


Myth-busting the urban legends surrounding the energy sector

Mar 29, 2017 | 5 mins
Critical Infrastructure, Data and Information Security, Security

A U.S. newspaper recently printed an article, “Hacked: Energy industry controls provide an alluring target for cyberattacks,” focusing on purported cybersecurity weaknesses across the energy sector. The article, unfortunately, combined old news, urban myth, generalizations, and an utter disregard for aggressive national and international measures to defend critical infrastructure. Seldom does a better opportunity arise for Industrial Control System (ICS) and energy sector myth-busting. This response is intended to set the record straight.

Myth one – the energy sector is the main target of all internet evil

The article stated that the energy sector is aware that bad people are trying to do bad things via cyberspace. “There are actors that are scanning for these vulnerable systems and taking advantage of those weaknesses when they find them,” said Marty Edwards, director of U.S. Homeland Security Cyber Emergency Response Team for industrial systems. 

While this is true, it is so incredibly broad and generalized that it could apply to anything connected to the internet and quite a few things that are not, from the International Space Station to home baby monitors to stand-alone processors in universities. There have even been inflammatory reports that ISIS is attacking our electric grid! Nothing here is unique to the energy sector, to ICS, or to supervisory control and data acquisition (SCADA) domains.

Myth two – our stuff is OK, yours has a problem

The article continues by stating “Nowhere is the threat more consequential than in Houston and Southeast Texas…”

Again, I will disagree. Cyber knows no boundaries. Malware code released in Obscuristan can instantaneously make its way to your home computer, pivot to your business system, then attack a third party. Cyber is not geographic, cyber is overarching. It has been said that all politics is local. In that case, all cyber is global. That’s why the U.S. Government early on designated the energy sector a National Critical Infrastructure (NCI).

Myth three – the weakness of the energy sector

Attempting to sensationalize the energy sector’s vulnerabilities, the article provides that “The U.S. Department of Homeland Security, responsible for protecting the nation from cybercrime, received reports of more than 350 incidents at energy companies between 2011 and 2015. In most cases, a hacker infiltrated or tried to infiltrate the control systems of energy firms. During that period, the agency identified nearly 900 security vulnerabilities within U.S. energy companies, more than any other industry.”

Let’s contrast that with a report from the cybersecurity firm Dragos, which in March 2017 concluded that about 3,000 industrial infections occur each year. Sounds scary until you read further. The infections were all common, non-targeted malware. These included W32.Ramnit and Conficker, discovered in an RW Bavaria nuclear power plant during upgrades. The likely source was removable media; malware was also reportedly found on 18 removable data drives, mainly USB sticks. Hackers? Maybe. Poor personnel training and cyber hygiene? Absolutely.

Myth four – we don’t talk anymore

Energy companies have a close cybersecurity relationship with their Electric and Downstream Natural Gas Information Sharing and Analysis Centers (E-ISAC and DNG-ISAC) as well as the U.S. Department of Energy. The aforementioned “nearly 900 security vulnerabilities” were discovered through examinations by experts from the U.S. Government ICS-Computer Emergency Response Team (CERT). In each case the teams were specifically invited by the companies to examine corporate networks. The private sector has been working with DHS, the CERTs, the ISACs, and other partners to secure our energy for nearly two decades.

Finally some truth

“The vastness of oil and gas operations makes it difficult to secure. Thousands of interconnected sensors and automated controls that run oil and gas facilities remain rife with weak spots. Much of this equipment was designed decades ago without security features. In recent years, companies have linked devices that monitor pressure, control valves and initiate safety procedures to computer networks and – sometimes inadvertently – the internet.”

This is truly a challenge the energy sector faces each day. Why not simply replace decades-old equipment with modern, cyber-secure equipment? Let me answer that question with another. In 1969 we traveled to the moon. Can we do it today? The answer is no.

Most ICS equipment was specially designed for a single purpose or process. There are no duplicates. There are no factories to recreate the parts. Intended to last 30 years or more, ICS and SCADA components are generally replaced as they fail, not upgraded. Industry has failed the critical infrastructure sectors as well as home users by failing to develop security at the same time they develop software. What does that mean? Just because you can connect it to the internet doesn’t mean you should connect it to the internet.

The rise and fall of the internet

In the 1970s, 80s, and much of the 90s, cybersecurity was not really an issue. The internet is based on the government-funded ARPANET created by the Department of Defense in the 1960s. ARPANET originally restricted connections to military sites and to universities, and thus security was not a consideration. Why?

Because at one time in our country, people did good things. Lawlessness and treason were shunned and punished. Malware coders, violent protesters, graffiti vandals, and their like were not idolized. Everything worked. Today we live in a culture where Pointless, Persistent Jackassery (PPJ) is not only tolerated, but celebrated. But I digress….

Let me leave you with a question while I work on part two of this article. Have you experienced an instance of an ICS infection here in the United States? Did it go boom, or did you stop it? If it went boom, what was the result? I’ll be back soon to deflate the last few media myths floated in the recent press.

John Bryk retired from the U.S. Air Force as a colonel after a 30-year career, last serving as a military diplomat in central and western Europe and later as a civilian with the Defense Intelligence Agency. Bryk holds, among other degrees, an MBA, an M.S. in Cybersecurity, and an M.A. in Business and Organizational Security Management, a combination that gives him a unique outlook on the physical and cyberthreat landscapes. As an intelligence analyst for the private sector, he focuses on the protection of our nation's natural gas critical cyber and physical infrastructure.

The opinions expressed in this blog are those of John Bryk and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.