Protecting energy facilities from cyber attack

Energy companies are often targeted by sophisticated hackers looking to create disruption across national economies. Although these facilities are a challenge to protect, there are clear procedures energy companies can follow to improve their security posture.


Over the past few years there has been a paradigm shift in cyber crime: attacks have moved from focusing on stealing confidential information for gain and reputational damage, to manipulating complex systems to produce real-world effects. Increasingly, industrial control systems are linked to the wider internet, and while this has increased efficiency, enabled the collection and analysis of performance data, and allowed remote maintenance, it has also left systems vulnerable to malicious interference.

Oil and gas firms are exposed across the full spectrum of cyber threat, from loss of intellectual property and reputation to disruption of operations. While traditional threat actors (rivals, criminals and environmental activists) persist, there is also a concerning rise in sophisticated attacks against control systems by state-sponsored agents.

Energy companies are particularly vulnerable to attack because of the sheer complexity of their infrastructure and their intersection with third-party suppliers and contractors over whom they may have little control. Energy is a strategic target for malicious actors, as power interruptions, even if minor, can cause a cascade of secondary consequences that may cause longer-term chaos.

CEOs and CIOs of oil and gas companies should take a systematic approach to surveying and then mitigating risk, which can help insulate them from the worst impacts of an attack, even if total prevention remains an impossibility.

Companies need to understand their risk profile before any mitigation can begin in earnest. This involves understanding their assets, the full range of threats they may face and their vulnerabilities. The first of these, assets, is often one of the hardest for energy companies, which have dispersed assets all the way through their business process, from extraction to refining through to distribution.

Threat assessment is often best done by a third party, be that the national Computer Emergency Response Team (CERT) or a private sector security operations centre (SOC) manager; these are likely to have a much clearer notion of the national threat picture. Vulnerabilities may arise from a number of different areas including technology, processes and people. The last of these should never be overlooked as a threat: for companies that employ thousands of people, vetting and control systems are vital to prevent either malicious action or incompetence. Once the cyber security function of the company has a firm handle on its risk profile, it can then move to take appropriate mitigation measures.

Mitigation is a three-part process encompassing visibility, intelligence and integration.

Visibility means truly understanding the configuration of your company’s network and, most importantly, who has access to it. Large companies in particular often maintain networks patched together over decades, running different generations of software. It’s a simple truth that you can’t protect what you don’t understand; a thorough audit is vital at the start of any mitigation process. Sophisticated mapping software can certainly accelerate this process, but ultimately a comprehensive audit requires people on the ground to ask the right questions and find the location of servers and access rights.

Intelligence relates a system’s characteristics to the known threats and vulnerabilities that apply to them; it takes the threat intelligence gathered in the risk assessment process and applies it to the specifics of the company’s system.

Integration aggregates the information found in the first two phases and displays it in a format that can be readily understood by decision makers to enable them to act quickly. In particular, attacks should be logged and diagnosed in a systematic fashion. Energy firms armed with this complete picture should then be able to create a continuous monitoring and mitigation capability supported by intelligence and securely integrated technology.

These are challenging times, but with the right planning, commitment to innovation and sensible practices, nations and companies can mitigate cyber security attacks. It’s the responsibility of both the private and public sectors working together to ensure infrastructure is not just defended from physical attack but made resilient to the efforts of threat actors.

