Energy & Utility – Security Intelligence (https://securityintelligence.com)

Water facilities warned to improve cybersecurity
https://securityintelligence.com/articles/water-facilities-warned-to-improve-cybersecurity/
Thu, 20 Jun 2024 16:00:00 +0000

United States water facilities, which include 150,000 public water systems, have become an increasingly high-risk target for cyber criminals in recent years. This rising threat has demanded more attention and policies focused on improving cybersecurity.

Water and wastewater systems are one of the 16 critical infrastructure sectors in the U.S. To qualify for inclusion in this category, a sector must be so crucial to the United States that “the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters.”

According to the X-Force Threat Intelligence Index 2024, energy companies, which include water facilities, ranked fourth in terms of industries attacked, accounting for 11.1% of all attacks. In the energy sector, malware was the most common type of attack (43%), with ransomware coming in second. North America had the second-greatest number of worldwide attacks, with 22%, behind Europe, which experienced 43% of the cases.

Water facilities are at increased risk of cyberattack

The concern became heightened after numerous attacks were made on water facilities, although drinking water has not been compromised in any of them. One of the Municipal Water Authority of Aliquippa’s booster stations in Pennsylvania was the target of an attack by an Iranian-backed cyber group in October 2023. According to a Cybersecurity Advisory issued on December 1, 2023, IRGC cyber actors accessed multiple U.S.-based wastewater system facilities beginning November 22, 2023. The threat actors accessed those facilities, which operate Unitronics Vision Series PLCs, through compromised passwords.

In a recent Wall Street Journal article, Frank Ury, president of the board of the Santa Margarita Water District in southern California, said, “A main concern is that hackers are lying dormant in water facilities’ systems” and that a coordinated attack could target multiple areas at the same time to increase the overall damages and prevent appropriate warnings. Like many water facilities, the Santa Margarita Water District does not have a Chief Information Security Officer. Additionally, Ury shared that only a small portion (15%) of the facilities’ technology budget goes to cybersecurity.


Concerns prompt federal government action

With the heightened focus on water facilities, CISA released a specific Incident Response Guide for the wastewater sector in January 2024, indicating potential cybersecurity solutions and variable cyber maturity levels. The IRG provides information about federal roles, resources and responsibilities related to each stage of the cyber incident response. Operators can use this guide to help establish baseline standards and develop stronger incident response plans.

Government officials have also been communicating with states regarding the risk to this industry. According to a March 2024 letter from EPA Administrator Michael Regan and National Security Adviser Jake Sullivan to all state governors, many water facilities do not have even basic cybersecurity precautions, such as resetting default passwords or updating software to address known vulnerabilities.

Because proper cybersecurity can mean the difference between business as usual and a disruptive attack, the letter requested governors to assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed and exercise plans to prepare for, respond to and recover from a cyber incident.

In April 2024, Representatives Rick Crawford (R., Ark.) and John Duarte (R., Cal.) proposed a bill creating the Water Risk and Resilience Organization (WRRO), a governing body to develop cybersecurity mandates for water systems. The goal of the WRRO is to work with the EPA to develop and enforce cybersecurity requirements for drinking and wastewater systems.

“Foreign adversaries, such as Russia and China, have utilized cyberattacks to target critical infrastructure such as water systems. This bill is a more proactive approach to safeguarding our drinking and wastewater from these types of attacks. These protections are vital at a time where cyber threats are constant and technology is evolving quickly,” Rep. Crawford said in the announcement.

The post Water facilities warned to improve cybersecurity appeared first on Security Intelligence.

The UK energy sector faces an expanding OT threat landscape
https://securityintelligence.com/articles/uk-energy-expanding-ot-threat-landscape/
Wed, 20 Mar 2024 13:00:00 +0000

Critical infrastructure is under attack in almost every country, but especially in the United Kingdom. The UK was the most attacked country in Europe, which is already the region most impacted by cyber incidents. The energy industry is taking the brunt of those cyberattacks, according to IBM’s X-Force Threat Intelligence Index 2024.

The energy sector is a favorite target for threat actors. The complexity of systems and the reliance on legacy OT systems make them easy prey. Because of the critical nature of these systems, threat actors know that ransoms will be paid to keep downtime to a minimum.

