FORUM: Managing cyber and technology threats in the energy & natural resources sector
November 2016 | SPECIAL REPORT: ENERGY & NATURAL RESOURCES
Financier Worldwide Magazine
FW moderates a discussion on managing cyber and technology threats in the energy & natural resources sector between Michel de Goede at Alliander, Gerald J. Ferguson at BakerHostetler, and Roberto Minicucci at GE Oil & Gas.
FW: Could you provide an insight into the extent of the cyber and technology threats currently facing companies in the energy & natural resources sector? Is this sector particularly vulnerable to attack, and if so, why?
Ferguson: The energy sector is increasingly a target of cyber attacks because it is an attractive target to politically motivated hackers and terrorists. A successful attack on the energy sector would have the ability to significantly harm the US economy. Energy companies are also subject to industrial espionage because energy companies rely on highly valuable proprietary information to maintain a competitive advantage. For the past three years, the Industrial Control System Cyber Emergency Response Team (ICS-CERT), which coordinates sharing of cyber incident response information among the federal government and industry, has identified the energy industry as the sector reporting the second highest amount of cyber attacks, after critical manufacturing. There are many examples of recent energy industry attacks. In 2009, Night Dragon involved global cyber attacks against oil & gas companies harvesting data on field operations, licensing bids and confidential projects. Operation Aurora, also in 2009, reportedly involved a foreign-power sponsored cyber espionage attempting to steal IP from major multinational oil & gas companies. In 2012, an attack known as Flamer involved malware burrowing into Iran’s oil ministry, severing internet links to rigs and the hub for nearly all the country’s crude exports, causing widespread data loss. The 2012 Shamoon attack involved malware which stole data and wiped files in an attack that disabled 30,000 terminals at Saudi Aramco, the national oil company of Saudi Arabia. In Ukraine in 2015, the national power utility’s control network was infected with malware causing widespread blackouts allegedly caused by a hostile foreign power.
de Goede: Starting last year, the Dutch National Cyber Security Centre (NCSC) and the Algemene Inlichtingen- en Veiligheidsdienst van Nederland (AIVD) have seen several trends. First, there seems to be an increased level of nation-state led activity. This is not only activity from a control perspective – with the objective that nations or groups can control Dutch electricity and gas grids – but also from an information perspective, to gain insights into commercial activities and operations. The latter, industrial espionage, is a serious trend receiving attention on a Dutch national level. Since it is very difficult for an individual company to ‘arm’ itself against nation-state activity, on both a Dutch (NCSC) and an EU level (ENCS), initiatives are in place for a coordinated approach. Secondly, professional criminals have upped their game, resulting in better financing and hence more long term plots and better trained staff to breach assets, information and networks. The trend of more and more cities abandoning the use of heating and cooking gas for newly built buildings, and the increasing number of households and organisations using de-centrally produced wind or solar energy, imply that the importance of a central grid as a target may continue to slowly decline. It seems that critical infrastructure-based companies receive less interest from organised crime, hacktivists and script kiddies than, for example, financial institutions and hospitals.
Minicucci: The risk depends on the value of the assets at stake, whether it is about business continuity or intellectual property, plus any potential reputational impact. Energy companies enjoyed a relative grace period until a few years ago, but now the big players see a lot of opportunity to increase their productivity and efficiency through connectivity, near-real time information, and digital technologies applied to oil & gas plants. These changes, along with opportunities, have increased exposure to security threats, therefore they must be appropriately designed, installed and operated. The energy sector must consider at least three vulnerabilities. Firstly, the assets being targeted have long lifecycles – around 20 to 25 years – which means little to no security was built in. Secondly, the energy sector suffers a cultural gap in that most operating people are not cyber aware, nor perceive the risk until an actual incident happens. Finally, the asymmetry of security means economic costs favour attackers, while it may be difficult to show ROI for defence.
FW: What are some of the common cyber and technology threats that companies in this sector need to identify and defend against? Should they assume a cyber attack is unavoidable – rather than just a possibility – and prepare accordingly?
de Goede: Attacks are so frequent that they are unavoidable. Resilience is what is necessary to, as much as possible, maintain production while under attack. In the electricity and gas distribution space, cables and tubes were usually designed to go from a central production facility to consumption points, either residential or commercial. The use of ring topology cable and tubing designs prevents all homes and organisations on one particular cable or tube from being out of energy all at the same time. This redundancy helps to reduce the potential impact of an attack to the level of a minor nuisance. Now, from a cyber perspective, network segmentation and isolation, in accordance with ISA 95, seems to be one of the standard answers to prevent intruders from reaching more than one system, or set of systems, in one go. As such, the effort necessary to reach operational installations in the field is elevated while the effect may be minimised by the grid’s ring design. This picture may, of course, be different for a central power production plant or an oil refinery than for a regional distribution system operator (DSO). In general though, a strategy that increases the intruder’s pain and minimises his gain from both a cyber and a physical layout perspective may be productive.
Minicucci: Preparation is fundamental. IT and operational technology (OT) teams must work together, especially in key areas, such as incident response, to ensure network and assets protection. One problem when analysing attacks against critical infrastructure is attributing them to threat actors. In many cases, these attacks go undetected for a year or more. However, we can say that there are technical and organisational threats. On the technical side, there is application security, such as weak or no authentication and poor least privilege principle enforcement during development. In terms of network security, we must focus on zone segmentation, no deep protocol level inspection enforced on firewalls, and so on. Finally, we must consider hardening and maintenance, such as disabling unneeded features and ports, and patch and AV management. On the organisational side, you have insider threat, portable media management, documentation, personnel awareness and supply chain. In addition, there are all the threats which traditionally affect the enterprise environment, because enterprise systems are used as an intermediate step toward the ICS/production environment and because more and more enterprise class devices and technologies are used in ICS, such as phishing, SQL injection and web based attacks. Any CISO should assume not only that an attack is unavoidable, but that it has already happened, and the network has been penetrated. The goal should be to minimise the impact of such a breach.
Ferguson: Like most other industries, the energy industry faces the threat of loss of sensitive information, such as confidential customer and employee information and trade secrets. The other serious threat that the energy industry faces is an attack on the computerised industrial control systems that operate essential equipment. These industrial control systems are increasingly connected to the internet and thus vulnerable to hackers or malware, causing the systems to operate in a dangerous manner. The computer controls of industrial control systems are at greater risk than systems that store data because for control systems, the top priority is reliability and availability, not security. Specific risks with industrial control systems include reliance on older versions of software that are more vulnerable to attack, service vendors with backdoor lines that increase exposure, and users who rely on default passwords that can be easily hacked.
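As an added example (not part of the roundtable, and not code from any participant's organisation), the following Python models two of the controls named in the answers above: ISA 95-style zone segmentation, so that enterprise traffic cannot reach the control network without passing through the intermediate zones, and protocol-level inspection of Modbus/TCP at the control-zone boundary rather than a port-only firewall rule, both built on an asset inventory. The zone names, the host-to-zone inventory, the policy, and the sample frames are all assumptions constructed for illustration.

```python
"""Zone-policy and Modbus/TCP function-code checks over constructed flows.

Added example, not part of the roundtable or any vendor's product. The zone
names, host-to-zone inventory, policy and sample frames below are all
assumptions made for illustration.
"""
import struct
from dataclasses import dataclass

# Ordered from the enterprise network down to the control network
# (ISA 95 / Purdue-style levels; the labels are assumed for this example).
ZONES = ["enterprise", "ot_dmz", "site_ops", "control"]

# Assumed asset inventory: host address -> zone. Anything not listed here is
# treated as an inventory gap rather than silently classified.
INVENTORY = {
    "10.10.0.5": "enterprise",   # corporate workstation
    "10.20.0.10": "ot_dmz",      # jump / patch server in the DMZ
    "10.30.0.20": "site_ops",    # engineering workstation
    "10.30.0.21": "site_ops",    # historian
    "10.40.0.30": "control",     # PLC
}
ENGINEERING_HOSTS = {"10.30.0.20"}

MODBUS_PORT = 502
# Function codes that change controller state (coils / holding registers).
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame, or None if the
    MBAP header is inconsistent. This is the protocol-level inspection step
    that a port-only firewall rule skips."""
    if len(payload) < 8:
        return None
    _trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7]


def check_flow(flow: Flow) -> list:
    """Return a list of policy findings for one flow (empty list = allowed)."""
    findings = []
    src_zone = INVENTORY.get(flow.src)
    dst_zone = INVENTORY.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return ["unknown host: inventory gap"]

    # Segmentation rule: a hop may only cross into an adjacent zone, so
    # enterprise traffic reaches the control network only via the DMZ.
    hop = abs(ZONES.index(src_zone) - ZONES.index(dst_zone))
    if hop > 1:
        findings.append(f"segmentation: {src_zone} -> {dst_zone} skips intermediate zone(s)")

    # Protocol rule: inspect Modbus/TCP into the control zone, not just the port.
    if flow.dport == MODBUS_PORT and dst_zone == "control":
        parsed = parse_modbus_tcp(flow.payload)
        if parsed is None:
            findings.append("modbus: malformed MBAP header")
        else:
            _unit, fc = parsed
            if fc in MODBUS_WRITE_FC and flow.src not in ENGINEERING_HOSTS:
                findings.append(f"modbus: write function code {fc} from non-engineering host")
    return findings


def audit(flows) -> dict:
    """Map 'src->dst:port' to its findings for every flow in the sample."""
    return {f"{f.src}->{f.dst}:{f.dport}": check_flow(f) for f in flows}


# Constructed sample traffic (not captured from any real network).
SAMPLE_FLOWS = [
    # Engineering workstation writes a single coil (FC 5) to the PLC: allowed.
    Flow("10.30.0.20", "10.40.0.30", 502,
         b"\x00\x01\x00\x00\x00\x06\x01\x05\x00\x01\xff\x00"),
    # Historian reads holding registers (FC 3): allowed.
    Flow("10.30.0.21", "10.40.0.30", 502,
         b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Corporate host writes multiple registers (FC 16) straight into the PLC:
    # both a segmentation bypass and an unauthorised write.
    Flow("10.10.0.5", "10.40.0.30", 502,
         b"\x00\x03\x00\x00\x00\x09\x01\x10\x00\x00\x00\x01\x02\x00\x2a"),
    # Corporate host to the DMZ jump server over HTTPS: allowed.
    Flow("10.10.0.5", "10.20.0.10", 443),
    # Host missing from the inventory talks Modbus to the PLC.
    Flow("10.99.0.1", "10.40.0.30", 502,
         b"\x00\x04\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"),
]

if __name__ == "__main__":
    for key, result in audit(SAMPLE_FLOWS).items():
        print(key, "OK" if not result else result)
```

The point of the write-function-code rule is that "port 502 allowed from site operations to the PLC" is not enough: a historian only needs read codes, and a compromised historian issuing writes should be as visible as a corporate host that bypasses the DMZ. The inventory check comes first because every other decision depends on knowing which zone a host belongs to.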
FW: How should a company initially respond if it finds itself a victim of a cyber attack? What steps need to be taken from the outset to limit any damage and initiate contingency planning?
Minicucci: It is critical to be able to make fast decisions on what should and should not be done. There is no time for detailed analysis during a crisis. An effective response would require, firstly, having a clear picture of what is at stake. Companies must have an updated inventory of installed systems, including details on hardware and software components. This is critical and a well-known pain point in the ICS environment. They must also be able to detect that an incident has actually occurred – an area where the ICS world traditionally suffers from a lack of procedural and technical detection measures. Staff must also know who they need to contact. They must have resource contact information ready to go for incident response, which is a purely organisational concern. They must also know what actions to take, so the company should have a plan with everyone ready to execute their part. In any case it is fundamental to have an established relationship and agreed action plan with trusted partners, OEMs and suppliers. Depending on the case, a detailed root cause analysis can then be handled internally or by a specialised third party, which is usually a better option when the impact is significant.
Ferguson: A cyber attack can cause serious operational and reputational damage and lead to significant legal liabilities. To the extent customer or client information is compromised, it may be necessary to issue notices to affected individuals and regulators as required by state breach notification law. Notification obligations may also arise under third-party contracts. Effectively responding to a cyber attack requires immediate coordination among operation, IT, legal and communications teams, and possibly others depending on the nature of the incident. In my experience, such effective coordination only occurs where a company has put in place prior to the incident a cyber incident response plan that identifies the cyber incident response team and team leader and establishes standard protocols for responding to different categories of incidents. But the plan is of little use if it is simply a document on a shelf. The cyber incident response team should meet on a regular basis – at least once a year – to review laws and regulations relevant to their business and to practice responding to hypothetical incidents. Effective response may require relying on outside vendors, such as forensics, legal and crisis communications. Agreements with the necessary vendors should be in place and these vendors should be identified in the plan. If a company is interviewing and negotiating a contract with key vendors after an incident has occurred, the risk is significantly increased that the incident will not end well.
de Goede: Being able to recognise that one is under attack is the starting point. The design of business processes, primary plant functionality, secondary systems such as ICS, and IT should all allow for maximum monitoring and ‘non-obvious’ pattern recognition. Steps that aim to introduce, for example, an APT or ransomware may be observed before actual damage has been incurred. Again, a strategy of isolation and segmentation may prove productive to avoid cross contamination and keep the results of an attack local. But to really have contingency planning up to date, the security organisation should think and act like hackers. Only then can the playbook have more than one path to restore most of the under-attack situations back to business as usual as soon as possible. Publicly funded companies are a rather fundamental part of society; just imagine life without electricity or gas for a few days. Therefore, it would be helpful if we all, as society, were to think and act in a manner that helps advance the resiliency of our energy supply, be it for our own home or office, or on a larger scale.
FW: To what extent could improvements to industrial control systems (ICS) help companies in this sector to mitigate or even prevent the risks they face? Do ICS systems generally require significant reconfiguration to withstand the increasingly sophisticated cyber and technology threats that exist today?
de Goede: ICS is still the Achilles’ heel of operational technology. There are numerous solutions to either reduce the risk they form or to mitigate any risk they introduce to neighbouring systems, such as communication protection and isolation or segmentation. Additionally, it would help if functional updates could be separated from security patches and updates plus if they had shorter lifecycles so they could stay on par with the latest technology. But physical access protection may even be of more importance than improvements to the IC systems themselves. If strategies aiming to lower potential gains and impact on the one hand, and increased effort and risk necessary to obtain these gains for criminals, hacktivists, script kiddies, nation states or rogue employees are not successful in reducing the level of interest, then some of the older IC systems should be replaced.
Ferguson: The US Department of Energy has identified steps that every company should be taking to maintain a high level of cyber security readiness. First, prioritise the critical infrastructure that should be protected. Second, identify the appropriate scope of a risk assessment of this critical infrastructure. Third, create a current security profile. Fourth, have a ‘risk assessment’ conducted by a qualified third party. Fifth, create a target profile to achieve based on risk assessments. Sixth, determine, analyse and prioritise gaps in cyber security revealed by the assessments. Finally, implement an action plan to improve cyber security. While the specific improvements will depend on the equipment involved, in every instance companies should be deploying monitoring equipment and software that can assist in identifying that a cyber attack has occurred. No cyber defence is impenetrable and effective response requires early detection of attacks as they occur.
Minicucci: As the industry takes advantage of the benefits digital has to offer, most manufacturers in recent years have started considering security more seriously and have included security system capabilities by-design in their ICS systems, in an effort to support a layered defence approach, which is what the industry and security community consider to be most effective. The ultimate defence layer must reside in the design of the component itself – for example, integrity checks, traffic pattern baselining and trusted platform module (TPM) approaches. The same focus must be kept during the lifecycle of the ICS system, until commissioning is completed. All parties need to be on the same page with regard to security to ensure secure installation and operation of the overall automation solution. Reconfiguration is sometimes possible, but, especially with older systems, only some compensating technical and procedural measures can be implemented. Most of the time, a system upgrade is required if higher security is needed.
FW: How important is it for boards and senior management to have a thorough understanding of the issues surrounding cyber and technology threats? In your opinion, does the topic receive sufficient attention and resource allocation, so that this knowledge gap can be closed?
Ferguson: The NIST Cyber-Security Framework, which is increasingly cited as an industry standard for critical infrastructure companies, makes it clear that a company’s cyber defence strategy must be managed under the direction of senior management and the board. The increasing occurrence of suits against directors and officers after a cyber security incident illustrates that when senior management and the board simply delegate cyber security to the IT department without providing guidance and supervision, they do so at their peril. In my experience, boards and senior management are increasingly recognising this responsibility and increasing their supervisory role over cyber security. At a minimum, the board should be receiving regular reporting from management on cyber security and evaluating privacy and security budgets. Best practices include establishing a risk committee or audit committee, educating current directors, and evaluating whether the company has appropriate privacy and security roles such as a chief information security officer and chief privacy officer. Senior management and the board should also address risk shifting through cyber insurance.
Minicucci: It is crucial to ensure support at board level. Senior management understand risk, and usually manage it through an enterprise risk management process, but they deal with a universe of risks. It is our goal, as security professionals, to ensure that cyber security is brought to the board level as just another risk, not as an exception or when incidents happen. To be effective, firstly, keep the message simple – you want to be understood. Also, put things in context. You need to speak the language and reframe the recommendations from a product profitability standpoint – for example, delayed invoicing due to incidents during commissioning or lost bids due to missing documentation or certifications. Most companies in the oil & gas vertical have increased their budget and commitment to ICS security, which is a good start, but it is important to keep the focus, as many industrial companies are evolving toward becoming digital industrial companies, if they want to succeed. Security is not just an IT issue, nor just an operations issue. It begins in the boardroom and continues down through each and every employee in the organisation.
de Goede: Due to the roll-out of smart meters, EV charging infrastructure, solar and wind energy production and the IoT, both the privacy risk and the risk of un-trusted connections are high on the corporate agenda for utility companies. This means that they do get a serious amount of board attention, as well as the budgets to match. It also means that the board has sufficient knowledge to understand the gross and residual risks involved, as well as the potential measures and the budgetary consequences thereof.
FW: Immediately following a cyber attack or breach, how should a company go about communicating the situation to suppliers and other business partners to maintain confidence and credibility? Are there any specific communication channels that should be utilised or avoided in this regard?
Minicucci: Between suppliers, acquirer, partners and customers, there should be an established communication framework, with clear details on what needs to be communicated and how. Also, depending on the data compromised, or assumed to be, different state law obligations may apply and require different actions. First, state your commitment to security and privacy. You must also be candid about the incident without revealing confidential information or too many details. You should also outline the impact, or assumed impact, of the breach. You must explain what is being done to resolve the issue, immediate actions and plans, and what actions are required by suppliers and partners. Efforts must be made to reiterate your commitment to supporting customers and staying on the forefront of preventing future breaches. Finally you should be prepared to answer questions in a consistent, unambiguous way, through predefined channels.
de Goede: In the Netherlands, openness and direct communication to all stakeholders and parties involved are default operating procedures for critical infrastructure. On the one hand, this allows attack patterns to be recognised on a national or even supranational level, whereas on the other hand unnecessary collateral damage might be avoided as other parties and the general public have been alerted in a timely manner.
Ferguson: It is important to have in place a cyber incident response team that includes operations personnel and communications professionals. There is no one protocol that is the right communication strategy for cyber incidents. The right communication strategy will depend on the nature of the incident. Incidents involving a compromise of personal information may involve legally mandated communications to affected individuals. Contracts may dictate the nature and timing of communication to third parties. As a general rule, key business partners should not be finding out about an incident through a published report or form letter. The communication to this business partner should come from an individual with a history of working with this business partner and who will be sensitive to their concerns. One role of the incident response team is to identify the individuals who will be engaging in this communication and providing them with talking points.
FW: How do you envisage cyber and technology threats developing over the coming months and years, in terms of their impact on the energy & natural resources sector? With this in mind, what final piece of advice would you give to companies on mitigating such risks?
Ferguson: In recent years, we have seen increasing cyber activity directed at the energy industry by state sponsored actors. In many instances, these state sponsored actors are not seeking immediate access to information or control of a system, but rather are seeking to establish access to a system that could be activated in the future. In essence, much of the activity we are seeing could be characterised as reconnaissance for a future cyber war. If the US did find itself in open hostilities with another country, there is little doubt that the hostile foreign power would want to undermine the US by attacking its energy infrastructure. This long-term threat underscores why it is essential for energy industry companies to be engaging in targeted risk assessment on a regular basis and deploying detection systems that can identify a ‘sleeping’ cyber threat.
de Goede: We would expect the activity of nation state led intrusion to keep growing and organised crime to further professionalise. We would also expect that the interest of organised crime in a DSO might be somewhat lower than for hospitals or financial institutions for example, as in these organisations the pressure and potential impact is high: therefore, criminal activity may lead to gains more easily.
Minicucci: Energy companies are investing a lot in convergence between machines, software and connectivity, with the purpose of creating more value for their customers. This brings all the challenges and opportunities of any big change. Security is no different. It is going to be more and more important, and likewise needs to be thought of not just as a risk, but also as an opportunity. By having the right programmes and processes in place, cyber security can be approached in a structured manner. Firstly, ensure that cyber risk is treated as an enterprise risk. Secondly, establish a cyber security culture, which approaches security holistically through attention to people, processes and technology. This includes cyber security policy, system secure development lifecycle, incident response plan, training, tools and more. Thirdly, create synergies with your existing IT team, leveraging expertise and consolidated processes and tools in some areas, such as incident response and connectivity. Finally, ensure that these procedures are ingrained into the engineering framework – they must be seen just as tasks to be completed, whether it is about supply chain cyber security checks, configuration, integration, FAT, commissioning, or any other phase as appropriate.
Michel de Goede is the strategy consultant at Alliander where he advises general and IT management about the consequences of market developments, investments, divestments and innovation in the digital space. Mr de Goede is also involved with international start-ups, M&A plans and due diligence or the creation of sound models for financial planning and valuation.
He can be contacted on +31 (0)615 159 459.
Gerald J. Ferguson assists clients in developing, protecting, and exploiting intellectual property, data and media assets. His diverse experience includes designing privacy and data protection programmes, managing legal compliance programmes for online business operations, responding to data security breaches, and developing intellectual property portfolios. His clients include online media companies, luxury goods brands, financial institutions, email and text marketers, and data analytics companies. He can be contacted on +1 (212) 589 4238.
Roberto Minicucci is a senior IT risk manager at GE Oil & Gas and works on a variety of topics including remote monitoring & diagnostics, secure development lifecycle, regulatory and standards compliance for industrial automation, supply chain risk management, security assessments, and training.
He can be contacted on +39 055 423 211.
© Financier Worldwide