The USA is a major consumer of energy; a North American household uses, on average, 11,698 kilowatts per hour compared to the average Indian household, which uses 900 kilowatts per hour. According to the World Energy Council, North America is also one of the biggest energy producers in the world, as one of the top three producers of all types of energy, except hydropower. 

Critical Infrastructure Security and Cyber Terrorism

Cyber espionage and cyber terrorism/sabotage are the main cyber threats targeting our energy sector. This sector holds much intellectual property and, as critical infrastructure, is a prime candidate for terrorism and sabotage, especially by state actors.

One key source of vulnerability within the energy sector is that our energy systems are becoming digitized to improve efficiency and to keep up with the changing needs of the industry. This includes the connectivity requirements of the extended supply chains used within the sector. Industrial Control Systems (ICS) are part of this digitization program and are being connected to the Cloud to allow distributed data capture and sharing. This has increased their attack surface, making them more vulnerable to cyber attack. In a review by IBM X-Force entitled “Security Attacks on Industrial Control Systems”, IBM found a massive increase in ICS attacks in the three years prior to August 2015. Hacktivists and malicious insiders are carrying out these types of attacks, and the USA has had, by far, the greatest number of attacks at around 70% of the total. The attacks are increasing because of the change from closed systems to Internet-facing ICS.

As with many cyber security attacks, the vectors used are the usual suspects. Phishing, specifically spear phishing, is a key method being used to gain access to network resources and infect systems with malware.

A recent high-profile attack that specifically targeted ICSs was carried out by the group of cyber criminals known as ‘Dragonfly’ or ‘Energetic Bear’. The group used three types of attack vectors:

1. Spear phishing emails targeting employees and supply chain members.

2. Watering holes, i.e. malware-infected sites that were commonly used by the targeted companies.

3. Installation of Trojan malware into software code developed by third parties that was used to update ICS units.

The group mainly attacked U.S.- and European-based energy sector companies in the petroleum and electricity-generating sector. However, they went after suppliers to the sector as well. Energetic Bear is a perfect example of an attack capitalizing on Internet-facing systems and a supply chain infection.

The Department of Energy, in collaboration with the National Institute of Standards and Technology (NIST), has developed a set of guidelines for the energy industry, the “Cybersecurity Risk Management Process (RMP) Guideline”, to help inform the Risk Management Process within a security strategy plan. Using sound advice such as this helps in informing a robust security strategy to manage energy sector targeted attacks.

Personal Energy, the Internet of Things and Cyber Security

A report by MarketsandMarkets has predicted that the Internet of Things (IoT) device market within the energy sector will be worth over $22 billion by 2020. This isn’t surprising, as the IoT has become very popular as a method of controlling energy supplies on a personal and business basis. Smart Grids and IoT devices, like Nest, give us the opportunity to generate data, which can then be used to ensure we have the right energy tariff. They can also be used to make sure we use our energy in the most efficient way; turning off lights remotely is one small example of the control features the IoT gives us. The Nest thermostat is one such device that helps consumers and offices make the most of their energy requirements. However, as we’ve seen in previous posts, the IoT is a cyber criminal’s dream. An IoT device offers a way into our homes and offices. Connected to Cloud platforms to collect and analyze data, these devices are open to the same sorts of web-based threats as any other Internet-facing system. You can envision a scenario in which a hacker has control of thermostats across the nation, exploiting them as methods of data extraction, energy control, and doors into other devices and accounts. It is even possible that the information gleaned from such devices would allow burglars to know when you’re away from home. Fortunately, white hat hackers are on the case, finding holes in IoT devices like Nest and offering fixes before the true hackers find them.

To help stem the potential tidal wave of IoT-generated crime, the Online Trust Alliance (OTA) has built a framework of guidelines for ensuring that IoT devices, in the energy sector and beyond, take security and data privacy into account. It is up to the industry to follow this advice to protect consumers from IoT-based cybercrime.

Switching Off Cybercrime Not the Lights

The Stuxnet virus that shut down the Iranian nuclear power industry, and that allegedly originated from state sponsors in the USA and Israel, is the most infamous energy sector attack in known history. We should expect that Stuxnet will be ‘out famed’ soon by a similar critical-infrastructure-based cyber attack, as our energy sector reaches out into the connected world and opens up our industrial systems to the world of cybercrime. Our energy infrastructures are too interesting a prospect for a cyber criminal group not to be planning attacks already. If we work in this sector, we are facing the challenges of new ways of working, but with those challenges we also need to face cybersecurity head-on. Guidelines and frameworks can help us build robust and achievable security plans that work across the entire energy ecosystem.