The 2010 discovery of the Stuxnet worm was one of the truly seminal moments in the world of cybersecurity. The world saw firsthand how malicious code could cause crippling damage to physical assets. Virtually every industry had to stop and take notice, and none more so than the energy sector.
Nearly a decade later, even as threats and defenses have seen incredible changes, the fundamental forces behind Stuxnet still face the energy industry today. The world’s most sophisticated attackers are targeting some of the highest-value systems, seeking sensitive information and potentially looking to cause damage and disruption. The stakes are incredibly high, and energy security teams need to make the best use of their time and resources. In this blog, we will take a look at some of the unique pressures and challenges of cybersecurity in the energy sector and lay out a practical plan to get real operational benefit quickly.
Swimming With Sharks
In security you always have to know the type of adversary you are likely to encounter. Unfortunately, most energy companies face the full spectrum of attackers. Like all large enterprises, energy companies must deal with attackers who look to infiltrate the network, take over user devices and accounts, and steal sensitive data. Attackers are often after a variety of industry trade secrets that can reveal the health of the business, how plants and facilities operate, customer data, business partner and supply chain information, and much more. This exposes the industry to opportunistic attackers, industrial espionage, and organized crime.
Unfortunately, though, the most serious threats to the energy sector come from nation-state actors, who have an eye on causing damage. Earlier this year, the U.S. DHS and FBI issued a joint alert that Russian state-sponsored hackers were targeting the American energy sector. These intrusions are particularly chilling considering previous Russian attacks that targeted and successfully brought down the Ukrainian power grid. There are two very important points to keep in mind here. First, while some enterprises can think of nation-state attackers as a cautionary boogeyman, they are a reality for the energy sector. Second, when the ultimate goal of the attacker is to do damage, it’s even more important to find threats early, before sensitive systems are accessed. There may be no exfiltration attempt to catch. Once an attacker gets to the target system, it might be game over.
The IT Network Remains the Gateway
And while industrial control systems (ICS) may be the ultimate target, the gateway to those systems remains the IT network. The same DHS/FBI alert noted that the attackers would compromise the target network, perform internal reconnaissance, move laterally, and ultimately collect information on operational technologies including ICS and SCADA systems.
As with any attack, the initial step is often to compromise an individual user and then spread internally. Attackers compromise users and quickly look for a path to compromise an administrator. With administrator access to the network, the attackers can persist indefinitely and ultimately gain access to the operational side of the network. This basic playbook holds true for virtually all types of persistent attackers. And this means that whether an attacker is targeting intellectual property, a customer database, or a facility’s industrial control systems, the path flows through the IT network.
Get More Secure Today
With the sophistication of attackers and the myriad approaches to security, it can often seem overwhelming to even know where to start. At Preempt we make this simple, and there are actually things that you can do to start getting more secure today. We can do this because our approach is designed to protect the network from the inside out. We do this by monitoring the organization’s authentication infrastructure and constantly analyzing every entity in the network in terms of its identity, behavior, and overall risk. We proactively find internal weaknesses and active threats, and we challenge suspicious behavior to determine whether it is malicious or benign. Additionally, by focusing on the Active Directory infrastructure, we make it easy to start monitoring without having to deploy listening agents all over the network.
With this perspective, we first help to map out your environment and identify where you are weak. This could include risky users and devices, weak passwords, devices that are sharing passwords, and users who are not official administrators, yet who have admin-level privileges.
Next, Preempt moves on to the detection and active mitigation of attacks. The platform analyzes all behavior in the network for signs of reconnaissance, lateral movement, and privilege escalation. However, instead of simply detecting threats or behavioral anomalies, the Preempt Platform takes action based on your policy. If the system detects that an administrator might be compromised, it can trigger a multi-factor authentication challenge to that administrator before access is granted to a critical jump system. This is just one response, but the critical point is that action is taken in a way that doesn’t lock out valid work, yet actively challenges a potential threat before access is granted.

This is just the tip of the iceberg in terms of what is available from the Preempt solution. If you are interested in learning more about how we bring adaptive defenses to networks in the energy sector, please reach out to us at firstname.lastname@example.org.
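To make the policy idea above concrete, here is an added toy illustration (not Preempt's code) of a risk-based authentication decision: it replays a constructed trace of authentication events for an admin account and decides per event whether to allow, raise an alert, or require an MFA challenge before a jump host is reached. The account names, host names, "known source" baseline and thresholds are all hypothetical assumptions.

```python
"""Toy risk-based authentication policy (added illustration, not Preempt's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int         # seconds since start of the constructed trace
    user: str
    src_host: str   # workstation the logon request came from
    dst_host: str   # server the account authenticated to


# Hypothetical policy inputs an analyst would configure or learn over time.
ADMIN_ACCOUNTS = {"svc_ops_admin"}                 # accounts with admin-level rights
CRITICAL_HOSTS = {"JUMP01"}                         # jump systems in front of OT/ICS
KNOWN_SOURCES = {"svc_ops_admin": {"ADMIN-WS7"}}   # baseline "normal" source hosts
LATERAL_WINDOW = 300   # seconds
LATERAL_HOSTS = 5      # distinct destinations within the window => lateral-movement signal


class PolicyEngine:
    def __init__(self):
        self._recent = defaultdict(deque)  # user -> deque of (ts, dst_host)

    def _distinct_recent_hosts(self, ev):
        q = self._recent[ev.user]
        q.append((ev.ts, ev.dst_host))
        while q and ev.ts - q[0][0] > LATERAL_WINDOW:   # drop events outside the window
            q.popleft()
        return len({host for _, host in q})

    def decide(self, ev):
        """Return (action, reasons): 'allow', 'alert' or 'mfa_challenge'."""
        reasons = []
        if ev.src_host not in KNOWN_SOURCES.get(ev.user, set()):
            reasons.append("unfamiliar source host")
        if self._distinct_recent_hosts(ev) >= LATERAL_HOSTS:
            reasons.append("possible lateral movement")
        if not reasons:
            return "allow", reasons
        # Risky admin reaching a critical jump host: challenge rather than deny, so a
        # legitimate administrator passes MFA while a stolen credential does not.
        if ev.user in ADMIN_ACCOUNTS and ev.dst_host in CRITICAL_HOSTS:
            return "mfa_challenge", reasons
        return "alert", reasons   # suspicious but not critical: record, don't interrupt work


TRACE = [  # constructed sample trace: baseline logon, then a burst from an unfamiliar PC
    AuthEvent(0, "svc_ops_admin", "ADMIN-WS7", "FILE01"),
    AuthEvent(10, "svc_ops_admin", "HR-PC22", "FILE01"),
    AuthEvent(20, "svc_ops_admin", "HR-PC22", "SQL03"),
    AuthEvent(30, "svc_ops_admin", "HR-PC22", "DC01"),
    AuthEvent(40, "svc_ops_admin", "HR-PC22", "WEB02"),
    AuthEvent(50, "svc_ops_admin", "HR-PC22", "JUMP01"),
]


def replay(events):
    """Run the trace through a fresh engine and return the action per event."""
    engine = PolicyEngine()
    return [engine.decide(ev)[0] for ev in events]


if __name__ == "__main__":
    for ev, action in zip(TRACE, replay(TRACE)):
        print(f"t={ev.ts:3d} {ev.src_host:>9} -> {ev.dst_host:<7} {action}")
```

The final event is the one that matters: the same account that was merely "alerted" on while fanning out across servers is stopped for an MFA challenge the moment it reaches the jump host.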