The U.S. Energy Sector’s SCADA and ICS networks often are criticized in the press for being outdated, non-standardized, and difficult to manage because of inscrutability to all but a select few. I prefer to think of those as advantages.
Our SCADA and ICS infrastructure is heterogeneous and distributed. Combine those advantages with the high bar of insider knowledge or engineering expertise needed to understand and operate these systems and you have a natural, layered defense! Still, threats and their corresponding risks exist.
My audacious risk predictions for the remainder of 2016 address the nature of the cyber threat and the potential for the energy sector to encounter it during the year. The risks are divided into High, Moderate, and Low. I've based these upon the basic Risk Equation: Risk = Threat × Vulnerability × Cost.
Cyber crime – high risk. Administrative systems are most at risk. Commonality of operating systems and the ability of utilities to pay large ransoms make the energy sector a very attractive target for ransomware and data theft.
Hacktivism – moderate risk. Hacktivists often focus on social issues. The energy sector may be targeted after accidents that affect the environment. DDoS attacks remain a threat to administrative and customer service systems.
Cyber espionage – moderate risk. Actors will continue to probe and insert persistent backdoors or other malware. In spite of declarations and treaties, cyber espionage will probably remain at current levels for the next year.
Cyber attack – low risk. The potential for effective, coordinated cyber-physical attacks involving intrusion into U.S. energy networks is low.
How do I justify my analysis?
There's nothing like a slight time delay in getting a publication online - in the interim between my predictive analysis and the posting of this article, DHS in April released a document on the same subject with basically the same predictions. That's a good indication that the private and public sectors are not so far apart in thinking about threats as some would have us believe.
What can I do with this information?
Though these threats appear in a hierarchy, nothing prevents an adversary from changing tactics, techniques, and procedures. Just as it's impossible to legislate against tomorrow's cyber threats, it's impossible to predict their exact nature - that's why an adversary-motivation approach is a good fit for enabling a more accurate risk analysis and risk management protocol.
In the end it always boils down to the user. An employee might sell the company's crown jewels or SCADA architecture - the insider threat. A recent survey found that 27 percent of U.S. employees would sell their passwords for less than $1,000. About 47 percent reported that after leaving their company they still had remote access to their accounts.
An employee on a lunch break browses an innocent web site, following each and every guideline the company provides for personal Internet use at work. Through no fault of the employee, the web site has unknowingly been infected to deliver a malware package to visitors - the Watering Hole attack.
An offended hacktivist group might focus worldwide resources on your organization because they didn't like a single tweet out of the thousands you've sent. Now you're the target of a spear phishing or whaling campaign – trying to get access to your systems and bring your business down. Barring that, a DDoS campaign is a handy alternative. Hacktivism may have more supporters than you imagined.
Anybody in cyberspace can suffer an intrusion at any time. It's time to stop blaming the victim for cyber intrusions. At the same time, don’t set yourself up as the instrument of your failure. An aware user is always the first line of defense for both administrative and operational sides of your network. Be the aware user.