To support the Energy Central special issue on cyber security trends and threats, I dipped back into my former life and spoke to colleagues in that industry to bring this audience insights from the experts. I spoke with Rafe Pilling, a Principal Researcher working in the Secureworks Counter Threat Unit™ (CTU). He is part of a team of 80+ researchers and cybersecurity experts performing targeted cyber threat intelligence research and technical analysis for both targeted and commodity cyber threats. With over 13 years of experience studying cyberattacks from hostile state actors, Pilling is recognized as a subject matter expert in the field and is consistently engaged in advising C-suite executives on maximizing their security. I thought his insights on the emerging threat landscape we face would be valuable to utility CISOs.
Mark: US energy companies recently experienced a wave of reconnaissance scanning, which is just the latest threat that’s keeping energy COOs and CTOs up at night. Can you talk about what’s at stake for these companies and their customers?
R. Pilling: In recent years, security leaders have seen an increase in the volume and impact of attacks in the energy sector. This is driven in large part by aggressive cybercriminal activity, particularly ransomware and extortion. In a significant portion of cases threat actors gain access through insecure infrastructure. Reconnaissance scanning is one way to discover vulnerable infrastructure. We also see exposures introduced by how infrastructure is managed. Just look at the Colonial Pipeline incident of 2021, in which a weak password on a VPN led to a major outage and immeasurable market impacts. This is not an uncommon scenario. Utilities as an industry is focused on resilience, expediency and cost-effectiveness. However, insecure infrastructure can quickly be a major risk if we take our focus off good security practices.
Secureworks® is seeing more disruptive attacks against critical infrastructure. Most stem from criminal ransomware or DDoS activity but a recent example involving a suspected hostile state actor was the Skylogic (Viasat) attack, which disrupted multiple businesses including the operation of thousands of wind turbines in Germany.
Many of these groups targeting critical infrastructure are tied to hostile state actors that are already on our radar. Recently, the US government unsealed indictments on a group that our CTU™ tracks. This group, dubbed IRON LIBERTY, has focused on the energy sector for nearly a decade. It includes several Russian intelligence officers and often targets US entities in the energy sector. There’s quite a lot at stake in combating these attacks: Financial assets, intellectual property, operational health, and the personal data of customers, just to name a few.
Mark: From your vantage point, what are the big cybersecurity trends and threats that utility and energy industry executives must be prepared to combat?
R. Pilling: Our 2021 Incident Response report points to a few well-defined trends that executives need to consider. First, Secureworks found that 85 percent of incidents could be attributed to financially motivated cybercrime. The second thing we observed is that 43 percent of initial access vectors came from vulnerabilities in internet-facing devices. Finally, utilities companies should be mindful of things like ransomware, business email compromise (BEC), cryptominers, and hack and leak extortion schemes, all of which may be directed at Utilities and Energy sector organizations by opportunistic criminal actors.
Many will recall a notable ransomware attack that took place in 2017, WannaCry, a malicious “worm” which infiltrated control networks and caused absolute havoc. This worm was released by a hostile state and continues to ricochet, uncontrolled, around the internet occasionally infecting and disrupting businesses, including operational technology networks. WannaCry was unusual in that it was a financially motivated attack launched by a hostile state actor, North Korea, although large scale financial crime has long been one of their core activities as a method to support their economy.
Outside of financially motivated criminal activity, a more insidious threat from hostile state actors is pre-positioning access for the purposes of ongoing espionage, supply chain attacks or future cyber-physical disruption. This is especially true for utilities providers, who operate infrastructure that can be uniquely attractive to threat actors. By pre-positioning access, cybercriminals or hostile state actors (Russia and China come to mind in recent memory and news coverage) may be in the network for months or even years. They can be hiding in plain sight, monitoring operations, accessing business partners or customers and launching disruptive attacks if and when they are given the order.
Russia has demonstrated multiple attacks against energy companies in Ukraine, each time evolving their method of attack. In 2015 malware enabled human operators to connect in and use the victims’ existing human machine interfaces (HMIs) to shut off power. By 2016 modular capabilities had been added to their malware to enable interaction with electrical power industrial control systems directly. In 2022 the same threat actor, IRON VIKING (aka Sandworm), launched another attack against a Ukrainian energy company with an upgraded version of their malware. These attacks were conducted as part of an armed conflict, and arguably the previous attacks (2015 and 2016) were also launched as part of a lower intensity conflict that had been running since Russia annexed Crimea in 2014. However, lessons can be drawn from the deployment of these capabilities, and we should not assume that they will always be used only after kinetic conflict has broken out. In all cases, the threat actor first must obtain initial access and reconnoiter the environment to understand what they will need to do to launch their disruptive attack. This could be done weeks or months in advance. Being on the lookout for this phase is critical.
Mark: Are any of these threats unique to the Utility industry or the kind of infrastructure commonly relied upon in energy and utility settings?
R. Pilling: Yes and no. No, in that the majority of external cyber threats will be the same across most sectors. As mentioned previously, 85% of incidents we see are opportunistic cybercrime and cut across multiple industry verticals and geographies. Ransomware is a persistent and high impact threat faced by all organizations that use the internet and have money. We see increasing volumes of victims being published on ransomware leak sites, and these only represent a fraction of the total overall set of victims.
That being said, there are distinguishing factors in the energy and utilities sector that make it of keen interest to hostile states.
