By Andrew Kay, Director Systems Engineering APJ, Illumio
Globally, our energy systems are under attack on many fronts, which is why building resilience to cyberattacks has never been more important.
However, the squeeze on margins for downstream energy providers makes it difficult to budget for the required cybersecurity transformation.
But with national infrastructure at risk, providers cannot afford to stand still. So, what investments should operators be making to strengthen cybersecurity, enable transformation, maintain availability and meet regulatory expectations?
Understanding and mitigating risks
The scale of the cybersecurity problem in the energy sector is receiving global attention. After recent high-profile attacks, including the compromise of 22 energy operators in Denmark, and reports here in Australia of cyber incidents at CS Energy and AGL, regulators around the world are issuing new guidelines and directives for all areas of the energy market.
The Australian Energy Sector Cyber Security Framework (AESCSF) program provides a tool for assessing cyber security maturity across Australia’s energy sector, alongside the updated “SOCI” Critical Infrastructure Risk Management Program.
Energy companies must comply with the critical infrastructure risk management program (CIRMP) obligation under Part 2A of the Security of Critical Infrastructure Act 2018 (SOCI Act). Responsible entities have until 18 August 2024 (or a further 12 months from the end of the applicable six-month grace period) to have a process or system in place that enables them to comply with a cybersecurity framework.
Building cyber resilience
For many years, operators have invested large amounts of time and money in trying to prevent attacks and in meeting checkbox compliance schemes, with limited success. Since attacks can no longer be reliably prevented, investment must shift to systems that increase cyber resilience, and the focus for all energy providers must be on building a model that is attack tolerant.
Ultimately, the key to surviving any attack is to reduce its impact and ensure that it does not reach the most critical parts of the network. The Australian Energy Sector Cyber Security Framework was developed from a number of different frameworks and sources, including steps from the NIST Cybersecurity Framework. Many energy companies are turning to Zero Trust Segmentation — a technology that applies the principles of Zero Trust to segmentation to help prevent breaches and lateral movement.
But exactly how can companies use Zero Trust Segmentation to build resilience and meet the five key steps outlined in the NIST Cybersecurity Framework?
Identifying what to protect and in which order can sometimes be the most complex part of forming any cybersecurity strategy. Budget and resource restrictions often inhibit organisations’ ability to protect everything to the same degree and at the same time.
You can’t protect what you can’t see, so the first step is gaining visibility. Map your devices and the flows of communication between them and external computing resources, such as application servers, databases, the Internet and other smart devices. With that map in hand, generating and testing the required security policies, and auditing the resulting security posture, becomes a much simpler process.
To prevent the cross-contamination of malware from Information Technology (IT) to Operational Technology (OT) environments and vice versa, only allow communication between the devices that need it, over the minimum set of verified protocols. This is the principle of least privilege, and it should be applied across all communications.
With Zero Trust Segmentation, you can block the specific traffic routes and ports that cyber attackers and ransomware typically use. Many OT systems within the energy sector run on older versions of software and operating systems that cannot be patched to current levels, so those vulnerable devices need compensating mitigation. By limiting which systems can communicate and which protocols they use, the gaps left by patching limitations can be managed.
Recognising you are under attack is key to neutralising the threat—and the quicker the better.
Detection covers several technologies, including endpoint detection and response (EDR), which monitors computing systems for “indicators of compromise” (IOCs). This can be a challenging discipline: time to detection often depends on prior awareness of the attack technique, while attackers increasingly live off the land, using legitimate IT connections and tools rather than readily detectable malware components, and make bypass and evasion techniques their modus operandi. You also need to be able to detect any connections that should not be allowed.
Segmenting the network has been shown to improve the performance of EDR systems by restricting the spread of an attack, thereby reducing the area that must be monitored and improving both the ability and the speed to detect.
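As an added illustration (not Illumio’s product nor the AESCSF’s own tooling), the following Python sketch models the steps above: a labelled inventory from the mapping step, a default-deny allow-list written in terms of IT/OT roles rather than addresses, an audit that lists the observed flows the policy would drop (the connections that should not be allowed, with the IT/OT crossings flagged), and the rules never exercised, which are the candidates for later tightening. Device names, labels, ports and flow records are all constructed for the example.

```python
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

Labels = Tuple[str, str]  # (zone, role); zone is a constructed "IT" / "OT" label
Rule = namedtuple("Rule", "src_role dst_role proto port")  # one allow-list entry
Flow = namedtuple("Flow", "src dst proto port")            # one observed connection

# Constructed inventory from the device-mapping step: name -> (zone, role).
INVENTORY: Dict[str, Labels] = {
    "hmi-01": ("OT", "hmi"), "plc-07": ("OT", "plc"), "hist-01": ("OT", "historian"),
    "erp-db": ("IT", "database"), "laptop-42": ("IT", "workstation"),
}
# Constructed default-deny policy, expressed against roles rather than addresses;
# any flow that matches no Rule is denied.
POLICY: List[Rule] = [
    Rule("hmi", "plc", "tcp", 502), Rule("hmi", "historian", "tcp", 4840),
    Rule("historian", "database", "tcp", 5432), Rule("workstation", "database", "tcp", 5432),
]
# Constructed flow records, as a flow collector might report them.
OBSERVED: List[Flow] = [
    Flow("hmi-01", "plc-07", "tcp", 502), Flow("hist-01", "erp-db", "tcp", 5432),
    Flow("laptop-42", "erp-db", "tcp", 5432), Flow("laptop-42", "plc-07", "tcp", 445),
    Flow("laptop-42", "hist-01", "tcp", 3389),
]

def as_rule(flow: Flow, inventory: Dict[str, Labels] = INVENTORY) -> Optional[Rule]:
    """The rule that would permit this flow, or None when either end is unmapped."""
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    if src is None or dst is None:  # unseen device: no label, so nothing can allow it
        return None
    return Rule(src[1], dst[1], flow.proto, flow.port)

def audit(flows: List[Flow], policy: List[Rule] = POLICY) -> List[Flow]:
    """Flows the policy would drop once enforced; review them before leaving test mode."""
    return [f for f in flows if as_rule(f) not in policy]

def crosses_zone(flow: Flow, inventory: Dict[str, Labels] = INVENTORY) -> bool:
    """True when the flow spans the IT/OT boundary, the first place to contain spread."""
    return inventory[flow.src][0] != inventory[flow.dst][0]

def unused_rules(flows: List[Flow], policy: List[Rule] = POLICY) -> List[Rule]:
    """Allowed paths never seen in observed traffic: candidates for tightening."""
    hit = {as_rule(f) for f in flows}
    return [r for r in policy if r not in hit]

if __name__ == "__main__":
    for f in audit(OBSERVED):
        print("would deny", f, "(crosses IT/OT)" if crosses_zone(f) else "")
    print("never used:", unused_rules(OBSERVED))
```

Run the audit against real flow records in test mode first; only once the denied list contains nothing a site depends on should the policy be enforced.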
Once an attack is detected, you must respond instantly. With Zero Trust Segmentation, you can effectively lock down ransomware and attacks to help maintain services while the code is removed from computing systems.
Your response process and configurations should be planned and tested for efficacy, because any attack could be devastating, with unknown consequences. Establishing a cyber resilience plan, practising the response and staging the emergency procedure controls so they are ready for immediate deployment can make the difference between being able to maintain services and risking widespread energy blackouts.
Finally, you need to be able to safely restore services. If an attack is still underway, any premature repair work could create new risks.
With Zero Trust Segmentation, security and IT teams can set up protection around individual sites, departments and systems, so they can resume operations shielded from the attack. Restored systems are confidently brought back online in a “sterile” network environment without needing lengthy and effort-intensive network-level changes.
And with knowledge gained from the unsuccessful attack, you can tune your policies to further tighten access and boost your organisation’s cyber resilience.
Reducing the risk from cyberattacks
The current energy crisis, combined with economic instability, has put the energy sector at the top of attackers’ target lists. With threats showing no sign of slowing down, the only way for energy companies to safeguard operations and maintain uptime is to assume that they are going to be breached and plan accordingly.
With ‘customer data’ and ‘systems’ being specifically called out in the Australian critical infrastructure program requirements, energy companies must adopt inside-out thinking to define their protect surface.
By proactively taking steps to build resilience and segment infrastructure, energy companies will be able to quickly and confidently isolate breaches and keep the lights running in the future, even when under attack.