Author: Sue Poremba
A ransomware attack on a gasoline pipeline company threw the energy supply chain into total chaos, all because of one compromised password to an orphaned account. The pipeline was shut down out of an abundance of caution, which created panic, inflated gas prices, and caused an artificial gas shortage. It is a powerful example of the urgent need to improve energy sector security.
Cyber security threats in the energy sector are mostly motivated by the financial interests of threat actors, according to the 2021 Verizon Data Breach Investigations Report (DBIR), but up to a third of the breaches in the industry are due to espionage. The U.S. Department of Energy warns that the energy infrastructure is facing "unprecedented threat levels," creating a complex but critically important security challenge.
Identifying cyber security threats to energy sector security
The National Cybersecurity Center of Excellence identifies four main areas for guidance regarding energy security. They are:
- Securing the Industrial Internet of Things (IIoT)
- Identity and Access Management
- Asset Management
- Situational Awareness
Social engineering tactics are responsible for 86% of the cyber attacks against the energy industry, according to the DBIR, with sustained phishing campaigns a popular tool. Among attacks that do not involve social engineering, ransomware accounts for 44%.
The motivation behind the greatest threats to cyber security for energy and utilities varies by threat actor. Some threat actors may be inspired by their opposition to climate change and see the energy industry as unethical. Others may act due to monetary incentives. Part of their calculus is how dependent the country is on these companies and how deep the financial pockets are within the energy sector. A ransomware attack can result in a very fast payment in the millions.
Types of companies most at risk from cyber security threats in the energy sector
Cyber security threats affect all types of businesses within the energy industry, with oil/gas companies among the top targets.
The physical part of the electric grid was built decades ago and was not designed for today's technology. Equipping it with the necessary security tools to keep the grid safe, including updated operating systems and software, is expensive and difficult. Remote substations are vulnerable to physical access by threat actors. Despite all the regulation surrounding the industry, individual utilities work independently, and it is challenging to keep up with the constant changes, especially with overall staff shortages.
The Harvard Business Review stated the gas and oil industry is in need of a new structure in its energy sector security approach. It recommends more attention be focused on the security of operational technology (OT) assets and the addition of IIoT and artificial intelligence (AI) technology across the industry.
Government action against cyber security threats in the energy sector
Recognizing the cyber security threats in the energy sector, the Biden Administration issued an executive order to address and improve the country's cyber security, both for IT and OT. Building from that executive order, the Department of Energy launched the Electricity Subsector Industrial Control Systems (ICS) Cybersecurity Initiative, a 100-day plan to offer better protection to the electric grid, and introduced upgrades to the Cybersecurity Capability Maturity Model tool to strengthen protections for energy sector security.
Last year, a ransomware attack brought empty gas pumps to the East Coast. The next cyber attack could put large sections of the country in the dark for undisclosed periods of time.
The author of this content is a paid contributor for Verizon.