Nov 24 2021

Why Ransomware Remains a Persistent Threat to the Energy Sector

While federal agencies have taken notice of recent cyberattacks, critical infrastructure remains susceptible to bad actors.

A full year ago, McKinsey warned about the particular vulnerabilities of the energy sector to cyberattacks, but advised that “a structured approach that applies communication, organizational, and process frameworks can significantly reduce cyber-related risks.”

According to Forbes, ransomware attacks in 2020 were up 150 percent, and ransomware payments were up more than 300 percent. In 2021, the victims of such attacks have included a water treatment facility and a gas pipeline. Attacks on critical infrastructure have become increasingly common and present a potentially catastrophic threat to society, prompting the U.S. Department of Justice to elevate investigations of ransomware attacks to the same level as terrorism.

The White House also has taken note, issuing an executive order in May to improve the nation’s cybersecurity. The President then followed this action with another memorandum in July designed to improve cybersecurity for critical infrastructure control systems.

GAO Says DOE Needs to Provide Cybersecurity Guidance

Despite the attention now being paid to cybersecurity for critical infrastructure, federal regulations outlining cybersecurity measures for utilities still don’t exist. But positive action is being taken. The Department of Energy in March announced funding of up to $70 million to support early-stage research for advancing cybersecurity in energy-efficient manufacturing.

Also, in March, the U.S. Government Accountability Office issued a report to Congress recommending action by DOE to fully address risks to electrical distribution systems.

In its report, the GAO stated, “The U.S. grid’s distribution systems — which carry electricity from transmission systems to consumers and are regulated primarily by states — are increasingly at risk from cyberattacks. Distribution systems are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks. As a result, threat actors can use multiple techniques to access those systems and potentially disrupt operations.”

Federal Agencies Take Steps to Improve Security for Utilities

According to GAO, the distribution utilities included in its review generally are not subject to mandatory federal cybersecurity standards, but they had taken actions intended to improve the cybersecurity of their systems. “These actions included incorporating cybersecurity into routine oversight processes and hiring dedicated cybersecurity personnel. Federal agencies have supported these actions by, for example, providing cybersecurity training and guidance,” such as the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Workforce Training Guide, which was released in August.  

As the lead federal agency for the energy sector, GAO said, “DOE has developed plans to implement the national cybersecurity strategy for the grid, but these plans do not fully address risks to the grid’s distribution systems. For example, DOE’s plans do not address distribution systems’ vulnerabilities related to supply chains.”

According to officials, DOE has not fully addressed such risks in its plans because it has prioritized risks to the grid’s generation and transmission systems. Unless the agency does so, however, its plans will likely be of limited use in prioritizing federal support to states and industry to improve grid distribution systems’ cybersecurity, leaving energy providers vulnerable to cyberattack.

Federal Agencies and Third-Party Providers Offer Assessments and Training 

In July, DOE announced an updated version of its Cybersecurity Capability Maturity Model (C2M2), “a tool designed to help companies of all types and sizes evaluate and improve their cybersecurity capabilities. The C2M2 updates address the evolving cyber threat and technology landscape. Today’s release of C2M2 V2.0 advances the Administration’s 100-day plan to confront cyber threats from adversaries who seek to compromise critical systems that are essential to U.S. national and economic security.”

In addition to the updated assessment tool, DOE announced it is building security by design into all research and development from its national labs and across the department. “Finally, it’s critical that we empower today’s energy workforce with the skills they need to defend and protect the security of our energy systems. Through initiatives like DOE’s recently expanded cybersecurity workforce development program, CyberForce, we’re doing just that.”

Third-party service providers such as CDW can help with security assessments. The Cybersecurity and Infrastructure Security Agency (CISA) also conducts specialized security and resilience assessments. According to the agency, “these voluntary assessments assist CISA and its partners — federal, state, tribal, territorial governments and private industry — in better understanding and managing risk to critical infrastructure. The assessments examine infrastructure vulnerabilities, interdependencies, capability gaps, and the consequences of their disruption.”
