In mid-February, the Cybersecurity and Infrastructure Security Agency (CISA) alerted owners and operators in all critical infrastructure sectors to review their cybersecurity programs. The alert came in the wake of a ransomware attack against an unnamed natural gas compression facility that resulted in a two-day shutdown of the facility’s operations.
Utilities are a high-value target, particularly for state-sponsored threat actors. Unlike the average cybercriminal, these particular threat actors aren’t always aiming to steal data. Instead, they stealthily probe networks for small weaknesses that they can then exploit to damage or disrupt critical infrastructure — an act that could have consequences for public safety.
Unfortunately, gaps and deficiencies in the cybersecurity programs of utilities companies are making cybercriminals’ jobs much easier. Indeed, CISA stressed that while the attackers were able to gain initial access to the facility’s IT network through an email with a spear-phishing link, a lack of robust network segmentation between the IT and OT networks “allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.” The resulting shutdown led to lost productivity and revenue, but could have had more severe consequences.
Given the heightened cyber risk faced by utilities companies, CISA is working with private-sector owners of critical infrastructure to acquire more information on vulnerabilities “to glean patterns and inform long-term planning and mitigation measures across the ecosystem,” writes Nextgov.
Whatever the outcome of this effort, a big challenge remains for cybersecurity teams: juggling the many moving parts within their ecosystems. The average utilities company has a vast digital footprint, and as that ecosystem expands, so does its attack surface. Utilities and plant operators manage tens of thousands of connected machines and devices, each a potential target for bad actors looking for vulnerabilities. Within this threat landscape, it’s more important than ever to have broad and continuous visibility into all assets, but regularly auditing these digital assets for cyber risk can be time-consuming and difficult for resource-constrained cybersecurity teams.
CISA’s recommended approach to securing those networks — network segmentation — is not always a popular or viable choice for the utilities sector. Network segmentation is a zero-trust approach to cybersecurity that assumes that intrusions and attacks are inevitable. When a breach occurs, the threat is contained within a smaller, isolated network so it doesn’t propagate to other assets, such as an OT network. Think of it as a firebreak that keeps a compromise from spreading network-wide.
As we’ve written about in an earlier blog on creating segmented networks to protect critical assets, segmentation is a necessary yet costly and cumbersome endeavor. As such, it is best utilized if organizations have assets that must be quarantined to reduce risk. These include machines that have known vulnerabilities, like unsupported Windows 7-based computers and other systems that aren’t going to be patched anymore, but can’t afford to be taken offline.
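The two decisions in the passage above (which assets are worth the cost of isolation, and whether anything is crossing the IT-OT boundary directly) can be checked against an asset inventory and observed flows. The following is an added example, not code from the original post; the zone labels, the DMZ-as-jump-host convention and all addresses are constructed assumptions.

```python
"""Minimal IT/OT segmentation audit over a constructed asset inventory and
constructed flow records (added example; zone names and addresses are
illustrative assumptions, not a standard or real observations)."""
from dataclasses import dataclass

# OS versions the post treats as "not going to be patched anymore".
UNSUPPORTED_OS = {"windows 7", "windows xp", "windows server 2008"}

@dataclass(frozen=True)
class Asset:
    ip: str
    zone: str        # assumed zone labels: 'IT', 'OT' or 'DMZ'
    os: str
    patchable: bool

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def quarantine_candidates(assets):
    """Assets that run an unsupported OS or cannot be patched: the ones the
    post says justify the cost of a dedicated isolated segment."""
    return sorted(a.ip for a in assets
                  if not a.patchable or a.os.lower() in UNSUPPORTED_OS)

def boundary_violations(assets, flows):
    """Flows that cross IT->OT directly rather than via a DMZ host.
    A flow touching an endpoint missing from the inventory is reported too:
    an unseen device undermines segmentation just as effectively."""
    by_ip = {a.ip: a for a in assets}
    findings = []
    for f in flows:
        s, d = by_ip.get(f.src), by_ip.get(f.dst)
        if s is None or d is None:
            findings.append((f, "unknown asset"))
        elif s.zone == "IT" and d.zone == "OT":
            findings.append((f, "direct IT->OT"))
    return findings

# Constructed sample data (not real addresses or observations).
ASSETS = [
    Asset("10.1.0.5", "IT", "Windows 10", True),
    Asset("10.1.0.9", "IT", "Windows 7", False),
    Asset("10.2.0.7", "DMZ", "Ubuntu 20.04", True),
    Asset("10.3.0.21", "OT", "Windows 7", False),
]
FLOWS = [
    Flow("10.1.0.5", "10.2.0.7", 443),    # IT -> DMZ: permitted path
    Flow("10.2.0.7", "10.3.0.21", 502),   # DMZ -> OT: permitted path
    Flow("10.1.0.9", "10.3.0.21", 445),   # direct IT -> OT: flagged
    Flow("10.1.0.5", "10.9.9.9", 3389),   # destination not in inventory
]
```

Running `quarantine_candidates(ASSETS)` and `boundary_violations(ASSETS, FLOWS)` over the sample data yields the two unsupported hosts and the two flows that defeat the IT-OT firebreak.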
To protect all their assets — not just the isolated ones — utilities companies must establish a robust, effective security performance management program. By leveraging security ratings, these organizations can measure and continuously monitor cyber risk in their digital ecosystems, empowering them to make informed, comparative decisions about the cybersecurity efforts they should prioritize and focus on. After all, utilities companies can’t secure what they can’t see.
Security ratings shine a spotlight on known and unknown vulnerabilities, such as which machines are missing a critical update, whether an access point is unsecured, or whether malware is already lurking in a network environment — on-premises or in the cloud. This data can be incorporated into an organization’s segmentation strategy, providing valuable insight about where to deploy isolation based on risk. And global businesses can leverage additional analytics to see where all of their assets are located — broken down by geography and business unit — as well as the corresponding risk of those assets, enabling them to achieve a faster remediation process.
Rather than strike utilities head-on, threat actors are increasingly targeting the hundreds or thousands of vendors, subcontractors, manufacturers, and partners that comprise these companies’ supply chains. They then work their way up the chains to reach their real targets.
To combat this threat, utilities must incorporate cyber risk management into the procurement phase and define thresholds for acceptable risk during their vendor onboarding process. Once onboarding is complete, utilities companies should use contracts to hold their third parties accountable for their security performance, and implement continuous third-party cyber risk monitoring practices that provide assurance that their vendors are maintaining a good security posture.
People can be the weakest link in any cybersecurity program — but they can also be the strongest if they’re properly informed. Utilities companies should complement their security performance management program with employee education. They can build a cybersecurity awareness culture that teaches employees how to spot a suspicious email or social engineering attack, and how their actions connect to the potential outcomes of a cyber-attack — such as operational downtime, lost revenue, and, in a worst-case scenario, harm to public safety.
“Critical” infrastructure is called that because it is critical. Utilities manage infrastructure that is vital to daily life. As such, these companies can’t afford to take chances with their cybersecurity efforts. They must do everything they can to make sure that their organizations are protected.