How the Energy Industry can Survive Targeted Attacks

The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently reported that it received 245 incident reports from asset owners and industry partners in the fiscal year of 2014. Like the previous year, the largest number of these incidents occurred in the Energy sector with 79 incidents.

The incidents reported to the ICS-CERT included the following:

• Unauthorized access of Internet facing Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) devices
• Exploitation of zero-day vulnerabilities in control system devices and software
• Malware infections within air-gapped control system networks
• SQL injection via exploitation of web application vulnerabilities
• Network scanning and probing
• Lateral movement between network zones
• Targeted spear-phishing campaigns
• Strategic web site compromises (a.k.a., watering hole attacks).
Not only is the energy sector being hit the hardest, energy companies are also especially vulnerable since they possess valuable intellectual property and provide critical services that can be targeted by hacktivists and foreign state actors for sabotage purposes. In addition, the energy industry uses legacy systems that were not built with cyber-attacks in mind, and downtime for system upgrades is virtually impossible due to their critical nature.
How can the Energy sector prepare and defend against cyber attacks? Here is an 8-step plan for addressing cyber security in the Energy industry:

1. Air-Gap Networks
In a recent cyber attack on a South Korean nuclear facility, the nuclear plant remained safe because the control system was separated from the external network. It is important that Industrial Control Systems are air-gapped (i.e. separated from the network), so that even if attackers gain access to the network, they will not be able to reach the Industrial Control System and the damage can remain limited.

2. Identify and Encrypt
Identify the most important information and intellectual property that needs to be protected and make sure that it is encrypted and only accessible by a highly restricted group.

3. Use Multiple Anti-Malware Engines
By using multiple anti-malware engines to scan files, web traffic, and email attachments, you can significantly increase the malware detection rates and thwart any attempts to bypass a specific engine’s limitations. Since not every engine addresses the same threats in the same time frame, by using multiple anti-malware engines you can also ensure faster protection against new threats.

4. Implement USB Security
Files still need to be transferred to high security, air-gapped networks to perform system upgrades, maintenance, etc. To ensure safety but still enable file transfer, portable USB devices should first thoroughly be scanned with multiple anti-malware engines before being allowed to connect to the air-gapped network.

5. Improve Email Security
A common entry point for cyber attacks is spear phishing attacks. Most email security systems can detect and stop phishing attacks, but spear phishing attacks are harder to detect since they are only sent to a small number of people, and significant effort has been put into making them look legitimate. To detect more malware and counter threats that are targeted towards specific antivirus engines, companies need to strengthen their existing email security systems by using multiple anti-malware engines for scanning email attachments. Since spear phishing attacks often make use of malicious email attachments that exploit zero-day vulnerabilities that may not yet be known, it is also important to sanitize email attachments by converting files to another format to diffuse any possible embedded threats.

6. Defend Against Advanced Persistent Threats
Since Advanced Persistent Threats can lie in wait for a considerable time, it is important to continually monitor and scan networks and devices for threats and irregular activity. What may have previously gone undetected by anti-malware engines, could suddenly appear on the radar after an engine update. By centrally monitoring the company’s devices, you can ensure that anti-malware and other programs are updated and that malware scans are run regularly.

7. Train Employees
Train employees on USB security, how to detect spear phishing attacks, and to immediately report any devices that are stolen or lost. Make sure that employees update their anti-malware programs frequently and regularly perform full system scans.

8. Third Party Company Security
It is important to ensure that even if security is breached at one of the company’s suppliers or contractors, only limited access can be gained to the company’s central system. Also, when exchanging confidential files with external contacts is important to use a secure file transfer system that ensures that files are encrypted and can only be opened by the intended recipient.
With this survival guide, companies in the energy sector can effectively prepare for a possible cyber-attack, knowing they have the right defense weapons in their arsenal.

This blog post was provided by Deborah Galea, Product Marketing Manager at OPSWAT. For more about Deborah click here