Energy companies rapidly accelerating their digital transformation projects to simplify and modernize their existing processes can drive massive efficiency and benefit. Yet, the increased interconnectivity between internal and third-party systems, in addition to on-premises and cloud environments, has exponentially expanded organizations’ attack surfaces and business risk profiles, leaving them vulnerable to exploitation. Energy companies have had to come to grips with the extension of IT security practices to increasingly connected OT landscapes, but the final frontier is now upon them as digital transformation projects extend all of the same concepts to applications like enterprise resource planning (ERP).
Energy companies have become increasingly targeted by cybercriminals, both because of the complexity and difficulty of securing intermingled IT/OT landscapes and because of the sheer criticality of their business. High-value targets, and targets with real-world impact, are attractive to attackers. Research from S&P Global shows that cyberattacks against energy infrastructure more than doubled from Q2 to Q3 in 2022. Attacks on utilities are particularly dangerous: on one hand, they can take down an organization’s IT systems and result in the loss of sensitive corporate data, as well as billions of dollars in ransom demands and repairs. On the other, they can shut down operational systems and cause massive power outages and damage to critical infrastructure. We’ve seen first-hand the far-reaching effects of such an attack with the Colonial Pipeline hack, which resulted in systems being shut down for several days and impacted fuel and oil supplies in multiple states for weeks, even months, after the attack occurred.
As the energy sector remains vulnerable, it’s critical that organizations are intentional about their cybersecurity posture. This means that they shouldn’t wait for an attack to happen before taking action. Rather, they must develop a robust cybersecurity posture that enables them to proactively defend their organization and quickly remediate. Here are three questions energy companies should ask themselves when assessing their cybersecurity posture.
Do We Have Visibility into Our Business-Critical Application Landscape?
Enterprise resource planning (ERP) applications, such as SAP and Oracle, are often tied to critical infrastructure, as well as to industrial and business processes. These systems are so large, old, and complex that security teams tend to lack visibility into the vulnerabilities and risks plaguing these environments. Instead, they leave business-critical application management to in-house teams, where system performance and availability are prioritized over security. To mitigate system blind spots, organizations must achieve complete visibility into their ERP landscape. This will also enable them to identify internal and external threats and evaluate their impact.
Does Our Vulnerability Management Program Include Business-Critical Applications?
Traditional technologies, like vulnerability scanners and firewalls, and practices, such as segregation of duties, are critical to any cybersecurity program. While these approaches can detect system-level issues beneath business-critical applications, they aren’t enough to protect the application layer itself. For instance, they are unable to detect issues in ERP custom code or missing patches within ERP applications. Instead, organizations should deploy vulnerability management capabilities designed to address flaws within ERP applications. These tools provide security teams with deep threat intelligence about their attack surface, while continuously monitoring users, unusual activity, and vulnerabilities within the application layer.
Furthermore, traditional patch management processes require security teams to continuously keep up with the latest security notes for numerous patches every month. This procedure is ineffective, as it can be highly time-consuming and error-prone. Modern vulnerability management technologies can alleviate much of the manual burden placed on resource-constrained teams by providing automated analyses of each threat, its associated risk, and its business impact. This strategic threat intelligence not only gives teams the context they need to resolve each vulnerability but also allows them to determine which vulnerabilities are most critical and should be patched first.
Are We Following Cybersecurity Best Practices?
In today’s unprecedented threat landscape, adherence to cybersecurity best practices should always be enforced. However, the influx of cyberattacks on utility infrastructure suggests that these organizations are falling behind in this arena. While there are numerous ways to ensure organizations are prioritizing security, here are a few key ways they can secure their operations and critical infrastructure:
- Develop an incident response plan: Energy companies have had to extend IT and cyber plans to include OT systems, but business-critical applications, like ERP, remain excluded, and sadly those applications, in many cases, drive both the core business and the operational intersection. Organizations must take a risk-based approach to incident response, where they prioritize incidents and vulnerabilities with the highest level of risk.
- Ensure ubiquitous implementation of core cyber concepts: The industry has become good at vulnerability management, threat and incident monitoring, and behavior monitoring for IT, and has become better at it for OT. But in ERP, it’s still nascent for most energy companies.
- Ensure custom application security: ERP systems contain more custom business logic, and more custom code, than anything else in the IT landscape. Code security tools and processes frequently miss this. Security teams must ensure the basics of code security and secure development are applied where they matter most: within ERP applications.
Mitigating the Impact of a Future Attack on Utilities
Attacks against energy infrastructure aren’t going away any time soon. In fact, we can expect them to accelerate in the year ahead. Organizations should ensure their cybersecurity posture is strong enough to proactively stay ahead of adversaries, and ensure that the same level of diligence is applied to IT, OT, and ERP. And while a cyberattack may be inevitable, incorporating the above strategies can help organizations prevent the extensive impact and damages that could follow.