Connected objects are nothing new in the energy sector. While the Internet of Things (IoT) is a new concept for many consumers and companies, enterprises in the oil, gas and utility industries have long relied on connected equipment to support operations in far-flung locations.
More recently, however, this connected equipment has become the source of major cybersecurity concerns.
“A lot of these systems were not designed with cybersecurity in the forefront,” says Jim Guinn, Accenture’s global leader for cybersecurity in energy, mining, chemicals and utilities. “They were designed for uptime between failure. They have a lifespan of 20 to 40 years, and a lot of those older devices are still out in the field.”
If IT managers and other energy company executives needed a wake-up call, they got it during the Stuxnet and Dragonfly attacks. Stuxnet, widely seen as the world’s first digital weapon, underpinned a plan to sabotage Iran’s nuclear program.
Shortly thereafter, a group called Dragonfly targeted energy-sector enterprises in Western countries with malware, using the companies’ industrial control systems (ICSs) as an entry point. The attacks allowed the Dragonfly hackers to spy on the organizations, and could have allowed them to sabotage equipment.
These events brought new awareness to the vulnerabilities of connected equipment. Add in the projected billions of connected consumer devices entering the market in the coming years, and suddenly many energy sector companies must focus on securing IoT and Industrial Internet of Things (IIoT) objects, as they have traditional connected devices such as smartphones, tablets and computers.
Start a Plan
John Ewing, a security solution architect for CDW, outlines multiple scenarios in which a hacker could use vulnerable IoT or IIoT connections to launch an attack.
“If a power plant sends telemetry data about issues on a pipeline somewhere, a hacker could disguise that and pretend like nothing was happening to the system,” he says. “Or a hacker could find a weakness and try to exploit it, either to accelerate the failure or to use the failure to do something else. A hacker can even use the failure as a diversion technique — as a decoy for something else that’s going on.”
In order to secure connections, Ewing says energy companies must ask the right questions. For example: How much information is gathered? Where is that information stored? And who has access to that information?
Cybersecurity experts agree on the importance of setting baselines for the type of data that network administrators should expect to see transmitted by a device or object, and then monitor for any deviations from that baseline.
“It’s about being able to capture what types of transactions are happening on what types of networks, and seeing whether they’re the correct types of transactions,” says Guinn. “From that, you can identify potential intrusions.”
Raj Samani, chief technology officer for Europe, the Middle East and Africa at Intel Security, says some IoT and IIoT objects prove easier to protect than others devices.
“It’s much harder to protect my daughter’s iPad than it is a SCADA [supervisory control and data acquisition] system,” he says. “What I mean by that is, if you consider an ATM or a car or a pump, all of those have pretty specific functions. They shouldn’t be running iTunes on them, hypothetically. Creating a baseline for what should and shouldn’t run on them should be achievable.”
Consumer IoT products come with wildly different security features. Karen Scarfone, principal consultant at Scarfone Cybersecurity, recommends that energy companies conduct their own risk assessments and isolate less secure devices from the rest of the network.
“You don’t want to put your smart coffeemaker on the same network your SCADA network is on,” she says. “You don’t put your user devices on the same network as your servers. I would say the Internet of Things is no different.”
Guinn says the intersection of the IoT and bring-your-own-device programs creates a perfect storm that enterprises must learn to navigate.
“It’s going to be very difficult to see what the next horizon holds,” he says. “But what I do know is you’d better be ready to react to it. You need to have a very solid governance program and policies and procedures for how you’re going to deal with these new smart devices, no matter what they are.”