A changing threat landscape

Ransomware is the top threat to the UK’s critical infrastructure, according to the National Cyber Security Centre (NCSC). While some companies are hit with malware attacks directly, there is increasing risk to the OT supply chain, as suppliers and smaller companies that support energy and utilities are more likely to be victims of a cyberattack. These suppliers often lack good cybersecurity programs, making them an easy target for infiltrating larger critical infrastructure organizations.

The war in Ukraine has elevated the risk to the UK’s energy industry. The conflict has emboldened state-related threat actors, and the NCSC warned that the most significant threat to the critical infrastructure is malware launched by nation-state groups. The goal of these threat actors is disruption of operation, which can have a severe impact on the populations that critical infrastructure serves.


Why the UK is Europe’s top target

The UK is the headquarters of several of the world’s biggest energy companies and is considered a major operations point for many more. These companies include:

  • British Petroleum (BP)
  • Royal Dutch Shell
  • Chevron
  • TotalEnergies
  • NationalGrid
  • Drax Group
  • Energy One.

An attack on any of these companies could have a national or global impact. For example, when Australian company Energy One was hit with a cyberattack last year, it also impacted systems across the UK. NationalGrid has reported several near misses — cyberattacks that could have done serious damage to the electric grid, but either cyber criminals missed their mark or the cybersecurity systems did their job to keep the lights on in the UK.

However, threat actors are busy. UK intelligence agencies have discovered active forums and dark web sites sharing information on how to access organizations across the energy and utilities industry. While some are looking at how to get into corporate systems, a growing number of cyber criminals are more interested in accessing the OT systems of the energy sector.

How OT impacts cybersecurity

OT presents a different cybersecurity challenge from IT systems. Traditionally, most OT systems across the energy industry were stand-alone, unconnected from the internet and other systems. However, as infrastructure grows more complex, vulnerabilities are increasing and adding new threat layers — particularly in the software supply chain. Adding to the problem are the legacy systems in OT, with firmware that can’t be updated or hardware that can’t be replaced without reducing efficiency.

As a result, this sets up a catch-22 for the energy industry: How do you continue to use legacy systems while cybersecurity threats against the energy sector are on the rise?

It starts with knowing your exposure, according to the IBM report. Implementing zero trust and least privilege frameworks will limit access and the misuse of credentials. But chances are there are credentials already available on the dark web, so it is necessary to use dark web monitoring capabilities to find credentials at risk, identify leaked identities and check social media networks where unauthorized information is being shared.

Most importantly, the energy industry needs to prioritize cybersecurity across critical systems. Threat actors will continue to take advantage of weak OT systems and an uncertain global outlook, especially as war rages in Europe. Nation-state actors want to take down the critical infrastructure in the countries they see as enemies, and as the UK is home to many of the world’s largest and most important energy companies, it will remain at high risk.

The post The UK energy sector faces an expanding OT threat landscape appeared first on Security Intelligence.

Third-party breaches hit 90% of top global energy companies
https://securityintelligence.com/articles/third-party-breaches-top-global-energy-companies/
Tue, 06 Feb 2024 13:50:00 +0000

A new report from SecurityScorecard reveals a startling trend among the world’s top energy companies, with 90% suffering from data breaches through third parties over the last year. This statistic is particularly concerning given the crucial function these companies serve in everyday life.

Their increased dependence on digital systems facilitates the increase in attacks on infrastructure networks. This sheds light on the need for these energy companies to adopt a proactive approach to securing their networks and customer information.

2023 industry recap: Largest third-party breaches in the energy sector

The energy sector faced significant challenges in 2023, marked by a notable rise in third-party data breaches. These incidents did more than just leak sensitive information — they also cast doubt on the industry’s security protocols. The breaches varied, but they resulted in financial losses, damaged reputations and eroded customer confidence.

Some of the key findings in this report included:

  • There were 264 reported breaches in the energy sector linked to third-party issues
  • All top 10 U.S. energy companies were included in confirmed third-party breaches
  • The MOVEit vulnerability was especially prevalent in the last six months, affecting numerous global energy companies
  • 33% of energy companies scored a C or lower in security, indicating a heightened breach risk.

This surge in breaches is prompting the sector to strengthen its security measures, potentially leading to stronger defenses against future incidents.

What’s causing the rise in third-party breaches?

When focused on expansion, energy companies often engage multiple third-party vendors for specialized services. These external partners, ranging from software to logistics providers, bring their unique security configurations to the table.

