8 Key Insights for Managing OT Threats in the Energy Sector

08 January 2024

By Sean Arrowsmith

A recent surge in cyber attacks against critical infrastructure has highlighted the vulnerabilities inherent in the energy sector and the far-reaching impact these attacks can have on organizations and the economies and societies they support. Between the conflicts in Ukraine and Gaza, persistent threats from Russia, China, and North Korea, and hacktivism driven by environmental motives, the energy sector is managing more risk than ever from both nation-states and organized criminal gangs.

Simultaneously, the push toward digital transformation is rapidly expanding the attack surface to include operational technology (OT), as newly connected systems expose previously sequestered and highly vulnerable infrastructure.

Our latest Energy Sector Threat Intelligence analysis underscores the growing need for hypervigilance when securing OT. Here, we’ll cover some key actions and provide tips for how energy and utility companies can bolster OT security in the face of these advancing threats.

OT is in the crosshairs.

While ransomware has long been a threat across industrial sectors, new strains are specifically targeting PLC and SCADA networks to take down operations. Once the tactic of state-level actors, it’s now become the domain of organized crime.

Mainstream criminals view these as lucrative targets because an attack that halts production hurts the organization’s ability to generate revenues, increasing the likelihood of ransom payment. That motive only deepens when it affects critical infrastructure for delivering power and heat to millions.

Digitization amplifies risk.

Bringing energy operations online through the Industrial Internet of Things (IIoT), connected sensors, and remote technology has tremendous business benefits. Still, it can also inadvertently throw the doors wide open.

In the IT world, weekly patching is the norm. But in OT, most offline systems have sat in live environments untouched for 20 years, growing increasingly outdated. When they’re suddenly brought online, this immediately exposes legacy systems to internet-based threats they were never designed to defend.

Supply chain risks are lurking.

Just as energy companies strive for operational efficiency, cybercriminals are, too. Threat actors are investing more time and resources into attacking critical suppliers because it’s a better bang for the buck; why attack companies individually when you can breach one and use that access to disrupt thousands?

The SolarWinds/Sunburst attack is just one example highlighting the exponential impact of supply chain risk. A single exploited supplier vulnerability could bring down an entire energy grid or even result in serious harm or loss of life in the event of equipment malfunction. While regulations like the EU Cyber Resilience Act are aimed at addressing this risk, energy companies must take independent action.

Detailed asset inventory is essential.

You can’t secure or defend what you don’t know exists. Before connected systems are brought online, it’s crucial to identify vulnerabilities and include mitigation plans as part of your digitization strategy. Create a tiered threat scheme to prioritize potential threats and build defense tactics as you roll out, including the supply chain.

Monitor for cyber threats in the environment.

Implement continuous monitoring of OT assets in security operations centres. Deploy monitoring across all layers of the architecture to ensure indicators of compromise are alerted on as quickly as possible to allow detection, management, and mitigation of cyber threats in the new environment.

A defense-in-depth strategy is critical.

Devise a layered security model that puts the riskiest assets in the most protected zone, allowing access only to permitted traffic or protocols. This network segmentation sequesters critical assets and will enable you to lock down access incrementally in the event of a threat to minimize damage and impact on operations.

Suitable endpoint monitoring technology is also a must to detect suspicious activity, and while online access is the most common attack vector, don’t neglect physical security. Outdated devices in remote, unmanned facilities could be extremely easy targets.
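As an added illustration of the two preceding recommendations (a tiered asset inventory, and a zoned model that admits only permitted protocols into the most protected zone), the following Python is example code written for this page, not an NCC Group tool. The zone names, the protocol allowlist, the assets and the observed flows are all constructed for the example; the checks flag tier-1 assets placed outside the most protected zone, internet-exposed assets that have gone unpatched for years, and flows that skip a zone boundary or use a protocol the policy does not permit.

```python
from collections import namedtuple
# Zone trust levels: higher = more protected. Tier-1 (riskiest) assets belong at the top.
ZONE_LEVEL = {"enterprise_it": 0, "dmz": 1, "supervisory": 2, "control": 3}
# Protocols permitted to cross from a zone into the next, more protected zone.
# Anything not listed is denied. Hypothetical policy, constructed for this example.
ALLOWED = {
    ("enterprise_it", "dmz"): {"https"},
    ("dmz", "supervisory"): {"opc-ua"},
    ("supervisory", "control"): {"modbus-tcp"},
}
# tier: 1 = most critical to operations; last_patched: year; internet_exposed: bool
Asset = namedtuple("Asset", "name zone tier last_patched internet_exposed", defaults=[False])

def check_inventory(assets, year=2024, stale_after=5):
    """Flag tier-1 assets outside the most protected zone, and stale internet-exposed ones."""
    top = max(ZONE_LEVEL.values())
    out = []
    for a in assets:
        if a.tier == 1 and ZONE_LEVEL[a.zone] < top:
            out.append(f"{a.name}: tier-1 asset sits in '{a.zone}', not the most protected zone")
        if a.internet_exposed and year - a.last_patched >= stale_after:
            out.append(f"{a.name}: internet-exposed and not patched since {a.last_patched}")
    return out

def check_flows(assets, flows):
    """flows: (src_asset, dst_asset, protocol). Flag boundary skips and unpermitted protocols."""
    zone = {a.name: a.zone for a in assets}
    out = []
    for src, dst, proto in flows:
        ls, ld = ZONE_LEVEL[zone[src]], ZONE_LEVEL[zone[dst]]
        if ld <= ls:
            continue  # lateral, or toward a less protected zone: not checked here
        if ld - ls > 1:
            out.append(f"{src}->{dst} ({proto}): skips a zone boundary")
        elif proto not in ALLOWED.get((zone[src], zone[dst]), set()):
            out.append(f"{src}->{dst} ({proto}): protocol not permitted across this boundary")
    return out

# Constructed sample inventory and observed flows (not real systems).
ASSETS = [
    Asset("plc-turbine-1", "control", 1, 2004),
    Asset("hmi-remote-site", "supervisory", 1, 2009, internet_exposed=True),
    Asset("historian", "dmz", 2, 2023),
    Asset("erp-server", "enterprise_it", 3, 2024),
]
FLOWS = [
    ("historian", "hmi-remote-site", "opc-ua"),     # permitted by policy
    ("erp-server", "plc-turbine-1", "modbus-tcp"),  # skips the dmz and supervisory zones
    ("historian", "hmi-remote-site", "rdp"),        # not in the allowlist
]
```

Running `check_inventory(ASSETS)` and `check_flows(ASSETS, FLOWS)` over the constructed data yields two inventory findings (the remote HMI is both misplaced and stale) and two flow findings (a boundary skip and an unpermitted protocol).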

Bring IT and OT together to address risks.

Disconnect within the organization is one of the biggest obstacles to OT security. OT is often the domain of engineers and operations staff, who do not view their equipment through an IT lens. Bridging the gap between OT and IT by bringing these teams together around the same table is vital to improving OT security posture.

Practice incident response.

Given current trends and the broadening vulnerability landscape, it’s not a matter of “if” but rather “when” energy companies will be attacked. That’s why continuously revisiting and drilling incident response (IR) processes, procedures, and roles/responsibilities, including legal and communications strategies, is essential.

The better rehearsed you are, the better you’ll fare in an incident in terms of both network and business impact and reputation damage.

As geopolitical conflicts and environmental concerns escalate, once-covert attacks are now becoming “gloves off”: increasingly brazen and more damaging. Now more than ever, it’s essential for energy companies to have a strong partner on board to provide guidance, tactical advisory, and incident response support.

NCC Group has the OT expertise and experience in bringing IT and OT to the table to help energy companies address these complex issues. Our in-depth knowledge, combined with established Original Equipment Manufacturer (OEM) partnerships and vendor-agnostic approach, gives us an advantage in navigating the challenges of disparate, legacy systems and bespoke integrations and securing multiple OEM systems with discretion.

Stay ahead of OT threats.

To learn more about protecting your organization from growing OT threats, download our Industrial OT and CIRT Retainer guide. Or get started today with an NCC Group OT Retainer by contacting one of our OT experts now.

Sean Arrowsmith

Head of Industrials, NCC Group

Sean Arrowsmith leads NCC Group's go-to-market strategy into sectors including Transportation, Energy & Utilities, and Manufacturing. Sean has worked in cyber security for 23 years in a number of commercial roles, from software start-ups to large multinationals, including Siemens.

Sean was a group board Director at Information Risk Management Plc (IRM), a leading UK-based cyber security consulting and GRC SaaS service provider, which he grew with the IRM executive team before IRM's acquisition by Altran in 2017. Post-acquisition, Sean led the integration and development of cyber security services into Industrial sectors, working with large clients in the Aerospace, Manufacturing, Energy, and Defense sectors. Most recently, Sean was an executive Director at Crossword Cybersecurity Plc, an AIM-listed cyber security technology transfer specialist in supply chain cyber, risk management, and managed security services.