encrypt it automatically.
- Endpoint protection: Depending on the usage pattern of the computer, different solutions are available to protect the endpoint. Antivirus solutions with proactive detection methods such as behavioural analysis and reputation scanning can prevent unknown malware from installing itself.
- System protection: For non-standard IT systems, hardening can increase security. On industrial systems that are rarely updated, or that cannot be updated at all, exploitation can be prevented with lockdown solutions such as Symantec Critical System Protection (CSP).
- Email filtering: Proper email filtering can prevent many spear phishing attempts from reaching users. This helps minimise the risk of an untrained user falling for social engineering tricks.
- Authentication: Some ICS contain hard-coded passwords and, wherever possible, these should be changed. ICS frequently use weakly authenticated protocols that allow impersonation attacks. Where possible, those authentication methods should be upgraded, or at least closely monitored. Strong authentication or PKI should be used where applicable.
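The authentication point above deserves a concrete illustration of what "closely monitored" means in practice. The example below is added here and is not code from Symantec or the article; it assumes Modbus/TCP as the weakly authenticated ICS protocol (the page names no specific protocol), a hypothetical allowlist of hosts permitted to write to PLCs, and constructed sample frames rather than a real capture. It decodes the Modbus/TCP MBAP header and function code, and flags any state-changing (write) function code that arrives from a host other than the known HMIs and engineering workstations, since the protocol itself cannot tell an operator from an impersonator.

```python
"""Flag Modbus/TCP write commands issued by hosts not authorised to write.

Modbus/TCP carries no authentication: any host that can reach TCP/502 on a
PLC can write coils and registers. Where the protocol cannot be upgraded, the
next best control is to watch for write function codes and alert when they
come from anywhere other than the expected HMIs / engineering workstations.
Added example; protocol choice, allowlist and traffic are assumptions.
"""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502

# Function codes that change device state; everything else is treated as a read.
WRITE_FUNCTIONS = {
    5: "write single coil",
    6: "write single register",
    15: "write multiple coils",
    16: "write multiple registers",
    23: "read/write multiple registers",
}
READ_FUNCTIONS = {
    1: "read coils",
    2: "read discrete inputs",
    3: "read holding registers",
    4: "read input registers",
}

# Hypothetical allowlist (assumption): the only hosts that may write to PLCs.
WRITE_ALLOWLIST = {"10.10.1.10", "10.10.1.11"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    pdu: bytes  # bytes following the function code


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the MBAP header and function code of one Modbus/TCP request.

    MBAP layout: transaction id (2), protocol id (2, must be 0), length (2),
    unit id (1). The length field counts the unit id plus the PDU.
    Raises ValueError for anything that is not a well-formed Modbus frame.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(payload) - 6} bytes present")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def describe(req: ModbusRequest) -> str:
    """Human-readable summary of what the request would do on the PLC."""
    name = WRITE_FUNCTIONS.get(req.function) or READ_FUNCTIONS.get(req.function) \
        or f"function {req.function}"
    if len(req.pdu) >= 4:
        first, second = struct.unpack(">HH", req.pdu[:4])
        if req.function in (5, 6):  # single writes carry address + value
            return f"{name} addr={first} value=0x{second:04x}"
        if req.function in (15, 16) or req.function in READ_FUNCTIONS:
            return f"{name} addr={first} count={second}"  # address + quantity
    return name


def inspect(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> tuple[str, str]:
    """Classify one request as ('ok' | 'audit' | 'alert', message)."""
    if dst_port != MODBUS_PORT:
        return "ok", "not Modbus/TCP"
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "alert", f"{src_ip}->{dst_ip} malformed Modbus frame: {exc}"
    summary = f"{src_ip}->{dst_ip} unit {req.unit_id}: {describe(req)}"
    if req.function not in WRITE_FUNCTIONS:
        return "ok", summary
    if src_ip in WRITE_ALLOWLIST:
        return "audit", summary  # expected writer; keep for the SIEM audit trail
    return "alert", summary + " from host not authorised to write"


# Constructed sample traffic, not a real capture: (src, dst, dport, payload).
SAMPLE_TRAFFIC = [
    ("10.10.1.10", "10.20.0.5", 502, bytes.fromhex("00010000000601030000000A")),  # HMI reads 10 registers
    ("10.10.1.10", "10.20.0.5", 502, bytes.fromhex("000200000006010600100064")),  # HMI writes register 16
    ("10.10.5.77", "10.20.0.5", 502, bytes.fromhex("00030000000601050001FF00")),  # unknown host sets coil 1
    ("10.10.5.77", "10.20.0.5", 502, bytes.fromhex("00040000000B0110000000020400010002")),  # unknown host writes 2 registers
    ("10.10.5.77", "10.20.0.5", 502, bytes.fromhex("000500010006010300000001")),  # wrong protocol id
    ("10.10.5.77", "10.20.0.5", 80, b"GET / HTTP/1.0\r\n"),  # not Modbus at all
]


def run(traffic=SAMPLE_TRAFFIC):
    """Inspect every flow and return the list of (severity, message) results."""
    return [inspect(*flow) for flow in traffic]


if __name__ == "__main__":
    for severity, message in run():
        print(f"[{severity.upper():5}] {message}")
```

Writes from allowlisted hosts are still recorded at "audit" level so the SIEM keeps a trail of legitimate changes; only writes from unexpected hosts and malformed frames raise an alert. The same structure extends to other unauthenticated protocols by swapping the parser and the set of state-changing function codes.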
Cyberespionage campaigns and sabotage attacks are becoming increasingly common, with countless threat actors attempting to gain a foothold in some of the best protected organisations. The attackers tend to go after valuable information, such as maps of a new gas field, but the sector is also a major target for sabotage attacks, which generate no direct profit for the attacker.
Fortunately, there have not been many successful sabotage attacks against energy companies to date. However, the increasing number of connected systems and the centralised control of ICS mean that the risk of such attacks will rise sharply in the future. Energy and utility companies need to be aware of these risks and plan accordingly to protect their valuable information as well as their ICS and SCADA networks.