For example, Russian, Iranian, North Korean and Chinese threat actors have all shown an interest in obtaining access to utilities company networks. Sometimes they are successful. They may have multiple complementary goals such as collecting personally identifiable information (PII) for intelligence purposes, extracting trade secrets and intellectual property for economic gain but they may also be seeking strategic information on the power grid, how it works, ways to take it offline, and more, to support future military operations. Threat actors seek to obtain access, but also to maintain access, because this allows them to move through the stages of their attack quickly and efficiently, via captured credentials, malware, or whatever other mechanisms they can leverage. The upside is that the criminal threats and hostile state actor threats do not have to be addressed in vastly different ways. By effectively preparing to prevent, detect and respond to the envelope of tradecraft used by ransomware threat actors you are also well prepared to detect many hostile state sponsored groups.
Mark: What steps can utilities and energy companies take to preemptively create heightened awareness and vigilance around threats? What controls should be in their “baseline” tool kit?
R. Pilling: The first step is having an informed view of the threat landscape. Threat intelligence derived from credible and reliable sources can provide a real-world view of what is impacting organizations in the utilities and energy sector. In general, the media will report on rare and unusual events, but the torrent of reporting can make it appear as if these are daily occurrences and skew the perception of the cyber threat landscape.
We are also seeing the term “vigilance” appearing more these days, but the reality is that at the core of technology and cybersecurity, there is always a human behind the screen.
Humans cannot maintain a heightened state of vigilance long-term – it’s just not sustainable. So, the key is really putting proper technology and process in place to do the heavy lifting and keeping analysts and responders fresh and prepared to deal with real incidents when they occur.
Our research has led us to the realization that in almost all cases the path to operational technology (OT) runs through the IT environment, whether it’s a compromised VPN or a perimeter vulnerability that is exploited. Threat actors usually need to move laterally across the IT environment before being able to reach OT networks. Therefore, IT security is a huge part of OT security. The key here is to know your organization’s perimeter, do vulnerability scanning, ensure complete and up-to-date patching, and ideally make sure that all logins are protected by multi-factor authentication (MFA). OT environments do have special requirements and can’t be protected with the same practices as IT environments, but there is a lot of dependency between the two.
This is where a strong security practice is built – not so much in the short-term spurts of vigilance, but that ongoing pattern of good security hygiene and policy. When there is specific intelligence on credible threats, employees can surge to address it, knowing they are working from a solid foundation.
Mark: How is technology evolving to reduce emerging risks? Conversely, are you seeing threats evolving in a way that risks outpacing the speed of security innovation?
R. Pilling: The acceleration of current and future technologies is going to challenge every industry, not just energy and utilities companies. We’re seeing increasing interconnectivity, the expansion of 5G, and a lot more Internet of Things (IoT) devices playing a role in how organizations need to prepare for security threats. But IoT systems, Artificial Intelligence (AI), and other newer technologies are bringing in standardization and interoperability, and that homogeneity plays to the benefit of threat actors. An attack chain can be developed that can easily be re-purposed between environments rather than being custom developed for each new and bespoke environment they compromise.
In the case of innovations like data-driven operations platforms or analytics, it is a double-edged sword – these technologies certainly help provide greater visibility and can highlight suspicious activity in the network, but they also create potential new entry points into the environment. We should assume that bad actors will try to use that to their advantage eventually.
Mark: What are the essential elements of a comprehensive security posture that utilities should employ facing this changing threat landscape? What measures should energy CISOs and CTOs have in place?
R. Pilling: As a rule, we tend to see regulated industries, like finance, with strong cyber security compliance regimes, being less impacted by major cybersecurity events. This is not to say that compliance standards alone are a magic bullet. Too often the focus becomes achieving compliance, usually at the cost of security. By that I mean, compliance requirements are a good starting point – but they are not the finish line. The energy sector in the US has had the North American Electric Reliability Corporation’s CIP framework in place for some time, and that includes a guiding framework for security. But organizations may need to go beyond the compliance standards to secure their organization and should stay well informed with data driven threat intelligence.
Most cyber threats originate from outside the business. However, as we outlined in our 2021 Incident Response report, while the majority of situations Secureworks saw in 2021 were driven by financially motivated cybercrime or a hostile state actor, we still see a percentage of cybercrime coming from insider threats. In building a security posture, CISOs and CTOs need not be perfect, they just have to be better than the adversaries they’re facing.
For utilities executives, the IT environment is always changing, while your operational technology environment is often resistant to change and focused on day-to-day continuity. This can be a strength. By achieving a strong security baseline, ongoing monitoring and management of the static operational environment can help you highlight changes in the network and areas of concern or suspicion. This is especially true if you have a true Extended Detection and Response (XDR) solution that is giving your organization a “single pane of glass” view of your systems and security.
Mark: Compared to other sensitive industries, how does the energy sector rate in terms of preparedness for coming cyber threat evolutions?
R. Pilling: The utilities industry has for a long time had a focus on health and safety and been highly successful in driving down risk and injury to employees. The same approach can apply to cybersecurity. Just like utilities create robust safety controls that mitigate incidents on sites, they can accomplish this same kind of success with security measures and investment in long term cybersecurity planning. Companies are in the ideal moment in that technology evolution to take a step back and look at the impacts that cybercrime in the energy sector can potentially have on customer quality of life, reputational damage, and incredible financial loss. Once you consider all that is at risk, the investment of time and resources in combatting this evolving threat is a business resilience and continuity decision that positions these companies for future success.
To learn more about Secureworks and the work of Rafe Pilling and the rest of Secureworks Counter Threat Unit™ (CTU), visit Secureworks online and read their 2021 Incident Response: Year in Review.