Sep 30 2015

Identifying Cyberthreats in the Energy Sector

Cyberattackers are taking aim at oil, gas and utility companies that often fail to fully shore up their IT networks.

Companies in the oil, gas and utilities industries use their IT networks both to house valuable intellectual property and to control large physical systems. That makes the energy sector an especially attractive target for cyberattackers, who can both steal valuable data and damage critical infrastructure by attacking these companies, and it makes the consequences of a breach potentially disastrous. But companies in these industries have generally focused their security efforts on physical assets rather than on their IT systems. In fact, many energy companies lack the sort of robust cybersecurity infrastructure seen in fields such as finance and government.

As a result, one of the sectors most likely to see a high number of intrusion attempts is also one of the least prepared to fend off these attacks.

John Ewing, a security solution architect for CDW, says physical security and ease of use have long been the top priorities for energy companies, with cybersecurity taking a back seat. For example, many utilities use wireless meters, which provide workers with remote access. These meters make it easier for companies to track billing, but may expose network vulnerabilities, he says.

“These things are open, public,” Ewing says. “You can access them with the right password or right code. Once it’s a shared password, it’s pretty easy to find, and you have full control of that network. You can sit in a car down the street and try to connect to that system. It’s becoming an education for operations folks — there’s a risk involved. Making life easier is one thing, but making life easier securely is another. They need to go hand in hand.”

Similarly, Tom Kellermann, chief cybersecurity officer at Trend Micro, says that the energy industry installed wireless systems before companies were equipped to handle cybersecurity issues, in part to prevent events such as the 2003 Northeast blackout. “All of these things are wonderful in the case of a physical attack,” he says. “But they exacerbate cybersecurity issues.”

According to Kellermann, it’s an “understatement” to say that energy companies have traditionally made IT security a low priority — a fact that is beginning to have serious consequences.

“The sector is under siege, and it’s relatively unprepared as a sector, because they’ve spent far too much time focusing on physical security,” Kellermann says. “You’re seeing data being wiped [in cyberattacks]. You’re seeing safety systems being shut down. You’re seeing attempts to shut down grids. You’re seeing oil platforms go offline for hours at a time.”

In a 2015 Trend Micro survey, 47 percent of energy sector respondents in the western hemisphere said they had dealt with attacks intended to delete or destroy information within the past year. That number puts the sector behind only government, and ahead of industries such as finance, communication and manufacturing.

“That is so damning,” Kellermann says of the report. The numbers, he adds, reflect the fact that cyberattackers have apparently begun to take notice of the unique opportunities represented by oil, gas and utility companies.

“As with many industries, the energy industry is often a target for cybercriminals seeking financial gain or intellectual property,” notes Kevin Haley, director of product management for Symantec Security Response. “However, the energy industry has also found itself the target of cyberattackers intent on sabotage and hacktivism. This puts the industry in a fairly unique position of dealing with all four of these types of attacks.”

These attacks can come from insiders who accidentally or intentionally release sensitive data, activists trying to promote an agenda by harming a company, organized crime syndicates that steal information for financial gain or nation-states intent on spying or destroying infrastructure.

Attack Vectors

Trend Micro’s Kellermann says attackers are currently using three primary methods to hack the networks of energy companies:

  1. Spear phishing: Attackers send fraudulent emails purporting to be from a known contact of the victim, with the goal of prompting the recipient to either click on a malicious link or attachment or provide confidential information.

  2. Watering holes: Attackers infect a third-party website visited by energy company stakeholders (for example, the energy section of a popular news site) with malware, ultimately leading to the company’s own network becoming infected as well.

  3. Network-based attacks: Hackers use attack platforms such as the Nuclear exploit kit to launch attacks directly against a company’s infrastructure.

Kellermann says executives at energy companies are beginning to take cybersecurity more seriously, but that they are currently hamstrung by a shortage of cybersecurity professionals with an in-depth understanding of energy companies’ networks. Still, he says, companies in this sector should employ solutions such as breach-detection systems, virtual patching and file integrity monitoring in order to stay on top of potential threats.

CDW’s Ewing says additional regulations could help ensure that energy companies are equipped to fight cyberthreats, but that it isn’t clear when new regulations might come to pass.

“Either it will happen naturally,” he says, “or something major is going to happen, and it’s going to wake everybody up.”