F-Secure report highlights the woeful state of insecurity in the energy industry

It is the most important industry in the world. Energy. We need it. Without it, nothing works.

Without the oil producers and refiners, there’s no petrol to fuel our cars. Without power plans and the supporting infrastructure, there’s no electricity to keep the lights on. Without natural gas pipelines, there’s nothing to heat our homes with.

Put simply, energy is foundational to our entire economy. It’s for that reason, and that reason alone, why it presents such a tempting target for hackers. And troublingly, according to a damning report from F-Secure, The State of the Station, companies working in the energy industry are failing to properly protect themselves from attackers.

Two certainties in life, geopolitics and taxes

The report points out that when it comes to security in the energy industry, there’s no smoke without fire. Incidents tend to coincide with external factors, be they the price of oil, or specific geopolitical trends.

It highlights several actors that reportedly have targeted companies working in the energy sector. One of these, APT33, is believed to have intimate links with the Iranian government. F-Secure highlights a flurry of activity from APT33 in 2018 that coincided with the US withdrawal from the Joint Comprehensive Plan of Action – colloquially known as the Iran nuclear deal.

The report doesn’t definitively draw a link between these events. However, it’s not unheard of for a government to settle scores with an adversary online, rather than through conventional military or diplomatic avenues. A good example of this was the 2018 hacking of Qatar News Agency, which took place within the context of the current gulf diplomatic crisis, and saw Doha point the finger of blame at Saudi Arabia, its regional rival.

APR33 isn’t an isolated example of state-sponsored hackers. According to F-Secure, the actions of two other advanced persistent threats (APTs), Dragonfly and Dragonfly 2.0, are attributed to the Russian government. These actors have targeted companies in the energy sector across the U.S, Turkey, and Europe, in addition to several defense and aviation companies. These actions have taken place as relations between the West and Russia have deteriorated, largely due to the latter’s annexation of Crimea, and its involvement in the war in Ukraine’s eastern regions.

Investment is important

F-Secure points out that companies in the energy space are increasingly connecting their crucial infrastructure to the Internet. Some programmable logic controllers (PLCs) and Industrial Control Systems (ICS’s) offer remote access features, allowing engineers to administer them without having to be in the same room.

The problem is these machines are often woefully secure, often lacking the most basic security protocols, like limiting access to verified users through authentication. F-Secure described many ICS machines as “primarily lacking cyber security resilience, with misconfigurations, insufficient segmentation, or poor company awareness of the issues.”

Furthermore, due to the long life-span of these systems, it’s the unfortunate reality that many industrial computing machines were introduced before people realized that ICS and PLCs could become the target of cyberattacks. Although these pre-Stuxnet machines present attackers with a tempting target, they still have some life left in them, and some firms are unwilling to part ways with their expensive equipment.

It’s worth remembering that IT works a little differently in the energy industry. In a normal business environment, insecure assets are readily replaced with ones perceived to be more secure. However, industrial computers routinely cost energy companies millions of dollars to acquire and are designed to represent a long-term infrastructure investment. It’s unlikely they’ll be replaced purely on the grounds of security.

This is especially true while energy companies are feeling squeezed on the back of rising raw-material prices. F-Secure, in its introduction, suggests that some firms may cut back on IT investment in the face of rising oil prices.

As we all know, oil is an incredibly volatile commodity, and its price regularly waxes and wanes in the face of demand and external geopolitical factors. A great example of this was in 2018, during the Iraq war, when the price of a barrel reached $147.30. Apparently, this has larger implications than the price you pay at the pump.

People remain the weakest link

Far too often, security breaches aren’t the result of technological cunning, but rather sheer human fallibility. People make mistakes. They’re often eager to please. Unlike security professionals, they’re not pathologically suspicious. They’d rather be polite and accommodating than vigilant and questioning. This isn’t necessarily a fault, but just how society conditions people to behave.

Social engineering is also often the easiest avenue into a company. Stuxnet, although brilliant, was an “expensive” attack. It required a lot of sophistication, both in terms of its creation, but also in its deployment.

Spear phishing, which is the most common avenue of ingress into energy companies, often requires little more than a few hours of LinkedIn sleuthing and an infected Word document. If this fails, the attacker will then escalate their approach, using more sophisticated methods of attack until they’re ultimately successful.

Addressing the social element of security has frustrated infosec professionals for years. It’s not a technical problem, which can be resolved by patching systems or changing default settings. It’s something that requires the ability to communicate risk to non-technical and often skeptical users, simultaneously shifting the way they conduct themselves on a day-to-day basis. That’s easier said than done.

Big problems, basic protections

The State of the Station, released earlier this morning, is a fascinating read. It paints a troubling picture of insecurity in the energy industry. Almost all economic activity is based on the presumption of a constant and reliable supply of fuel and electricity. Although we’ve yet to see a security incident of global proportions, the risk is there, especially given the rise of determined and heavily-resourced nation state actors.

The frustrating thing, as pointed out by F-Secure, many of these threats could be eliminated – or at the very least, mitigated – by basic information security. That’s having basic incident response and remediation strategies and ensuring that all companies have a well-fortified digital perimeter, which is manned by talented security engineers and top-notch security solutions.

When it comes to this, the ball is very much in the court of the energy industry.

TNW Conference 2019 is coming! Check out our glorious new location, inspiring line-up of speakers and activities, and how to be a part of this annual tech bonanza by clicking here.