Cyber attackers, both independent hackers and state-sponsored activity groups, have long realised that critical infrastructure sectors are vulnerable to a variety of attacks, writes Tim Conway, technical director of ICS and SCADA programs at SANS Institute.
Look no further than the Baltic states, where in 2007 hackers launched a cyberattack impacting numerous Estonian key resource organisations.
Fast forward to 2015, and adversaries impacted the electric system within the country of Ukraine, which resulted in outages throughout numerous distribution regions in the country.
In Australia, authorities are so concerned about the vulnerability of the energy sector that the Australian Energy Sector Cyber Security Framework (AESCSF) was developed in collaboration between industry and government stakeholders, including the Australian Energy Market Operator (AEMO) and the Critical Infrastructure Centre (CIC).
However, these efforts largely focus on technical fixes. According to McKinsey, several myths surround the use of technology to solve security problems in the energy sector. Among them: that an air-gapped system is isolated, when in practice the gap is routinely crossed by USB sticks and unsecured laptops; and an architectural blind spot that leads organisations to believe the corporate network is the only route into an operational technology (OT) network. McKinsey notes that many vendors have support and maintenance paths into their systems that do not pass through the organisation's usual remote-access controls, which widens the attack surface without anyone monitoring it.
Building people’s cyber resilience
The real vulnerability in any infrastructure is the people using, working on and maintaining it. According to the Office of the Australian Information Commissioner's (OAIC) latest notifiable data breaches report, human error was responsible for 38 per cent of all breaches notified to the agency. In the period July to December 2020 there were 539 notifiable breaches, an increase of five per cent on the previous reporting period.
Given that people are often a part of the problem, what can be done to make sure they are aware of their responsibilities regarding data and security?
The answer, in short, is education. An energy company needs to run regular education sessions with its personnel to help them recognise attacks that target people, such as phishing and social engineering.
Phishing is an email crafted to look as though it comes from someone the recipient knows or from a person in authority. The link it carries leads either to a page that harvests the user's credentials or to a malware download, and malware that runs on the unwitting user's computer can then spread across the network.
That malware can compromise databases, capture identity information and steal log-ins. For critical infrastructure organisations the same click can be the initial point of entry into the targeted organisation, giving the attacker a foothold from which to move on to the operational environments. The 2015 Ukraine outages began this way, with spear-phishing emails carrying malicious attachments.
Users also need education about social engineering more broadly: a phone call, email or text message from someone they believe they know, or who claims to be their boss, asking them to hand over sensitive information.
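The cues that training teaches people to spot in a phishing or emailed social-engineering lure (a display name that does not match the real sender, a lookalike domain, a Reply-To pointing elsewhere, link text that names a different host from the link target) can also be checked mechanically before a message reaches the user. The Python below is an added example, not code from the article or from SANS: it runs those four checks over a constructed lure and a constructed benign message. The trusted domain `energyco.example`, both sample messages and the finding names are assumptions made up for the example.

```python
"""Heuristic checks for the sender and link tricks a phishing lure relies on.

Added example. TRUSTED_DOMAINS, both sample messages and the finding names are
assumptions constructed for this illustration.
"""
from __future__ import annotations

import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organisation's own mail domain. Anything else is "external".
TRUSTED_DOMAINS = {"energyco.example"}

# Digit-for-letter swaps commonly used in lookalike domains (0 for o, 1 for l, ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed lure: the display name shows the real executive's address, the actual
# sender is a lookalike domain, replies go to a third domain and the link text lies.
PHISH_SAMPLE = """\
From: "jane.smith@energyco.example" <jane.smith@energyc0.example>
Reply-To: payments@mail-secure.example
To: ops@energyco.example
Subject: Urgent: approve supplier payment
Content-Type: text/html; charset="utf-8"

<html><body><p>Please approve today via
<a href="https://energyco.example.payment-portal.example/login">https://portal.energyco.example</a>
before 5pm.</p></body></html>
"""

# Constructed benign message for comparison.
CLEAN_SAMPLE = """\
From: "Jane Smith" <jane.smith@energyco.example>
To: ops@energyco.example
Subject: Minutes from today
Content-Type: text/plain; charset="utf-8"

Minutes are on the wiki: https://wiki.energyco.example/minutes
"""

# Good enough for the constructed HTML above; real mail needs a proper HTML parser.
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].strip().lower()


def is_trusted(domain: str, trusted: set[str]) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline for domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: set[str]) -> bool:
    """True if a non-trusted domain imitates a trusted one by confusables or near-miss spelling."""
    if is_trusted(domain, trusted):
        return False
    folded = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return any(folded == t or edit_distance(domain, t) <= 2 for t in trusted)


def analyse_message(raw: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs; an empty list means none of the four cues fired."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings: list[tuple[str, str]] = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. Display name carries an address whose domain differs from the real sender.
    if "@" in name and domain_of(name) != from_domain:
        findings.append(("display-name-mismatch", f"shows {domain_of(name)}, sent from {from_domain}"))

    # 2. Sender domain is a lookalike of the organisation's own domain.
    if is_lookalike(from_domain, trusted):
        findings.append(("lookalike-sender", from_domain))

    # 3. Replies are silently redirected to a different domain.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parseaddr(reply_to)[1]) != from_domain:
        findings.append(("reply-to-mismatch", domain_of(parseaddr(reply_to)[1])))

    # 4. Visible link text names one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    for href, text in HREF_RE.findall(content):
        shown = urlparse(text.strip()).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(("link-mismatch", f"text says {shown}, href goes to {actual}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, analyse_message(sample))
```

On the constructed lure all four checks fire; on the benign message none do. These are heuristics that complement sender authentication (SPF, DKIM, DMARC) and user reporting rather than replace them, and the edit-distance threshold of 2 will misfire on very short domains, so tune it to the domains you actually protect.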
These education sessions should not be a 'set and forget' activity. Keeping users up to date on the latest threats and scams is ongoing work that needs to happen every month, if not more often.
Despite the best efforts of regulators, there will always be regulatory lag between cybersecurity requirements and current threats. Leveraging the right educational tools, you can strengthen the resilience of your biggest asset, your people.