As cybercriminal threats increase in number and sophistication, many enterprises in the oil, gas and utility industries must recalibrate their cybersecurity efforts. But the prospect of creating a security strategy from scratch — or bringing an outdated or insufficient plan up to speed — can prove difficult for some IT security managers.
So where to begin? Try inviting the hackers in.
Ethical hacking has underpinned many successful cybersecurity programs since the dawn of the Internet. John Ewing, a security solution architect for CDW, works with clients on a similar approach. Ewing and his team assess an organization’s vulnerabilities by attacking it directly — and safely — through a variety of penetration attempts.
“We will act like a hacker and try to get into the network and see what we can do,” Ewing says. “We can try to access the network from outside or physically go onsite or try social engineering attacks, depending on the customer.”
Ewing and his team also run basic threat checks, monitoring the organization’s networks to see whether malware or other types of attacks have already compromised clients. “We always find something,” he says.
Diagnostic activities are a critical first step for enterprises seeking protection from cyberattacks, but the tactics only provide information on potential problems, not prescriptions for solutions.
Ewing and other security experts say energy companies must take a comprehensive approach when mapping out a cybersecurity strategy, implementing multiple layers of protection while involving stakeholders throughout the organization.
“It’s getting to be where you need a strategy that covers the entire enterprise,” says Karen Scarfone, principal consultant at Scarfone Cybersecurity. Historically, information technology and operational technology departments have been kept separate from one another within energy companies, she says, but the connected nature of modern equipment makes that an outdated model.
“It’s time to quit pretending that everything is in isolated buckets when it’s really not,” she says. “There’s a lot that the different sides can learn from each other.”
A comprehensive strategy must include physical security (such as fences, cameras and motion detectors); perimeter security (including firewalls, unified threat management, and intrusion prevention and detection); authentication (or two-factor authentication for employees with access to sensitive data); endpoint security (such as encryption and anti-virus software); and monitoring (including data logging, packet inspection and network traffic monitoring).
However, technical solutions alone won’t keep organizations sufficiently safe. Scarfone and other experts stress the importance of implementing these measures through collaborative and reflective processes.
“The strategy should involve more than just the security teams,” says Robert Shaker II, incident response manager at Symantec. “Heads of business lines, executives, legal, compliance and technology teams all need to be brought in at the appropriate time to ensure you have an actionable strategy that can give way to a proper program.”
Because many cyberattacks rely on social engineering, experts say employee training plays an integral part in solid security. In particular, spear phishing attacks have become quite common. In this scenario, attackers send emails posing as a known contact of the recipient, with the goal of tricking the victim into providing confidential information or clicking on a malicious link.
Another concern involves hackers leaving infected flash drives in company parking lots, in the hope that employees will make the mistake of plugging the devices into company computers as they attempt to return the drives to their rightful owners.
The insidious nature of these attacks, which can fool even relatively savvy users, underscores the importance of training programs, Scarfone says. “It can happen to anybody. People make mistakes, and attacks get more sophisticated all the time. It just takes a few seconds of inattention to cause a problem.”
Finally, experts emphasize that organizations must go beyond protecting networks from attack. They must also create solid plans for what they will do in the event that their protection measures fail.
“Anybody can be hacked,” says Nadya Bartol, vice president of industry affairs and cybersecurity strategist at the Utilities Telecom Council. “People say there are two types of organizations: those that have been hacked, and those who don’t know it.”
Bartol says organizations should have intrusion detection systems that send out alerts in the event of a breach, to prevent losses or mitigate damage. She also recommends organizations stage “fire drill” type exercises to help refine their cybersecurity response plans — the same way many energy companies regularly test their business continuity plans.
However, while most energy companies now treat cybersecurity more seriously than in the past, Bartol acknowledges a lingering learning curve. “It can’t be done overnight,” she says.