A recent report by Reps. Edward Markey (D-Mass.) and Henry Waxman (D-Calif.) referenced more than a dozen utility companies that acknowledged they experience daily persistent cyber attacks. Although statistically similar to companies in other sectors, there is more concern because a cyber attack on the U.S. energy sector has the potential to be economically devastating and lead to loss of lives.
Even though North American Electric Reliability Corporation (NERC) compliance standards forbid control systems being connected to consumer-facing or administrative networks, NERC’s reach only goes so far, leaving out oversight on important industries such as oil and gas. We hear regularly about “N” million credit card numbers hacked or “Q” million user credentials stolen, despite the fact that almost all of the affected companies were PCI compliant.
When utilities start thinking that compliance = security, that’s a problem. Compliance is a great place to begin the security conversation, but organizations need to go further than what’s mandated. When we think of legacy hardware out in the field that a) need to be connected to the Internet to receive up-to-date antivirus protection, or b) are not connected to the Internet and therefore have static protection, we have to ask ourselves if these systems are really protected at all.
A pipeline, for instance, has a variety of control points that can potentially be accessed remotely or manually. We already know that with Stuxnet cyber attackers were able to reach an air-gapped network and cause damage. Once a highly successful attack like that happens, the tactics in play become widely understood, and potentially embraced by others. Night Dragon, for another example, was a series of cyber-espionage attacks on oil and gas systems that persistently exfiltrated data. So the ability is out there to attack all facets of the U.S. energy sector, whether it’s corrupting the refining process, stopping a drill or causing a blackout – the only thing missing is the motivation for resourced and skilled attackers to target these systems.
In my talks with security professionals across the energy sector, there’s no doubt that they’re intimidated by the challenge of implementing next-gen security and doing it efficiently. The network architecture and hardware behind much of the energy infrastructure was developed before sophisticated cyber attacks were the reality they are today. It’s not a simple matter of throwing a few million dollars at it here and there and the problems suddenly go away. There are vast, sweeping changes necessary and they are not all technological in nature.
An organization’s security posture in large part takes root from its internal culture. Running a utility poses a different set of challenges than the average enterprise. Availability trumps all other concerns. The view of what technology is proven, what technology isn’t proven, and the risks associated with trying something new is significantly different from the average enterprise. There are many engineers that would be more comfortable having a control system based on an Intel 486DX2 running Windows 2000, then a Raspberry Pi running SELinux. The former has well over 10 years in production environments and a proven track record (stop laughing), while the latter is something college kids use to make Internet-controlled vending machines. There is valid logic to that, but it’s simply not in line with the current reality. The security culture needs to change.
The fear is that it will take a catastrophic event to drive the widespread adoption of more effective security solutions. The hope is that the current wave of espionage hacks and the resulting response will drive change before we see a wave of sabotage hacks. One thing is certain: We cannot ignore these problems.