Energy infrastructure security: Key takeaways from modern day cyberattacks

November 17, 2022 7 minute read

Energy grids have long been a target of cyber criminals looking to disrupt critical infrastructure, and attacks across this sector have become commonplace around the globe. The 2021 cyberattack on the Colonial Pipeline in the U.S. showed that a password compromise can impact both IT and OT systems, and that disruptions to these systems have far-reaching implications, not only for the company but also for its shareholders and customers.

A hacker also tried to poison the water supply of Oldsmar, a Florida city, through a remote access software platform that had sat dormant for months. In February 2022, a cyberattack on the European oil refining hubs of Amsterdam-Rotterdam-Antwerp (ARA) disrupted the loading and unloading of refined product cargoes amid a continental energy crisis. And now, with the war in Ukraine, there is a well-documented Russian strategy of targeting Ukraine’s power plants and other energy infrastructure security vulnerabilities.

Although Ukraine and others have been able to fend off many cyberattacks on critical infrastructure with the help of modern multi-factor authentication (MFA) and security keys, cyberattacks continue to cause havoc. These examples serve as a stark reminder that security measures, especially strong authentication practices, tend to be unevenly implemented across different energy facilities. This is why a concrete plan needs to be in place to protect our highly valuable energy and natural resource services and infrastructure.

Protecting Operational Technology

Two crucial areas that sometimes get overlooked are those that historically sat apart from IT systems: Operational Technology (OT) systems such as Industrial Control Systems (ICS) and Critical Infrastructure Systems (CIS).

Two common attack vectors targeting these areas are phishing and compromised remote access, both enabled through stolen credentials. Once an attacker gains a foothold, that person can move laterally, potentially find an entry into an OT environment, and disrupt critical devices and functions. Even if an OT environment is completely isolated from your IT environment, the business depends on both, and an impact on one environment can negatively affect the working operations of the other. A recent Dragos report detailed how malware known as “Pipedream” has been wreaking havoc. The Transportation Security Administration (TSA) also issued TSA Security Directives 2021-01 and 2021-02, which mandated a higher bar for security to reduce cybersecurity gaps and required pipeline owners and operators to implement specific mitigation measures against attacks and threats.

It’s important to stay abreast of mandates that require organizations to move away from passwords and other approaches that are vulnerable to breach, and towards modern approaches that deliver phishing-resistant authentication able to withstand phishing and other modern attack mechanisms. Today the only two authentication methods that meet these requirements for phishing-resistant access are PIV and FIDO2.
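What makes FIDO2 phishing-resistant, as opposed to merely "multi-factor", is that the browser and the security key bind every assertion to the real web origin and relying party (RP) ID, and the RP verifies that binding. The following is an added example, not code from the original post or from Yubico: a relying-party-side assertion check in the shape of the WebAuthn verification steps, run against a toy authenticator. The domain names are constructed, and the signature is stood in for by HMAC-SHA256 with a key the RP already holds (an assumption made to keep the example stdlib-only; a real key signs with an asymmetric key such as ECDSA P-256). The toy authenticator also signs for whatever RP ID it is handed, whereas a real key would not even locate a credential for a look-alike domain; that is deliberate, so the RP-side rejection is visible.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed relying-party values for this example; not from the original post.
RP_ID = "energy-co.example"
EXPECTED_ORIGIN = "https://energy-co.example"


def b64url(data: bytes) -> str:
    """WebAuthn encodes the challenge in clientDataJSON as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class ToyAuthenticator:
    """Stand-in for a FIDO2 security key. Signs with HMAC instead of ECDSA
    (assumption for a stdlib-only example). Everything it signs covers the
    RP ID hash, which is the property that matters here."""

    def __init__(self):
        self.key = os.urandom(32)   # in this toy the RP holds the same key
        self.sign_count = 0

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        self.sign_count += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
                     + b"\x05"                                  # flags: UP | UV
                     + self.sign_count.to_bytes(4, "big"))      # signCount
        sig = hmac.new(self.key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authenticator, page_origin: str, challenge: bytes):
    """Browser side: clientDataJSON carries the page's real origin and the RP ID
    is derived from that origin. Page script cannot substitute another origin."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }, separators=(",", ":")).encode()
    effective_domain = page_origin.split("://", 1)[1].split("/", 1)[0]
    client_data_hash = hashlib.sha256(client_data_json).digest()
    auth_data, sig = authenticator.get_assertion(effective_domain, client_data_hash)
    return client_data_json, auth_data, sig


def verify_assertion(cred_key: bytes, expected_challenge: bytes,
                     client_data_json: bytes, auth_data: bytes, sig: bytes) -> str:
    """Relying-party side. Returns "ok" or the reason the assertion is rejected."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch (replay or cross-session use)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch: credential used under another RP ID"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    return "ok"


def demo():
    key = ToyAuthenticator()
    results = {}

    # 1. Legitimate login on the real site.
    challenge = os.urandom(32)
    results["legitimate"] = verify_assertion(
        key.key, challenge, *browser_get(key, EXPECTED_ORIGIN, challenge))

    # 2. Same user, same key, on a look-alike phishing site that relays the
    #    RP's real challenge. The browser stamps the phishing origin into
    #    clientDataJSON, so the RP rejects it even though the user cooperated.
    challenge = os.urandom(32)
    results["phishing_origin"] = verify_assertion(
        key.key, challenge, *browser_get(key, "https://energy-co-login.example", challenge))

    # 3. A captured assertion replayed against a later session.
    captured = browser_get(key, EXPECTED_ORIGIN, os.urandom(32))
    results["replay"] = verify_assertion(key.key, os.urandom(32), *captured)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Contrast this with a one-time code or push approval, which carries no notion of origin: whatever the user types into the look-alike page can be forwarded to the real site unchanged. Here the origin and RP ID hash are inside the signed data, so the RP has something concrete to check, and the check is cheap.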

In formulating a modern MFA security strategy for the Energy sector, it is critical to take the following users and business scenarios into consideration.

  • Contractors, contract service workers, secondees, and joint ventures. These peripheral or less-than-full-time workers probably do not have a device issued by the organization that owns the facility. This is a fast-moving workforce that tends to change in size and character every month depending on the season. Further, outsourced contractor work on critical systems is typical, and these individuals tend to bring their own devices in to validate equipment, which only widens the potential threat gap. These groups have a heightened need for well-designed implementations, education and awareness related to strong, phishing-resistant authentication practices. Their short-lived engagements also mean they need to be up and running with as little time overhead as possible.
  • Shared workstation environments. These could be devices, kiosks, or computing environments used by multiple, often “roving” users. While these stations are often critical in day-to-day operations, they are also the most vulnerable to threats because they have direct links to critical systems and sensitive data, which amplifies the insider threat, whether malicious or negligent, and presents additional security risks when they are used in high-traffic areas. When securing access to shared workstations, consider the capabilities of the system itself and each individual’s explicit job duties, so that access is not overly burdensome to their daily tasks and only exposes the data and controls their job function requires.
  • Mobile-restricted environments. Some workplaces, such as manufacturing floors or high-security industrial sites, cannot allow mobile devices because of the environment itself: specialized equipment (air-gapped or SCADA), isolated networks, harsh conditions, or offline and offshore locations. This eliminates mobile authentication as an option completely. Finding an always-available, phishing-resistant multi-factor authentication (MFA) solution that doesn’t rely on cell service, internet access or device battery to work, such as a security key, is critical.
  • In-the-field IoT devices. The energy sector is increasingly deploying IoT devices to create “smart grids” and intelligent networks. These smart networks, with the ability to constantly monitor and react, allow for operating efficiency. But with this explosion of new devices, new threats are emerging. An example of an attack is the one KrebsOnSecurity covered in 2021 which was caused by a new IoT botnet called “Meris.” This proliferation of endpoints, created by the adoption of IoT devices, results in enhanced risk due to larger attack surfaces. Securing ‘device to device’ and ‘operator to device’ interactions now, more than ever, should remain near the top of the risk registers for organizations that operate within this space. 

Guarding the supply chain

Perhaps an even greater challenge than OT is protecting energy facilities’ supply chains, including code management. Most enterprises are just starting to develop plans to create consistency and compliance across hundreds of supply chain related applications.

The new National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems and the Department of Homeland Security’s Cybersecurity Performance Goals (CPGs), which are intended to supplement NIST’s Cybersecurity Framework, highlight the highest-priority baseline measures that critical infrastructure owners should be taking to protect against modern cyber threats. Section 1.3, on MFA, recommends that ‘hardware-based MFA is enabled when available’ for secure access within IT and OT environments. This is in addition to the more general Executive Order 14028 on MFA issued by the President of the United States.

These are all pushing the urgency for security-focused supply chain plans and to ensure stringent security practices across all critical infrastructure. 

Security is only as strong as your weakest link

If your supply chain vendors and outsourced partners don’t follow the same phishing-resistant MFA approach as you do, this can result in costly consequences such as disruption to operations, and national or regional critical infrastructure outages.

How do you get them involved? To start, notify your supply chain partners that phishing-resistant MFA is a distinct priority with a clearly worded memo. If you already have new compliance regulations, put them out there well ahead of time so suppliers aren’t surprised by an unveiled “grand plan” later on. While there will always be a few slow turtles on compliance issues, most partners will want to prepare well ahead of time to meet new security requirements. Working with them in collaboration (the carrot) is always better than threatening to find another vendor (the stick).

As attacks across this sector are widespread, future global regulations may follow suit. The sophistication of cyberattacks targeting IT and OT systems across the energy and natural resources sector only heightens the urgency of adding phishing-resistant MFA, like the YubiKey, for digital access for all users that have touchpoints into your infrastructure.

(Anonymous cyber security executive for Ukraine energy plant) “Since the war began, we have experienced a massive increase in phishing attacks… We believe YubiKeys are as important for our cyber defense as the bullet proof vests that are protecting the soldiers and others that are on the front lines of the ground war.” 

——

This just scratches the surface — to learn more on securing energy and natural resource infrastructure, be sure to read Yubico’s white paper: Securing energy and natural resources against modern cyber security threats.