Defining the threat in the energy sector

Though the malware and techniques of cyber threats constantly change, reasons for intrusions remain fairly static. Understanding the reason for the threat allows us to make near-future predictions about the relative dangers presented to the energy sector ICS environment. Should we worry? On what should we focus? Knowing why the threat exists helps us to identify the high value items most likely to be targeted by different categories of cyber intruders.

The total number of intrusions against the energy sector has increased yearly since 2012, accounting for 46 intrusions reported to DHS in 2015. By categorizing the motivation behind (known and reported) intrusions we can begin to understand who might become a target and how to defend ourselves.

Intrusions fit into four general classes, in order of frequency:

• Cyber Crime
• Hacktivism
• Cyber Espionage
• Cyber Warfare

There are two significant impediments in analyzing private sector cyber threats. One is that many cyber threats are never detected. The other is that most organizations won’t self-report unless a compelling reason exists. The willingness of organizations to share cybersecurity data is slowly increasing thanks to the Information Sharing and Analysis Centers (ISACs) and recent legislation.

Cyber crime

Ransomware is designed to deny access to the data on a target computer until a ransom is paid; by far the most pervasive and expensive 2015-into-2016 cyber-crime threat.

The healthcare sector was the biggest target. Among buyers and sellers of illicitly gained personal data a healthcare record is worth roughly 16 times more than a credit record. The energy sector did not report any incidents of ransomware infection. Yet.

Risk transfer, through purchase of insurance, is one mitigation option. If you are a multi-billion dollar business and the ransomware is a mere annoyance (a few hundred dollars), it may be reasonable to pay the ransom in conjunction with other mitigation and use the experience as a learning opportunity.

Hacktivism

Hacktivist attacks involve threat actors motivated by ideology in an effort to maximize disruption and embarrassment to their specifically targeted victims. They operate on a mob mentality with the aim of righting real or imagined social wrongs. The energy sector so far has largely been spared by hacktivists. 

Once having penetrated, defaced, or damaged their opponents and exfiltrated any data, the hacktivist normally seeks some kind of recognition, especially media coverage. The public acknowledgement of the hacktivist’s skills in itself is often enough to mitigate the attack. 

[ ALSO: Hacktivist group possibly compromised hundreds of websites ]

Establishing a block list that will reject bogus IPs will help to repel hacktivist DDoS attacks. Avoid issuing malicious tweets or commentary on social networks to deny hacktivists an issue. A well-designed and exercised media response plan can negate a hacktivist’s public support. 

Cyber espionage

Cyber espionage is the use of computer networks to gain illicit access to confidential information. Cyber espionage is normally the domain of the nation-state and is designed not to disrupt operations. These attacks normally go unnoticed for long periods of time. APTs have resided within computer networks and accessed information at will for years. 

Cyber espionage has two primary motivations. One is to collect data for economic espionage. The other is to develop human targets through stolen employee data. A system administrator may have financial problems indicated in credit reports. The nation-state can offer the system administrator payment in exchange for access to corporate networks. This facet of cyber espionage is an external driver that creates an insider threat.

Segmenting administrative and operational networks and creating least-privilege user accounts, are effective countermeasures. Establishment of an internal reporting system for employees to report suspicious, foreign, or “just strange” contacts is helpful to defeat the insider threat development cycle, as is monitoring user behavior.

Cyber attack

Cyber attack is the rarest form of cybersecurity risk. Cyber attack meets a threshold that justifies military action on the part of the victim’s nation. These normally would involve widespread degradation, disruption, denial or destruction of critical infrastructure. Though most intrusions are colloquially referred to as “attacks,” an actual cyber attack is an act of war.

Good cyber hygiene and adherence to DHS guidelines and NIST frameworks are the best places to start building a wall against cyber attack.

What does it all mean?

Having categorized the threat actors and their motivations, we can look at those threats in light of both the real and the cyber environments and begin to make some predictions about what 2016 will bring us. In Part 2 of Defining the Threats of 2016 I’ll make some audacious predictions about what this year will bring in the way of threats to Energy Sector ICS and perhaps point towards areas where our cyber dollars will potentially give us the most bang for our buck.