In recent years the number of organizations that have been subject to malicious cyberattacks has been on the increase. Organizations as disparate as the Estonian government and the Japanese electronics giant Sony have all had to cope with what is rapidly becoming the inevitable cyberattack.
The high-profile nature of attacks such as these has raised awareness levels around the world. In February this year U.S. President Barack Obama made it clear that cyberterrorism and threats against the country’s energy suppliers were the biggest threats the country faced.
Unsurprisingly, there has recently been a surge in demand from companies across the energy sector for indemnity against such attacks. However, according to a recent report by Lloyd’s of London, many insurers are now refusing to cover U.K. energy companies because in their assessment, companies’ cyberdefenses are simply inadequate when compared to the threat that exists.
No substitute for security
The challenge laid down by the insurers to the energy companies is simple: Insurance is no substitute for security.
As one of the world’s leading defense contractors, Lockheed Martin faces the challenge of cybersecurity on a daily basis. As the developer of such iconic aircraft as the F-117 Nighthawk and the new F-35 Lightning II, the company is a high-profile target for cyberattackers of various types.
It has learned, and continues to learn, the hard way about what it takes to secure an operation from the advanced persistent threat that surrounds it today.
Consequently, it is able to offer in turn cybersecurity services to its customers in various markets, including the energy sector.
Each day Lockheed Martin monitors, investigates, learns from and prevents attacks against its own global infrastructure. This has led to a different way of thinking when it comes to cyberattacks. It can recognize the steps that would-be attackers need to take before they can launch their assault, allowing it to mitigate an attack before it happens.
Turning the tables
Traditional approaches to cyberdefense start from the basic premise that, to be successful, an attacker needs to breach the defenses only once, while the defender needs to be successful every single time.
This mentality is ultimately defeatist in its outlook but, more importantly, it isn’t actually accurate. Turning the tables on the traditional thinking about cyberdefense, the Cyber Kill Chain, created by Lockheed Martin in 2009, offers an alternative approach.
The Cyber Kill Chain turns a cyberattack upside down by breaking an adversary’s attack into its component stages. It begins with the adversary’s research into the target (reconnaissance), moves through the development of an attack mechanism (weaponization) and on to the sending of an email or link to a compromised website (delivery).
Lockheed Martin then considers how the malicious payload exploits a vulnerability on the target system (exploitation) and how the payload is installed on that system (installation), before assessing how that software is controlled (command and control) and finally looking at how the adversary is able to either steal proprietary data or shut down equipment (actions on objectives).
The Cyber Kill Chain shifts the balance of power from the attacker to the defender. Companies move from a position where, as defenders, they are doomed to fail to one where they can put barriers in place across the various stages, achieving defense in depth. Defenders need to succeed at only one of the stages to stop an attack, while the attacker has to get it right through all seven.
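The stage-by-stage argument above can be made concrete with a short added example, which is not Lockheed Martin's code or part of the original article: it reads constructed alert records, orders each intrusion's events along the seven stages, and reports where the chain was broken and which earlier stages produced no visibility. The log format, intrusion ids and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Stage names as listed in the article; everything else here is illustrative.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command and control", "actions on objectives"]

# Constructed sample events: timestamp | intrusion id | stage | outcome
SAMPLE_LOG = """\
2013-05-01T08:02 | A | reconnaissance | observed
2013-05-01T09:15 | A | delivery | observed
2013-05-01T09:16 | A | exploitation | blocked
2013-05-02T11:00 | B | delivery | observed
2013-05-02T11:01 | B | exploitation | observed
2013-05-02T11:03 | B | installation | observed
2013-05-02T11:30 | B | command and control | blocked
2013-05-03T14:00 | C | delivery | observed
2013-05-03T14:02 | C | exploitation | observed
2013-05-03T14:05 | C | installation | observed
2013-05-03T14:20 | C | command and control | observed
2013-05-03T16:45 | C | actions on objectives | observed
"""

def parse(log):
    """Group events by intrusion id as (stage_index, outcome) pairs."""
    intrusions = defaultdict(list)
    for line in log.strip().splitlines():
        _ts, ident, stage, outcome = [f.strip() for f in line.split("|")]
        intrusions[ident].append((STAGES.index(stage), outcome))
    return intrusions

def assess(events):
    """Report where the chain broke, how far it got, and earlier stages
    the adversary must have passed through without generating an event."""
    blocked = [i for i, outcome in events if outcome == "blocked"]
    broken_at = min(blocked) if blocked else None
    seen = {i for i, _ in events}
    deepest = max(seen)
    missed = [STAGES[i] for i in range(deepest) if i not in seen]
    return {
        "broken_at": STAGES[broken_at] if broken_at is not None else None,
        "deepest": STAGES[deepest],
        # The attacker succeeds only with no block and the final stage reached.
        "succeeded": broken_at is None and deepest == len(STAGES) - 1,
        "visibility_gaps": missed,
    }

def report(log=SAMPLE_LOG):
    return {ident: assess(ev) for ident, ev in sorted(parse(log).items())}

if __name__ == "__main__":
    print(report())
```

Only intrusion C, which was never blocked at any stage, counts as a success for the attacker; the visibility gaps show which stages would need additional sensors.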
Energy industry-specific virus
But cyberdefense isn’t simply an IT challenge; it also is a challenge for operational technology (OT).
The Stuxnet worm was discovered in 2010 after a number of investigations into OT malfunctions at industrial plants and factories. Stuxnet was one of the first viruses designed to target those systems that are responsible for the control of industrial processes and operations. Where Stuxnet led, others followed. For example, the Shamoon virus set out to specifically target infrastructure in the energy industry, successfully striking at least one major organization in the sector. For obvious reasons companies were reluctant to acknowledge just who had been affected, but the situation was clear: A new era of cyberattacks had begun.
As the operators of elements of critical national infrastructure, today’s energy companies find themselves on the front line of the cyber war. Whether state-sponsored cyber warfare, cyberterrorism or simply malicious or criminal behavior, the impact that compromising an energy company can have makes them a highly prized target.
Cultural divide
While IT-based security processes and systems will eventually direct day-to-day OT security operations, that is not about to happen in the short term. Energy companies must look to address their security not just from an IT perspective but also from the OT perspective. It is crucial that the cultural divide that has existed between OT and IT staff is bridged—and bridged quickly.
There are other ways energy companies can secure their infrastructure. One is Palisade, a cybersecurity intelligence management product capable of integrating with existing corporate security environments to deliver wide visibility of IT assets and critical network infrastructure. Another is a cybersecurity managed service offering such as Advanced Threat Monitoring, in which state-of-the-art hardware is combined with software, advanced sensors and process innovation, together with the expert tradecraft of analysts who identify and manage high-confidence threat indicators.
But IT and OT are just two sides of the triangle. Energy companies also must look to address the greatest cybersecurity challenge: the human.
Lockheed Martin has seen first-hand that modifying employee behavior is a critical factor in preventing many compromises of computing assets. Its own response to this has been “The I Campaign.” Not only does it educate employees on risky behavior and individual responsibility, it is able to measure improvements and make adjustments throughout the program. It is certainly a plan that energy businesses could follow.
Looking to the future, it is clear that the energy industry will remain on the front line of the new cyber war. The number of attacks will increase, and the insurance industry is simply no longer willing to insure against the inevitability. The challenge, therefore, is to seek to protect against the attack before it occurs.