Raj Samani, Chief Scientist and Fellow at McAfee, shares his wealth of knowledge and best practice advice on how organisations can ensure they are protecting their operations and managing risk in the energy supply chain, and how to best detect and avoid breaches.
Given its major role in the nation’s infrastructure, what unique challenges does the energy sector face?
The energy sector has always faced unique challenges – these range from the continuous demand for resources, to the niche skills needed to apply security to the systems used in the industry. In addition to this, the nature of the systems in place across the industry often requires a set of skills that aren’t always readily available within a traditional cybersecurity skills market.
Are there any real-life examples of what a potential threat looks like in the sector?
Over the past decade, we’ve seen some potentially risky scenarios become reality. Take the Natanz nuclear site in Iran, for example – in 2010, it uncovered a Stuxnet worm infection, which was a significant cybersecurity threat. Another example of threats targeting Operational Technologies (OT) was the 2015 attack against the Ukrainian Power Grid, as the political situation in Ukraine escalated.
More recently, the industry has also experienced ransomware threats towards critical national infrastructure (CNI). A key example is the RagnarLocker attack on the energy sector earlier this year, in which a £11.7 million ransom was demanded in exchange for 10Tb of sensitive information. Even though these attacks target the IT network, we’ve also seen cases of ransomware attacks focusing on production facilities.
During the current COVID-19 crisis, have any of these scenarios changed?
The typically remote nature of cyberattacks means they don’t strictly require physical interaction. There are some instances where cybercriminals will turn to platforms such as a USB entry point vector – but on the whole, the industry remains remote. As a result, the cybercrime industry has continued operating throughout the COVID crisis.
If anything, cybercriminals have instead profited from exploiting the pandemic with their attacks. Our researchers notably detected an average of 375 new threats per minute during COVID lockdowns, with vertical sectors seeing major increases in cloud threats and attack risks. For example, the manufacturing sector alone saw a 679% increase in internal and external threat events in their cloud accounts.
There are, however, certain cases where a physical vector is still used and security teams must remain vigilant on this. For example, the Tesla ransomware attack was uncovered using a USB as an initial vector.
How can security teams manage risks in the energy supply chain?
When looking to manage and mitigate risks in the energy supply chain, teams could turn towards the Digital Bill of Materials (DBOM), which provides full digital associativity across all organisations involved in engineering, supply chain, manufacturing, sales and service. By engaging with the CNI, organisations can ensure that the necessary transparency throughout the supply chain is achieved, as well as optimising the visibility of potential vulnerabilities.
A level of transparency and accountability should also be applied more broadly to ensure best practice across the board – especially as increasing numbers of organisations in the supply chain adopt IoT and cloud-native devices. A shared responsibility model of security is important here. This involves a layered defence where organisations address each part of the ‘stack of responsibility’ individually, yet they all interact together as a complete framework.
Throughout the energy supply chain, from service providers to enterprises and individual users, everyone is accountable for security in some way, and with the shared responsibility model, organisations can ensure that everyone does their part.
Failing to adopt a shared responsibility model will ultimately lead to a higher level of risk and poorer overall security. Without a clear understanding of responsibility and a collaborative approach, IT will not have a comprehensive view of systems required to keep track of all data and potential threats. Limited visibility means limited security.
Should teams be testing Industrial Control Systems regularly for vulnerabilities – and are there any potential challenges when testing?
Definitely. Responsible testing should happen regularly to ensure that teams are on top of any potential threats. Not only should testing happen, but it should also be encouraged and rewarded throughout the sector, such as through bug bounty programmes.
When considering challenges here, testing the interconnectivity between production systems can sometimes be trickier, especially in cases where uptime is continuously required.
Are there any specific processes or tools that organisations should adopt to reduce the risk of insider threats?
Asking routine questions when monitoring operations is crucial, such as ‘does this activity match with usual operations practices?’ As well as questioning outsider behaviours, this should also apply to insider activity. For example, security teams should look into insider attempts to access unauthorised assets. This will help them to identify any unusual activity or anomalies and flag any potential threats.
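The routine check described above, as an added illustration that is not part of the interview: each audit event is asked “does this match usual operations practice?” by comparing it against an assumed role-to-asset authorisation map and an assumed usual operating window per role. The audit lines, roles, asset names and time windows are all constructed for the example.

```python
from datetime import datetime

# Constructed sample audit events (not from the article): timestamp, user, role, asset, action
SAMPLE_EVENTS = [
    "2020-06-01T09:12:00 alice operator hmi-turbine-3 read",
    "2020-06-01T09:40:00 alice operator hmi-turbine-3 write",
    "2020-06-01T23:55:00 alice operator hmi-turbine-3 write",  # outside usual hours
    "2020-06-01T10:05:00 bob engineer plc-config-repo read",
    "2020-06-01T10:20:00 bob engineer hr-payroll-db read",  # asset not authorised for role
    "2020-06-01T11:00:00 carol analyst hr-payroll-db read",
]

# Hypothetical authorisation map: which assets each role may touch in normal operations
AUTHORISED = {
    "operator": {"hmi-turbine-3"},
    "engineer": {"plc-config-repo", "hmi-turbine-3"},
    "analyst": {"hr-payroll-db"},
}

# Hypothetical usual operating window per role, as [start_hour, end_hour)
USUAL_HOURS = {"operator": (6, 22), "engineer": (7, 20), "analyst": (8, 18)}


def parse_event(line):
    """Split one whitespace-separated audit line into a dict with a parsed timestamp."""
    ts, user, role, asset, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "role": role, "asset": asset, "action": action}


def flag_event(ev):
    """Return the reasons this event deviates from usual operations practice (empty if none)."""
    reasons = []
    if ev["asset"] not in AUTHORISED.get(ev["role"], set()):
        reasons.append("unauthorised-asset")
    start, end = USUAL_HOURS.get(ev["role"], (0, 24))
    if not (start <= ev["ts"].hour < end):
        reasons.append("outside-usual-hours")
    return reasons


def review_events(lines):
    """Map each flagged event, keyed by (user, asset, ISO timestamp), to its list of reasons."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        reasons = flag_event(ev)
        if reasons:
            findings[(ev["user"], ev["asset"], ev["ts"].isoformat())] = reasons
    return findings
```

Events that pass both checks produce no finding; the two flagged events are the ones a reviewer would look into, as the passage suggests.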
How can organisations best detect and respond to breaches?
It’s key that teams have a comprehensive understanding of the overall energy sector, as well as the production environment within it, to ensure optimal governance.
In Operational Technology (OT) spaces specifically, it’s essential to use consistently reliable technologies to mitigate the risk of an outage. Data diodes, for example, play a vital role in separating different network segments.
How can organisations ensure that the personal data of customers is protected?
Our recent research showed that 52% of companies using cloud services have had user data stolen in a breach – highlighting that data security is as crucial as ever.
When it comes to customer data, organisations need to have reasonable measures in place. Self-questioning around whether existing measures meet the necessary standards and regulations is vital. Organisations need to challenge themselves and hold themselves accountable for the protection of data.