Securing the energy industry: is success a dead CERT?

Waking Shark II results lack bite

Firewall technologies were once seen as the saviour when trying to safeguard against cyber-attacks, nowhere more so than in the energy market.

This was back in a time when energy companies weren't particularly security conscious, engineering and business networks were run on separate, specialist control equipment, and the threats they faced were nowhere near as severe - but the industry's now a well-oiled security machine, isn't it?

It's an integral part of the global economy - with extremely high-stakes security risks compared to other industries - but recent events have revealed some big holes in market-leading energy providers' security infrastructure.

Of course, things have kicked on a bit since the good old days, but after recent events involving energy firms' cyber security it's not ridiculous to suggest that the industry is still in a 'firewall fix all' way of thinking.

Take, for example, the recent attack by Dragonfly hackers, an incident which shows that the energy industry is targeted just like any other. Right now we have little specific information as to the purpose of these attacks, but interestingly one of the threats identified had been 'in the wild' since May 2013 and, amazingly, the other since December 2010 - although the code was modified in this case.

The point is this: if a simple phishing or watering hole attack can lead to this level of compromise, then imagine the impact a more sophisticated attack could have on the industry.

The launch of the Government's new Computer Emergency Readiness Team (CERT) would serve to reassure some that the safety of the country's most critical infrastructure is now in good hands, but it certainly won't be seen like that by every security expert.

Admittedly the energy industry isn't the only one at risk, but it arguably has the most to lose and needs continual support from CERT in order to stave off more advanced security threats.

It has been a positive start for CERT though, issuing multiple advisories since its inception, and it should be given credit for moving quickly and raising awareness of new threats.

However, Government agencies do tend to have something of a penchant for over-focusing on irrelevance, making it difficult to predict whether CERT will be any different in the long term.

Light bulb moment

It would be sensible to assume that the latest component of the government's £650m National Cyber Security Strategy will be responsible for informing the energy industry's big hitters of their security shortcomings, but it remains to be seen whether CERT will stand up and provide the security regulation the energy industry so desperately needs.

Just as the FCA regulates the banking industry, CERT needs to perform the same role for physical infrastructure and major service providers like gas and electricity.

The banks are audited by a governing body, and it should be no different for energy firms - CERT needs to proactively work to reveal the gaps in energy suppliers' security strategies, which will help to bring them into the 21st century.

Unbeknown to many though, energy market assets like power stations operate on shoestring budgets and extremely tight margins, so predictably there's not often talk of IT security investment internally. There's also not an abundance of security-minded staff in such environments, so this is absolutely where CERT needs to intervene.

With the limited resources and budget available, governing bodies should be exercising what power and influence they have to advise the operators of such critical infrastructure.

Emerging from the dark ages

At the moment, there doesn't appear to be any bulletproof strategy for dealing with an attack on the National Grid. And with the energy market now receiving increased attention from the bad guys, there really ought to be one.

There's no talk of any 'Operation Waking Shark' test for the energy industry, an exercise that would surely benefit the major providers, so it's high time a regulatory body put processes in place for the protection of physical infrastructure.

Maybe the secret to success lies in energy companies collaborating? Perhaps security conversations in energy firms need to be escalated to board level to ensure they get the necessary attention? Or do we need to put more of an onus on educating employees?

Whatever the course of action, there is clearly a need for big change in the energy sector.

It will only be a matter of time before hackers target the consumer end of the market - remotely shutting down entire streets/towns and causing no end of chaos - if the same antiquated approach to security isn't updated.

If CERT doesn't put an emphasis on developing energy market security, we may literally be back in the dark ages.

Contributed by Alan Carter, cloud services director at SecureData.