Critical infrastructure companies and the global cybersecurity threat – problems
How the energy, mining, and materials industries can meet the unique challenges of protecting themselves in a digital world?
Whether they generate or distribute power, or extract or refine oil, gas, or minerals, heavy industrial companies comprise critical infrastructure for the global economy. As a result, they are attractive targets for cyber crimes. Already by 2018 nearly 60 percent of relevant surveyed organizations had experienced a breach in their industrial control (ICS) or supervisory control and data-acquisition (SCADA) systems.
Heavy industrials face unique cybersecurity challenges, given their distributed, decentralized governance structures and large operational technology (OT) environment—an environment that does not lend itself readily to traditional cybersecurity controls. Furthermore, many heavy industrials have invested in becoming “cyber mature,” as have other at-risk industries, such as financial services and healthcare. The investment gap has left most heavy industrials insufficiently prepared for the mounting threats.
As awareness of the threat environment grows, however, many top executives at these companies are now sharpening their focus on cybersecurity. They are asking important questions like: What does it take to transform our cybersecurity capabilities? What investments will address the most risk? How much should we be spending? Leading companies are now rethinking their cybersecurity organizations and governance models. Some are taking advantage of new security tools for OT offered by innovative start-ups. Most are adopting a risk-based approach to security—identifying their critical assets and seeking appropriate controls based on risk levels (see sidebar, “A cybersecurity transformation in oil and gas”).
Evolution of the threat landscape
Several factors underlie the growing threat landscape for the heavy industrial sector. One is the rise in geopolitical tensions, which has led to attacks targeting critical national infrastructure. Heavy industrials can become collateral damage in broader attacks even when they are not the target, given IT security gaps and OT networks connected to IT networks through new technologies. Obviously, these threats have become a major concern for top managers, boards, and national government bodies.
Attacks on national infrastructure
Among the most significant attacks on critical national infrastructure of the past few years are these:
- In 2014, a Western European steel mill suffered serious damage in its operational environment from a phishing attack used first to penetrate its IT network and then its OT network where attackers gained control of plant equipment.
- The 2015 to 2016 attacks on an Eastern European power-distribution grid cut power to 230,000 people. In this case, attackers compromised a third-party-vendor’s network, which was connected to an energy company’s OT network, allowing the attackers to make changes to the control system.
- In 2017, attackers gained access to a Middle Eastern petrochemical plant’s ICS and attempted to sabotage operations and trigger an explosion.
Recent discoveries in the networks of electrical-distribution companies based in the European Union and the United States indicate that threat-actors established vantage points within OT networks from which to launch attacks at a future date. An example of this is the Dragonfly syndicate, which has been blamed for the breach of EU and US electrical companies to gather intelligence and build cyber capabilities to compromise OT systems.
Groups like Dragonfly are increasingly procuring private-sector offensive tools, enabling them to deliver highly sophisticated cyberattacks. Given the sensitivity of the targets, this has quickly become a matter of national security involving government bodies and intelligence agencies.
Collateral damage in nonspecific attacks
The electricity, oil-and-gas, and mining sectors have been rapidly digitizing their operational value chains. While this has brought them great value from analysis, process optimization, and automation, it has also broadened access to previously isolated ICS and SCADA devices by users of the IT network and third parties with physical and/or remote access to the OT network. In many cases, this digitization has allowed access to these OT devices from the wider internet, as well. According to analysis of production OT networks by CyberX, an industrial cybersecurity company, 40 percent of industrial sites have at least one direct connection to the public internet, and 84 percent of industrial sites have at least one remotely accessible device.3 In response to the danger, ICS manufacturers can analyze USB-born threats to detect and neutralize those that could seriously disrupt operations.
Ransomware poses an additional threat. One well known example was WannaCry, which disrupted 80 percent of gas stations of a major Chinese oil company by exploiting a vulnerability in a dated and unsupported version of Windows. NotPetya was far more devastating. This malware wiped IT devices around the world, affecting about 25 percent of all oil-and-gas companies.
More recently, botnets with the ability to detect and infect SCADA systems have been discovered, and those targeting Internet of Things (IoT) devices have become pervasive. The past year has also seen the massive growth of crypto-mining malware targeting ICS computers, severely affecting productivity by increasing load on industrial systems.
These types of sweeping, nontargeted attacks disproportionately affect industries, including heavy industrial companies with less cyber maturity and many devices to protect. Moreover, heavy industrials have the dual challenge of protecting against new digital threats while maintaining a largely legacy OT environment. Most companies still operate with their founding cybersecurity initiatives like patch management and asset compliance. More than half of OT environments tested in one study had versions of Windows for which Microsoft is no longer providing security patches. Fully 69 percent had passwords traversing OT networks in plain text.
Unique security challenges facing heavy industrials
Electricity, mining, and oil-and-gas companies have revealed four unique security challenges that are less prevalent in industries of greater cyber maturity, such as financial services and technology. One challenge stems from the digital transformations that many energy and mining companies are undertaking. Others relate to their distributed footprint, their large OT environment, and exposure to third-party risk.
The overlooked costs of security in digital transformations
Most heavy industrials are undergoing major digital transformations or have recently completed them. When building the business case for these transformations, leaders often overlook the cost of managing the associated security risks. Security is not often a central part of the transformation, and security architects are brought in only after a new digital product or system has been developed. This security-as-afterthought approach increases the cost of digitization, with delays due to last-minute security reviews, new security tools, or increases in the load on existing security tools. For example, instead of building next-generation security stacks in the cloud, most enterprises are still using security tools hosted on premise for their cloud infrastructure, limiting the cloud’s cost advantages.
Additionally, security capabilities that are bolted on top of technology products and systems are inherently less effective than those built in by design. Bolt-on security can also harm product usability, causing friction between developers and user-experience designers on one side, and security architects on the other. This sometimes results in users circumventing security controls, where possible.
Protecting the ‘crown jewels’
The expansive geographical footprint typical for these heavy industrials can harm their cybersecurity efforts in several ways. It limits their ability to identify and protect their key assets—their “crown jewels.” They may have difficulty managing vulnerabilities across end devices. And while they tend to have a good handle on IT assets managed centrally, they have little or no visibility over assets managed by business units or third parties. Examples of crown-jewel assets include IT, OT, and management assets:
- information technology: network diagrams, system logs, and network access directory
- operational technology: programmable logic controllers, SCADA protocols, and system-configuration information
- management assets: internal strategy documents, executive and board communications, customer and employee personal information
Governance structures typically leave central security leaders without responsibility for security in the business units or operations. Many heavy industrials we surveyed could not identify a party responsible for OT security. The chief information-security officer (CISO) may set policy and develop security standards but often has no responsibility for implementing OT security in the operations, or for auditing adherence to it. At the same time, many operational units have no clear security counterpart responsible for deploying, operating, and maintaining OT security controls at the plant level. Therefore, they often neglect OT security.