Energy and utility companies are more likely to have hackers spy on their IT systems looking for information to steal than attack critical infrastructure, according to a new report.
The Vectra 2018 Spotlight Report on Energy and Utilities said that while ICS is in the crosshairs, most attacks against the energy and utilities industry occur and succeed inside the enterprise IT network – not in the critical infrastructure.
The report said that there is a difference between attacks that probe IT networks for information and access about critical infrastructure versus attacks against the industrial control system (ICS) on which the critical infrastructure operates.
"The two are interconnected, but the targeted assets are different," the report’s authors said. "Cyber-criminals have been testing and mapping-out attacks against energy and utilities networks for years. These slow, quiet reconnaissance missions involve observing operator behaviors and building a unique plan of attack. The attack that shut down the Ukraine power grid in 2015 was reportedly planned many months in advance by highly skilled and sophisticated cyber-criminals."
According to the report, hackers use staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. The report found that administrative protocols are a favourite tool of attackers because they allow cyber-criminals to move laterally inside networks where they have already established a durable foothold.
"Because administrative connections are typically used in conjunction with administrative credentials, attackers often have unconstrained access to systems and data that are critical to energy and utilities organisations," the report said. "Unexpected and unexplained administrative connections represent a huge potential risk in the lifecycle of a major breach."
The report said that monitoring the network for attacker behaviours may "provide the only clues to tracking their steps since the attacker may have erased evidence on endpoints as well as logs".
Ojas Rege, chief strategy officer at MobileIron, told SC Media UK that cyber-security is a concern for all organisations and the energy sector is no different.
"Stakes are high in the energy sector, because cyber-security is entangled with public safety as well as environmental concerns. Like all businesses, a cyber-attack on a company within the energy sector would hinder business efficiency and damage reputation. But, it could also impact public safety and well-being," he said.
Adam Brown, manager of security solutions at Synopsys, told SC that ICS networks and the devices on them give direct control over pieces of critical national infrastructure.
"However, the intelligence needed to use them effectively to conduct an attack effective in shutting down entire systems comes in the related documentation such as flow, state and wiring diagrams. This information lies on the IT network," he said.
He added that it is now widely recognised that correct logging and monitoring of logs is a valuable method of detecting and preventing attacks.
"This control has made it this year to the OWASP Top 10 list. However, a more strategic issue is the lack of a joined up effort with management direction – a concrete software security initiative driven by a software security group will identify the weakest spots in an organisation and put in place an action plan to introduce or mature those capabilities. The BSIMM is a decade long study of such strategies and is worth a read."