Recently the city of Atlanta made headline news for reverting to filling out forms by hand due to a major ransomware attack, demonstrating clearly how vulnerable city offices are to cyber attacks. If the government offices of Atlanta can be hit, how vulnerable are public utilities and other critical features of city infrastructure?
According to a survey by Accenture, roughly 50% of energy companies globally believe there is a moderate but real risk of cyber attack in their countries within the next five years which would result in the disruption of energy supply. The Deputy Secretary of Infrastructure Security and Energy Restoration at the Department of Energy’s Office of Electricity Delivery and Energy Reliability, L. Devon Streit, has even said that “The most worrisome threat we face in the energy sector is cyber.”
Between 2011 and 2015, the U.S. Department of Homeland Security had more than 350 cybersecurity incidents reported at energy companies, the majority of which involved a hacker taking—or attempting to take—control of energy systems. In the same window, “the agency identified nearly 900 security vulnerabilities within U.S. energy companies, more than any other industry.” This comes as little surprise, since the bulk of the equipment was designed decades ago without security features.
As this equipment is updated, it is sometimes connected to the internet without appropriate security oversight. This leaves critical and sensitive equipment exposed to hackers who could “mess with a refinery or cause a vessel to explode,” according to Richard Garcia, former FBI agent and current cybersecurity specialist.
Current laws don’t require oil and gas companies to report when they have been infiltrated by a hacker. When they are reported, “the specifics are typically kept secret because companies disclose information in exchange for anonymity and discretion,” which means no one really knows how often cyber attacks occur.
However, even with not all attacks being reported, the numbers still show that there has been an increase in cyberattacks on US energy facilities since 2016. As recently as March 2018, reports surfaced that a few well-organized groups of hackers have “launched an ongoing campaign of online attacks against U.S. energy, nuclear, water, aviation and manufacturing operations since at least March 2016.” Their aim has been to figure out how to control these vital utilities, establish backdoors, steal trade secrets, and “disrupt, degrade, or destroy” facilities.
Other groups of hackers across the US and Europe have been active since 2011 (including Dragonfly, which went quiet for a few years but is back in action, having launched major attacks in the US, Turkey, and Switzerland in 2017).
Attacks, which are becoming more and more frequent, have succeeded because networks lacked proper security segmentation and basic firewall implementation, among other failures.
U.S. federal agencies stated that Russian hackers compromised the systems of some “operators in North America and Europe by spring 2017” and have been sitting at the controls since then. “From what we can see, they were there. They have the ability to shut the power off. All that’s missing is some political motivation,” said Mr. Chien, a security technology director at Symantec, a digital security firm.
Cybersecurity firm Dragos has estimated “that computer controls at industrial facilities, including in the oil business, get infected by non-targeted malware at least 3,000 times a year.” The firm further warned that the latest generation of worms could cause far greater damage.
At a global level, the World Energy Council reports that as energy companies have become easier targets, they have also become more desirable ones. In the last year, there has been a massive increase in successful cyberattacks against energy companies. “Energy companies must get used to the fact that cyber now poses the same kind of risk to large infrastructures as a flood or a fire.”
Recently, “the National Infrastructure Advisory Council (NIAC) published a draft report detailing the complex risks associated with critical infrastructure sectors,” and “made 11 specific recommendations, including the establishment of specific network paths and reserved spectrum for backup communications during emergencies.”
In the US, the Office of Electricity Delivery and Energy Reliability’s top priority is making the nation’s grid and infrastructure safe against cyber threats. It advocates a course of action that includes: strengthening cybersecurity preparedness; coordinating incident response as well as recovery; and “accelerating research, development and demonstration (RD&D) of game-changing and resilient energy delivery system.”
According to industry experts, many energy and utility groups are not cyber ready, and basic levels of protection will not suffice. The level of protection that is needed “cannot be achieved with traditional Internet Gateway security solutions such as firewalls, IPS and the like.” Total protection may not be possible, especially since the hacks will only get more frequent, more sophisticated, and more powerful. However, without adequate systems in place to protect and respond, disruptions of service—or worse—will happen.