The energy and utilities sectors are very much a part of our critical national infrastructure and vital to national security. While installations are under threat from physical attacks and from natural disasters such as floods and earthquakes, it is the increasing threat of cyber attacks from criminal and state-sponsored terrorist groups that has hit the recent headlines. According to international insurer Hiscox in its 2021 Cyber Readiness Report, the UK energy sector comes top of its Cyber Threat Ranking Table by industry and suffered the highest median losses.
Just how big these losses can be was highlighted on 7 May this year, when there was a cyber-attack on Colonial Pipeline, a firm headquartered in Georgia, USA, that supplies about 45% of the petrol and diesel used on the east coast. The company says that it transports over 100 million gallons of fuel daily across an area spanning Texas to New York. Colonial paid the hackers, an affiliate of a Russia-linked cybercrime group known as DarkSide, a $4.4 million ransom shortly after the hack. The hackers had stolen nearly 100 gigabytes of data and threatened to leak it if the ransom wasn’t paid.
While it was the biggest and most high-profile attack on a pipeline, it wasn’t the first. Earlier this year, the US Cybersecurity & Infrastructure Security Agency (CISA) issued reports detailing a history of attacks against pipeline operations. At the same time, President Joe Biden signed an executive order aimed at boosting defences, having warned that attacks on CNI could lead to a ‘real shooting war’.
If you want to grasp the true potential for devastation from a cyber attack on an energy installation, you have to go back to 2009, when Stuxnet, a highly sophisticated computer worm developed jointly by US and Israeli intelligence, was deployed against the Natanz nuclear facility in Iran. It targeted the centrifuges used to enrich uranium, instructing them to spin out of control and eventually break. Over a few years, about 20% of Iran’s centrifuges were destroyed, setting the Iranian nuclear programme back by years.
Closer to home, and to underline that going green does not make you immune from hackers, personal data on all 270,000 customers of Scotland-based renewable energy supplier People’s Energy was stolen at the end of 2020. New research published in May 2021 by Veritas Technologies found that more than half of the utility industry’s companies suffered a cyberattack last year. The survey of 75 IT decision-makers also showed that nearly 64% of them suggest their organisation’s approach to dealing with cyberattacks could be improved.
Ransomware attacks seem to be one of the biggest threats that the UK utility sector faces – so it’s all about the data. For cyber criminals, ransomware is a low-risk, high-reward activity with a virtually unlimited supply of potential victims. And the arrival of Ransomware-as-a-Service (RaaS) only serves to lower the bar to entry and increase the scale and volume of attacks. Ransomware attacks were also described as the key cyber threat facing UK businesses and organisations by Lindy Cameron, the head of the National Cyber Security Centre (NCSC), in her recent annual security lecture to the Royal United Services Institute (RUSI) defence and security think tank. In her speech, Lindy Cameron stressed the importance of UK businesses and critical national infrastructure continuing to build their cyber resilience to stop attacks from reaching their targets.
But here lies the problem. Like most industries, the energy and utilities sectors have traditionally approached cyber security by trying to stop the cyber criminals and hackers getting in. Yet history tells us that it is impossible to stop every cybercriminal all of the time. The Colonial breach was the result of a single compromised password for a virtual private network account, which allowed employees to remotely access the company’s computer networks. So, if we can neither keep the cyber criminals out nor fully trust the people around us, we must rethink the traditional ‘castle and moat’ methods of protection and adopt a data-centric approach, where security is built into the data itself.
Full disk encryption will protect structured and unstructured data when it is at rest on a hard disk or USB stick, which is great if you lose your laptop but is of absolutely no use in protecting data against unauthorised access or theft from a running system. Data therefore needs to be protected not only at rest, but also in transit and in use, on site or in the cloud.
But this is no easy task. In the 2020 IBM and Ponemon report, 67% of respondents said discovering where sensitive data resides in the organisation is the number one challenge in planning and executing a data encryption strategy. Data classification technology is often used to identify ‘important’ or ‘sensitive’ data, but the report found that 31% cited classifying which data to encrypt as difficult. Then there is the question of where you set the ‘importance bar’. Even seemingly trivial information can be useful to a cybercriminal, since they are adept at amalgamating small pieces of data to form a bigger picture, to build a spear phishing attack for example.
A universal approach
So why is it that the accepted norm is to encrypt only the ‘most important’ or ‘sensitive’ data? The problem is that traditionally, encryption has been considered complex and costly and detrimental to performance and productivity. But with advances in the technology and fast processing speeds, seamless data encryption can now be used to protect all data – structured and unstructured. This way, classification for data security purposes becomes irrelevant and stolen information remains protected and useless to cyber criminals.
This approach also works with legacy systems, which are outdated but still do an essential job. Legacy systems were not designed to be exposed to public networks, but as staff, customers and suppliers need direct access to business processes, new online services have been built on top of this ageing technology. When connected to the outside world, legacy system data – such as customer details, company operational data and intellectual property – becomes vulnerable as it travels from the silo, through web-based applications, to end users. By protecting the data itself, these risks are mitigated.
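The point made above about full disk encryption (useful for a lost laptop, useless on a running system) and about encrypting every field rather than only those classified as ‘sensitive’ can be shown concretely with record-level encryption, where the data is sealed before it ever reaches storage or a web application and plaintext exists only inside the authorised code path. The following Go program is an added illustration written for this page, not code from the article or from any vendor; it uses only the standard library’s AES-GCM and assumes the key is held outside the storage layer (a KMS or HSM in practice), which is the part that a data-centric design has to get right and which this snippet stands in for with a constructed key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is a customer record as an operational or legacy system might hold it.
// Every field is treated the same way: nothing is classified as "more sensitive".
type Record struct {
	Name    string
	Address string
	MeterID string
}

// SealedRecord is what actually lands on disk, in a database column or on the
// wire: each field is an independent AES-GCM ciphertext laid out as
// nonce || ciphertext || tag. Without the key it is useless to a thief.
type SealedRecord struct {
	Name    []byte
	Address []byte
	MeterID []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one value. The field name is bound as associated data so a
// ciphertext moved from one column to another fails to decrypt instead of
// silently yielding the wrong plaintext.
func sealField(aead cipher.AEAD, field, plaintext string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, []byte(plaintext), []byte(field))...), nil
}

func openField(aead cipher.AEAD, field string, sealed []byte) (string, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return "", errors.New("sealed field too short")
	}
	pt, err := aead.Open(nil, sealed[:ns], sealed[ns:], []byte(field))
	if err != nil {
		return "", err // wrong key, tampering or a swapped field all end here
	}
	return string(pt), nil
}

// SealRecord protects every field before the record leaves the application.
func SealRecord(key []byte, r Record) (SealedRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return SealedRecord{}, err
	}
	var s SealedRecord
	if s.Name, err = sealField(aead, "name", r.Name); err != nil {
		return SealedRecord{}, err
	}
	if s.Address, err = sealField(aead, "address", r.Address); err != nil {
		return SealedRecord{}, err
	}
	if s.MeterID, err = sealField(aead, "meter_id", r.MeterID); err != nil {
		return SealedRecord{}, err
	}
	return s, nil
}

// OpenRecord is the only place plaintext is reconstructed; it is the code path
// that needs the key, and therefore the one to put access control around.
func OpenRecord(key []byte, s SealedRecord) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	var r Record
	if r.Name, err = openField(aead, "name", s.Name); err != nil {
		return Record{}, err
	}
	if r.Address, err = openField(aead, "address", s.Address); err != nil {
		return Record{}, err
	}
	if r.MeterID, err = openField(aead, "meter_id", s.MeterID); err != nil {
		return Record{}, err
	}
	return r, nil
}

// LeaksPlaintext reports whether any original value is visible in the stored
// bytes, the check a reviewer would run against a database dump or a log.
func LeaksPlaintext(s SealedRecord, r Record) bool {
	stored := bytes.Join([][]byte{s.Name, s.Address, s.MeterID}, nil)
	for _, v := range []string{r.Name, r.Address, r.MeterID} {
		if v != "" && bytes.Contains(stored, []byte(v)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed key for the demo; a real key comes from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec := Record{Name: "A. Example", Address: "1 Test Street", MeterID: "MTR-0001"} // constructed sample
	sealed, err := SealRecord(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored name field:", hex.EncodeToString(sealed.Name))
	fmt.Println("plaintext visible in storage:", LeaksPlaintext(sealed, rec))
	back, err := OpenRecord(key, sealed)
	fmt.Println("authorised read:", back, err)
}
```

Running it shows the stored bytes carrying nothing recognisable, and a read with the wrong key or with two columns swapped returning an authentication error rather than data. The design choice worth noting is that the decision of which data to encrypt disappears: every field goes through the same path, so there is no classification step for an attacker to exploit by finding the ‘unimportant’ column that was left in clear.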
Having seen the potential for massive disruption and damage, there is no doubt that cyber criminals and state-sponsored terrorist groups have the energy and utilities companies in their crosshairs. So, unless we can take a different approach to cyber security and data protection, we can expect more trouble ahead.