The Importance of Cyber Security in the Energy Industry


Cyber Security in the Utilities Industry

The energy industry includes companies that produce fuels and power from sources such as coal, oil, natural gas, nuclear, geothermal, hydro, solar and wind. The sector is responsible for generating, storing, transporting and distributing energy through a complex network of dams, reservoirs, pipelines and grids.

All aspects of the U.S. economy depend on energy, and this reliance on uninterrupted power and fuel makes the industry vulnerable to kinetic and cyber threats. Presidential Policy Directive 21 identifies the energy sector as uniquely critical because it provides an “enablement function” for all critical infrastructure sectors.

Almost everything we do and every decision we make depends on the availability and price of energy: how we travel, what we eat, the temperature in our homes, and where and how we work. Affordable energy makes our lives better.

In the United States, energy accounts for about 9 percent of gross domestic product (GDP). That means the energy industry contributes about $1 trillion to our economy every year. As a financial sector—the aggregate of all energy-related industries—energy ranks fourth in the U.S. economy after communications services, consumer staples, and consumer staples.

The energy industry employs approximately 6.8 million people. That means 4.6% of the U.S. workforce is in jobs related to energy production or delivery to the country. This guide provides insight into the role of cyber security in the energy industry, the challenges security professionals face in securing critical infrastructure, and some solutions and strategies for mitigating cyber threats in the industry.

Cyber security in the Energy Industry

In 2018, the U.S. Department of Energy (DOE) created the Office of Cybersecurity, Energy Security, and Emergency Response (CESER). The CESER blueprint states that the agency’s purpose is to fulfill the Department of Energy’s responsibility for energy security and to protect critical energy infrastructure from growing and evolving cyber and physical threats.

DOE recognizes that it cannot assume this responsibility alone. Its mission is to build partnerships among a wide range of stakeholders, including all levels of government, the private sector and academia.

The mission of the Cybersecurity and Infrastructure Security Agency (CISA) is to strengthen the security of the cyber ecosystem to protect critical services and the way Americans live. The agency’s National Risk Management Center (NRMC) works closely with the critical infrastructure community to identify and analyze the risks facing our nation and to strategically guide security efforts.

Energy industry companies face cyber risks from vulnerabilities related to their IT systems, OT infrastructure and supply chain partners. IT systems include the software, hardware, and technology used to collect and process data necessary for a company’s business operations. OT infrastructure includes the software, hardware, and technology needed to control physical devices such as pumps, motors, valves, and switches.

Examining attacks and breaches occurring in the energy industry highlights the importance of protecting the vast ecosystem of energy industry supply chains. Energy companies obtain information, hardware, software and various services from third parties around the world. Threat actors can introduce compromised components into a system or network at any point in the system’s lifecycle.

Supply chain compromises are sometimes introduced inadvertently, in the form of components that do not meet current security standards, or intentionally, as part of a covert effort to facilitate future attacks. Attacks can be carried out through software updates or “patches” downloaded by energy companies, or through firmware that attackers manipulate to inject malicious code for later exploitation. Attackers can also compromise hardware that energy companies have installed in their facilities.

Dragonfly ICS Cyber Attacks – As part of an expanded campaign in 2016 and 2017, an advanced persistent threat group called Dragonfly targeted government agencies as well as the energy, water, aviation, nuclear, and critical manufacturing sectors. Dragonfly penetrated trusted third-party organizations with low cyber security levels. The group used these suppliers as a staging platform to reach its intended energy company targets.

Ransomware attacks against gas, oil and power companies – In April 2018, an unknown actor launched a ransomware attack against multiple natural gas pipeline companies. Five of these companies had to close or downsize their operations. It is unknown if the ransom was paid.

NotPetya – In 2017, an alleged state-sponsored malicious group hacked into the servers of a Ukrainian accounting software provider and sent corrupted software updates to its customers. A ransomware-like virus called NotPetya spread across the globe, crippling multiple industries, including energy, and causing over $10 billion in damage. This attack shows how supply chain vulnerabilities affect entire industries around the world.

An energy company needs not only to secure its IT network and its OT infrastructure, but also to understand the cyber maturity and security processes of its supply chain. Energy companies should conduct vendor risk assessments and gather information on an ongoing basis, either in-house or through specialized cyber security firms and consultants.

Case Study:

Colonial Pipeline ransomware attack

On May 7, 2021, hackers accessed and locked an estimated 100 gigabytes of data from the Colonial Pipeline IT network, rendering the company incapable of operating critical systems needed to transport fuel. The Colonial Pipeline is the largest refined petroleum products pipeline system in the United States. Its two lines consist of 5,500 miles of pipe that can transport 3 million barrels (about 100 million gallons) of fuel per day to 260 delivery points in 13 states between Texas and New York. This ransomware attack, attributed by the FBI to an Eastern European hacker group called Darkside, shut off 45% of the East Coast’s fuel for six days. The resulting panic buying and market reaction pushed gas prices to their highest levels in more than six years, lengthening gas lines and leaving thousands of gas stations and consumers without fuel.

In a highly controversial decision, Colonial Pipeline CEO Joseph Blount approved a $4.4 million ransom payment. It is widely believed that paying the ransom will only increase the threat of ransomware to everyone, with other hacking groups following suit. Cybercriminals often do not release encrypted data even after the ransom is paid. In this case, Darkside appears to have provided a means of decrypting the data, but the results were only marginally helpful.

In a memo that could be interpreted as post-attack reflection, Darkside admitted that it never thought the outcome of the attack would matter as much as it did. The group said it exercised a lot of discretion.

It is not yet known how the attack was carried out. Colonial hired a cyber security consultancy to investigate how Darkside was able to access its systems.

What are the cyber security challenges in the energy industry?

Three key characteristics make the energy sector particularly vulnerable to cyber threats. First, energy companies are easy targets for both state adversaries and commercial cybercriminals. Second, utilities operate from difficult-to-protect, geographically dispersed locations (hydroelectric and coal-fired power plants are two good examples) and depend on complex supply chain relationships with third parties and suppliers, so the attack surface continues to expand. Finally, electric and gas companies have unique dependencies between their physical and cyber infrastructure, making their OT infrastructure and IT networks highly vulnerable to attacks.

As our energy infrastructure is a key national target, the United States is seeing an increase in the frequency and sophistication of cyber threats deployed against this sector. Unlike kinetic warfare, in which an attack by an enemy against U.S. interests ensures swift and decisive retaliation, today’s nation-state adversaries hide behind the near impossibility of 100% accurate attribution. They know the United States is unlikely to retaliate in any meaningful way without specific attribution.

Protecting a multi-threat environment with geographically dispersed targets is difficult. Added to this are the complexities of a mixed privately and publicly owned industry and third party relationships that span all geographic boundaries. It becomes clear why partnerships between the companies involved are important in this industry. No single government or private organization can protect all the different companies that make up the energy industry. It requires the voluntary and active participation of all concerned.

The final layer of complex cyber security challenges for engineering departments lies in the interdependence of the many components that make up the industry. For example, the smart grid ensures that all users have enough power, so a power outage in one region can affect the power supply in another part of the country.

The global shortage of skilled cyber security professionals makes it difficult to meet the challenges of today’s energy industry. America needs well-trained cyber security professionals. These professionals are needed by both the private sector and government to protect critical infrastructure assets. CISA and DOE strongly reaffirmed their commitment to strengthening the national cyber security force by working to normalize roles and ensure well-trained staff.

Cyber Security Solutions for the Energy Industry

The critical nature of the networks, systems, and devices required to make the modern energy industry function, combined with the unique security challenges facing this sector, means that superior cyber security solutions and a strategy for deploying them are needed. There is always a balance between security and convenience. For critical energy infrastructure, convenience is sacrificed and the scale consistently tips in the direction of security.

Virtual Dispersive Networking (VDN) – VDN technology splits network messages into multiple parts and encrypts each component separately. A VDN routes these message components to numerous servers, computers, and even mobile phones. Distributing data along many different paths in this way eliminates the possibility of man-in-the-middle attacks. This is because hackers can only retrieve a small portion of the original data along a particular path. This protection strategy renders all received data meaningless and nearly impossible to decipher by anyone other than the intended recipient.

Hardware Authentication – Hardware authentication is an approach to user authentication that is especially useful for a geographically dispersed OT network. This protection strategy relies on a dedicated physical device (such as a token) held by an authorized user in addition to a primary password that grants access to computing resources. While not as convenient as other authentication methods, the critical nature of energy industry equipment goes far beyond the need for a simple user login.

User Behavior Analytics (UBA) – Much as firewalls use advanced analytics to inspect packet content and antivirus software analyzes file systems, UBA looks at user behavior. By carefully examining how users typically interact with a particular system, UBA can detect objectionable or suspicious behavior. Real implementations are much more sophisticated, but a good example is analyzing how quickly users navigate system prompts and the paths they take to access sensitive information. UBA is constantly improving its accuracy by using machine learning techniques to understand the intent behind user behavior.
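The two signals named above, prompt navigation speed and the path taken to sensitive information, can be checked against a per-user baseline as in this added example, which is not code from the original article. The operator name, screen names and timings are constructed sample data, and a median/MAD outlier test stands in for the machine learning model a commercial UBA product would use.

```python
from statistics import median

# Constructed history: for each user, past sessions as (path to the sensitive
# screen, seconds spent on each prompt along the way). Not real telemetry.
HISTORY = {
    "op_alice": [
        (("login", "dashboard", "scada_view", "setpoints"), [4.1, 6.0, 5.2, 7.3]),
        (("login", "dashboard", "scada_view", "setpoints"), [3.8, 5.5, 6.1, 6.9]),
        (("login", "dashboard", "alarms", "setpoints"), [4.4, 5.9, 4.8, 8.0]),
    ],
}

def build_profile(sessions):
    """Baseline = set of known paths plus median and MAD of prompt dwell times."""
    dwell = [t for _, times in sessions for t in times]
    med = median(dwell)
    mad = median(abs(t - med) for t in dwell) or 0.1   # floor avoids divide-by-zero
    return {"paths": {p for p, _ in sessions}, "median": med, "mad": mad}

def score_session(profile, path, times, z_limit=3.0):
    """Return the reasons (possibly none) a session deviates from the baseline."""
    reasons = []
    if tuple(path) not in profile["paths"]:
        reasons.append("unseen_path")       # route to the data never used before
    # Robust z-score: 0.6745 scales MAD to a standard deviation for normal data.
    z = 0.6745 * (median(times) - profile["median"]) / profile["mad"]
    if z < -z_limit:
        reasons.append("too_fast")          # faster than a human reading prompts
    return reasons

def review(user, path, times):
    """Score one new session for a user with recorded history."""
    return score_session(build_profile(HISTORY[user]), path, times)

if __name__ == "__main__":
    usual = ("login", "dashboard", "scada_view", "setpoints")
    print(review("op_alice", usual, [4.0, 5.8, 5.0, 7.0]))
    print(review("op_alice", usual, [0.4, 0.3, 0.5, 0.2]))
    print(review("op_alice", ("login", "setpoints"), [0.3, 0.2]))
```

Each flag is a reason to review the session, not proof of compromise: a new workflow or a practiced operator can trigger either one.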

Protecting America’s energy industry from cyberattacks and other risks is a top priority for the Department of Energy. In March 2018, the DOE announced a multi-year plan for cyber security in the energy sector[2]. This guidance document is designed to better align critical cyber operations within the Department of Energy with other key infrastructure cyber security personnel. It outlines an integrated strategy for reducing cyber risk in the energy industry by pursuing high-priority actions aligned with other DOE offices and federal government strategies, plans, and activities.

Recognizing that strategies to anticipate and respond to modern cyberthreats are inefficient, ineffective, and unsustainable, DOE takes a two-pronged approach: powering today’s energy supply system by driving continuous improvement, and developing breakthrough solutions that create inherently safe, resilient and self-protecting power systems.

DOE’s cyber security strategy is aligned with the objectives of Executive Order 13800. It directs all federal agencies to use their powers and capabilities to support cyber risk management by critical infrastructure owners and operators.

Conclusion

The security of our nation’s energy industry is essential to our economy and way of life. The industry is a highly complex network of private and public institutions, each with its own leadership and goals. Several government departments and agencies are involved in setting and enforcing security and cyber security standards.

While there have been physical attacks in this sector (the 2013 attack on Pacific Gas & Electric’s Metcalf substation in California, for example), the threats to the industry have largely resulted from cyber vulnerabilities. Both cybercriminals and nation-state actors see the energy industry as a prime target.

Opportunities for cyber security professionals exist across the industry. Government agencies are always looking for employees with cyber security skills and experience. Private sector operators of energy and pipeline companies need best security practices and technology solutions.
