Written by Lucas Zaichkowsky, Enterprise Defense Architect at AccessData
The energy industry is among the largest and most important industries in many industrialized nations. Of the ten largest companies in the world, seven are energy producers and/or related providers. The Middle East power sector is booming and is expected to grow at a rate of 7% over the next 10 years, according to the MENA Power report. Another report, published by the Kuwait Financial Centre in September 2013, notes that investments worth US$ 283 billion will be made in the energy industry between 2014 and 2018 to help Middle Eastern and North African countries cope with rising demand.
Because the energy industry possesses so much highly confidential and proprietary information and is integral to the health and vitality of the economies in which it operates, it represents an enormous target for cybercriminals. While energy companies need to adhere to a growing body of regulations focused on maintaining records and managing their business properly, the more immediate issue—and one that represents an imminent threat—is protecting the security of the wide range of assets that energy and related companies operate. This includes protecting against everything from malware that might enter the utility grid through a smart meter to government-sponsored cyber attacks designed to shut down nuclear power plants.
A Highly Vulnerable Industry
The energy industry presents unique attributes that make it more vulnerable than others to cyber attack. In fact, one source found that two-thirds of energy companies had experienced some form of brute force attack—twice the percentage of companies in other industries.
Examples of areas of vulnerability include:
1. Abundance of Potential Ingress Points
There are millions of potential ingress points for malware, hacking attempts and other incursions—from legitimate employee use of the internet for normal day-to-day business activities, to the prevalence of BYOD and contractor access.
2. Vulnerable Smart Grid
The existing smart grid technology had originally been developed with the intention that it would stand apart, in locked industrial sites and control centres—making it unavailable to outside tampering. Those parameters have changed, and now connecting that legacy technology to current technology opens it up to all kinds of hacks.
But who is doing the attacking? It might not be what you think. PwC found that while attacks backed by nation-states are making the headlines, utilities are more likely to be hit by other outsiders including:
- Activists/activist groups/hacktivists
- Organized crime
- Foreign entities/organizations
- Foreign nation states
According to a report by Alert Logic, 61 percent of energy and utility executives consider security to currently be a big problem for the smart grid, and 64 percent believe that the grid is not prepared for security threats.
The risks of cyber attack in the energy industry are enormous and are by no means a new phenomenon, as illustrated by the following examples:
- In 2012, Saudi Aramco was attacked by hackers who were able to infect 30,000 of the company’s computers with the Shamoon worm. Although gas and oil production was not disrupted, the company’s networks were brought down by the attack.
- Only days after the attack on Saudi Aramco, computer systems at Qatari energy firm RasGas were taken offline by a computer virus. Although production was not hit by the attack, it forced the firm to shut down its website and email systems.
- The Stuxnet worm, first discovered in June 2010 and most likely a US and Israeli attempt to disrupt the Iranian nuclear program, clearly demonstrated that worms and related types of malware can successfully infiltrate programmable logic controllers or other types of hardware and cause significant damage. One source estimated that 20% of Iran’s centrifuges were destroyed by Stuxnet.
- The importance of Stuxnet in the context of potential power plant, oil refinery and other energy-related security should not be underestimated. Not only can this type of malware alter the operation of key control systems with potentially disastrous consequences, a Stuxnet-like worm has already done so. In October 2012, a contractor at a US power plant accidentally infected a turbine control system with a worm delivered via a USB drive and took the power plant offline for three weeks.
- AnonGhost, a politically motivated group of hacktivists, in June this year issued a warning saying that it is planning to launch cyber attacks on energy companies globally, including Adnoc and Enoc in the UAE, for using the dollar in oil trades.
- In a 2013 report, one electric utility reports that it endures roughly 10,000 attempted cyber intrusions on a monthly basis.
Dealing with highly focused and highly skilled attackers who perpetrate sophisticated incursions into the energy infrastructure requires a robust and integrated set of capabilities. To prevent such incidents from occurring, energy organizations in the Middle East need to detect cybercriminal activity, respond quickly to suspicious behaviour and resolve the issue at hand. For this they need to implement IT security solutions that integrate network, endpoint and malware analysis, threat intelligence and remediation capabilities, and that don’t just deliver rapid detection and response but continuous automated incident resolution. When evaluating security technologies, energy companies should make sure the solution has the following capabilities:
- Ability to identify suspicious binary files based on their unusual behaviour even in the absence of signatures that have been designed to detect known malware.
- Ability to isolate and examine suspect code without the use of sandboxing, dynamic analysis or traditional heuristic analysis.
- Ability to determine the presence of malware and whether or not it has already executed on infected machines.
- Ability to monitor and analyze the behaviour of mobile devices that are used by employees.
- Ability to automate the malware triage process and to identify, isolate and remediate cyber attacks, malware incursions, data leaks and other threats more quickly than is possible with manual processes.
- Ability to measure the security team’s efficiency with key performance indicators such as Mean Time to Validate (MTV) and Mean Time to Respond (MTR).