Managing a nationwide system of assets providing power generation, transmission, and distribution, which underpin the energy sector, can be a challenging endeavor. Particularly when you take into account the vast array of modern and legacy technologies that may not work in harmony together. For energy professionals, the stakes could not be higher. Prolonged outages as a result of a cyberattack have the potential to cause loss of life, disrupt the economy, and impact national security.
The energy sector has always been at the forefront of emerging technology, global economics, and the intense competitive environment that emerges in the overlaps between the two. As a result, the industry has seen the rapid fielding of complex systems designed to deliver energy, develop technology, monitor the grid, increase efficiencies, and meet the increasing power demands of the private and public sectors. These systems, and their unprecedented reliance on technology and network connectivity, present huge opportunities and introduce tremendous risk if not properly secured and monitored.
Asset Visibility and Detection
The complexity of this environment in terms of the physical and cyber infrastructure, geographically distributed areas throughout the U.S., and the various actors and organizations that both use and seek to exploit the system, means that visibility must be equally multi-faceted. Far too many organizations take a lopsided approach to security, focusing solely on vulnerabilities and taking an agnostic approach to threats in order to assess risk.
Facility-specific threat intelligence integrated with vulnerability management and asset visibility will provide stakeholders and decision-makers with an accurate risk assessment of their infrastructure. Furthermore, this will allow for a greater defense-in-depth oriented design of detection and countermeasures. Network security cannot rely solely on a perimeter or a single point for safety, in much the same way a power plant or substation cannot rely solely on a fence or a door to keep intruders out. Being able to hunt for threats throughout a network, detect issues early on in their lifecycle, and mount an effective and thorough response quickly are vital components of cybersecurity in today’s complex environments.
Adopting a proactive approach to security in operational technology/industrial control systems environments is critical to managing risk. This is true because the cost of reactive response is too high, potentially measured in terms of outages affecting a broad range of critical services.
Energy service providers, utility companies, technology vendors, and commercial and government partners can all benefit from increasing visibility across networks and pairing that with targeted threat actor information in order to achieve a proactive risk management program. Having a better insight on the true composition of energy and energy-related assets decreases the likelihood of an undetected breach and shortens the dwell time of successful network compromises.
Importance of Understanding Cyber Threats
The first step to understanding risk is for organizations to have a detailed understanding of their infrastructure, assets, and essential business functions. From there, you can begin to define the threat environment, both in terms of adversaries’ intentions and their capabilities, as well as how they can disrupt your essential functions through cyberattacks. This combined risk profile allows organizations to tailor their security posture not just to industry best practices, but to facility and functional risk posture.
The security requirements will vary greatly from organization to organization depending on a large variety of factors such as criticality, vulnerability, and essential business function. These requirements are further affected by problems of geography, politics, technology, market forces, and many others. No single variable can provide a complete definition, though getting a firm grasp on those variables can allow for more effective prioritization and better responsiveness to threats as they ebb and flow.
For example, a service provider in one part of the world using a specific technology, say a liquid natural gas power company in Eastern Europe, does not have the same threat environment as a nuclear plant in North America. Furthermore, a research institution developing solar panel technology and a shipping company moving oil aren’t likely to experience the same bad actors or the same attack vectors.
The very complexity of the modern energy ecosystem makes it difficult for the same attacker to target the entire industry, meaning that multiple attackers can approach their targets in a nearly infinite number of ways. While industry best practices are a starting point, organizations cannot rely upon them alone. Taking the time to understand how the specific geographic location, infrastructure, and critical functions can be impacted by specific threat actors will allow organizations to have more efficient and more effective defenses.
Planning for the Future
As energy cyber infrastructure continues to expand in size, scope, and capability, new technologies like artificial intelligence, robotic process automation, and autonomous vehicles and platforms will be required to achieve maximum efficiency and manage the scale of the processes and technology involved. These technologies will give rise to equally novel and emerging threats.
Malicious actors in the cyber realm will always continue to develop ways to exploit technology at the same pace we can find new uses for it. Every new solution can present new problems if we are not thinking on both the blue and red sides of the equation as we develop, procure, field, and operate new software, hardware, systems, and networks.
Modern supply chains, no matter the industry, have components and supporting functions spread throughout geography and industry. Whether it be hardware, software, platforms, human systems, or raw materials, your business operations and networks will be at risk from cyber actors targeting them. Conducting cyber threat centric assessments of your business processes and those of your supplier/enabler relationships will be an essential activity for organizations in the future.
—Jason Atwell is the Senior Intelligence Expert for Mandiant’s Strategic Intelligence and Government Practice.