
3 lessons energy and utility cyberattacks have taught

Recent attacks indicate that energy and utility companies need to increase their security posture sooner rather than later. Because energy companies are so entwined with local and global operations, attackers can see significant financial gains, cause widespread infrastructure disruption, or steal coveted intellectual property.

Establishing a strong security program is vital for energy and utility companies to protect their resources. Without a resilient strategy, energy and utility companies remain vulnerable to a sophisticated cyberattack. 

Here are three lessons we can learn from recent attacks on the energy and utility industry.

Lesson 1: Social engineering and system intrusion attacks are highly successful

In 2020, Israel’s water systems saw a series of attacks. That April, hackers believed to be linked to the Iranian Government attempted to compromise industrial control systems (ICS) that control water flow and wastewater treatment systems. Two more attacks shortly followed. The perceived goal of the attack was to increase chlorine and other chemicals to harmful levels and disrupt the water supply. All of this came at the height of COVID-19 lockdowns and heatwaves.

Investigations discovered that the threat actors exploited outmoded legacy systems and inadequate password guidelines. These attack vectors are prevalent in the industry. In fact, the Verizon 2021 Data Breach Investigations Report found that social engineering, system intrusion, and basic web application attacks represented 98% of breaches. Across all industries, phishing alone accounted for 36% of network compromises, and stolen credentials clocked in at 25%. These techniques enable System Intrusion and the installation of malware or ransomware.

It is important for energy and utility companies to maintain basic security hygiene such as updating passwords regularly, educating against sophisticated phishing attacks, and keeping devices updated. But enterprises also need tools that allow them to detect threats, wherever they might be on the network.

Lesson 2: Even unsophisticated attacks have major consequences

Despite the scale of impact, the ransomware attack on the Colonial Pipeline was not a particularly sophisticated attack. The attack itself was relatively short and narrow in scope. On May 6th, a Russian cybercriminal group identified as DarkSide gained access to Colonial’s financial and billing systems by using stolen credentials. 

It is believed the credentials were stolen in another breach, and the password was reused for other systems. That reused password gave DarkSide access to a user’s VPN account, and within a two-hour window, they collected 100 GB of data. Once the data was collected, they encrypted it and installed ransomware on the system.

Colonial shut down the pipeline, worried the ransomware might have spread to the OT systems and equipment. In actuality, DarkSide had not infiltrated the pipeline’s systems, and the group released a statement shortly after the attack claiming they were not aiming to cause widespread disruption. Despite this intention, the fallout was extensive. The Biden administration declared a state of emergency to account for the oil shortage, fuel prices spiked, and several flights were canceled due to a lack of jet fuel.

The pipeline was shut down for less than a week, but imagine the ramifications if DarkSide had intended to inject ransomware into the OT systems and had succeeded. The disruption could have lasted several weeks, and Colonial’s financial and reputational costs could have been catastrophic.

Lesson 3: Many security teams lack situational awareness

As mentioned above, the Colonial Pipeline was ultimately shut down because the company could not determine if the ransomware had spread to the pipeline’s OT systems. The investigating firm Mandiant determined that the security team lacked enough situational awareness to determine how widespread the attack was. They could not tell if the attackers moved laterally from the financial system to the OT systems. 

In both the Colonial Pipeline and Israeli water system hacks, the organizations had network blind spots that allowed vulnerabilities to be exploited. Not being able to easily track device OS vulnerabilities or unusual activity like data accumulation, an action that typically happens before a ransomware attack, kept the security teams in the dark when the attacks were happening. The impact of both could have been far greater.
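The data-accumulation signal described above, as an added example (not from the original post or from any NDR product): a sliding two-hour window over flow records flags a host that pulls in an unusual volume of data from internal systems. The record layout, the host names and the 50 GB threshold are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)     # window length, mirroring the two-hour collection above
THRESHOLD_BYTES = 50 * 10**9    # assumed alert threshold (50 GB); tune per network

# Constructed flow records: (flow end time, receiving host, sending host, bytes).
SAMPLE_FLOWS = [
    ("2024-01-10T00:00:00", "backup-srv", "file-srv", 20 * 10**9),
    ("2024-01-10T01:00:00", "vpn-user-17", "billing-db", 20 * 10**9),
    ("2024-01-10T01:20:00", "ws-042", "file-srv", 2 * 10**9),
    ("2024-01-10T01:40:00", "vpn-user-17", "finance-share", 25 * 10**9),
    ("2024-01-10T02:30:00", "vpn-user-17", "billing-db", 35 * 10**9),
    ("2024-01-10T03:00:00", "backup-srv", "file-srv", 20 * 10**9),
    ("2024-01-10T06:00:00", "backup-srv", "file-srv", 20 * 10**9),
]

def find_accumulation(flows, window=WINDOW, threshold=THRESHOLD_BYTES):
    """Return {host: (alert_time, bytes_in_window, sources)} for the first alert per host."""
    recent = defaultdict(deque)  # receiving host -> flows still inside the window
    totals = defaultdict(int)    # receiving host -> bytes received inside the window
    alerts = {}
    for ts, collector, source, nbytes in sorted(flows):
        now = datetime.fromisoformat(ts)
        q = recent[collector]
        q.append((now, source, nbytes))
        totals[collector] += nbytes
        # Expire old flows so a slow, scheduled transfer never sums past the threshold.
        while now - q[0][0] > window:
            totals[collector] -= q.popleft()[2]
        if totals[collector] >= threshold and collector not in alerts:
            sources = sorted({src for _, src, _ in q})
            alerts[collector] = (ts, totals[collector], sources)
    return alerts

if __name__ == "__main__":
    for host, (ts, total, sources) in find_accumulation(SAMPLE_FLOWS).items():
        print(f"{ts} {host} received {total / 10**9:.0f} GB in 2h from {sources}")
```

In the sample, `backup-srv` moves 60 GB over the day without alerting because no two-hour window holds more than 20 GB, while `vpn-user-17` crosses the threshold on its third transfer.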

Energy and utility companies would be wise to consider network detection and response (NDR) solutions that allow them to detect threats across the network. Cyberattacks have the potential to cause widespread disruption and harm. Learn how companies can respond in our recent case study.