While these collaborations offer several benefits, they also open up new security loopholes. A compromised vendor system can act as a gateway for cyber criminals to penetrate a partner’s data network.

Another key factor in the rising incidence of cyber breaches is the energy sector’s push towards digitalization. The integration of technologies such as IoT devices, cloud computing and machine learning offers numerous advantages but also expands the attack surface.

As numerous energy companies prioritize growth, maintaining a thorough understanding of their supply chain’s security often takes a backseat. This shortfall in oversight can leave critical weak points undetected, posing a challenge in preemptively addressing vulnerabilities. These overlooked areas can become prime targets for cyber attackers looking to exploit these security gaps.


What are the implications for critical infrastructure organizations?

Critical infrastructure entities must be vigilant about third-party breaches, as these incidents risk not only financial stability but also operational effectiveness and their public image.

Financial ramifications

The economic fallout from data breaches is substantial. The expenses can range from immediate outlays for detecting and fixing the breach to regulatory penalties and possible legal actions from those impacted. A recent report by IBM on the cost of data breaches in 2023 reveals that the average financial hit from these types of incidents last year reached $4.45 million, marking a 15% rise in the past three years.

Effects on operations

A breach originating from a third party can severely disrupt operational processes. This might lead to periods of inactivity and decreased productivity. In extreme cases, organizations might find it necessary to completely suspend their operations to manage the situation. This halt in activity is particularly critical for organizations responsible for essential services like electricity, water and transportation, as it can lead to widespread societal effects.

Reputational damage

Apart from the financial and operational implications of third-party breaches, there are also risks to a company’s reputation. Trust is incredibly important, and when lost, it can be very hard to re-establish. This can cast doubts on the ability of an organization to protect sensitive information, which will affect its business growth in the future.

How are organizations addressing their third-party risk profile?

With the growing concern over third-party breaches, energy sector companies are not sitting idle and are implementing better security measures to safeguard against these threats. Below are some of the main tactics they’re using.

Exhaustive assessments of vendors and supplier risk management

A thorough vendor evaluation should be conducted to mitigate third-party risk. This step is essential to ensure that partners’ security protocols and practices measure up to the company standards. It includes an assessment of their security practices, such as data protection policies, incident response plans, compliance with regulations and financial standing.

Continuous auditing and monitoring of vendor systems

A vital component of third-party risk management involves the ongoing auditing and monitoring of external vendor systems and networks. This continuous oversight helps companies detect shifts in a vendor’s risk profile and identify potential threats more quickly. Utilizing real-time monitoring tools for immediate alerts on unusual activities and routine audits ensures that vendors consistently meet established security standards.

Safe data transfer methods and strategic network segmentation

In the regular course of business with third parties, safely sharing data is a critical concern. Companies are adopting secure data transfer practices such as data encryption, secure file transfer systems and strict access management.

Network segmentation is another vital strategy for diminishing third-party risk. It involves splitting the network into distinct segments, each safeguarded by specific security measures, localizing and limiting the impact of any potential breach.

Keep your third-party risk management strategies up to date

The recent increase in attacks on third-party vendors highlights the importance of constantly updating and improving third-party risk management strategies. By regularly reviewing and enhancing these strategies, companies can stay ahead of potential threats and ensure the security of their customer data.

The post Third-party breaches hit 90% of top global energy companies appeared first on Security Intelligence.

Today’s biggest threats against the energy grid
https://securityintelligence.com/articles/todays-biggest-threats-against-the-energy-grid/
Mon, 15 May 2023 13:00:00 +0000

Without the U.S. energy grid, life as we know it simply grinds to a halt. Businesses can’t serve customers. Homes don’t have power. Traffic lights no longer work. We depend on the grid operating reliably each and every day for business and personal tasks. That makes it even more crucial to defend our energy grid from modern threats.

Physical threats to the energy grid

Since day one, the grid has been vulnerable from a physical perspective. Storms knocking the grid offline are common news. But Forbes reported that solar storms — when explosions on the sun’s surface produce solar flares and streams of particles — pose an even bigger threat. There have been more than 100 solar storms in the past 150 years. While weather prediction technology continues to develop, the grid will likely always be vulnerable to some degree from these types of threats.

While physical threats from humans have always posed a risk to the grid, attacks have increased in recent years. According to the Department of Energy, 2022 saw an increase of 77% in physical attacks on the grid. Numerous credible threats and potential attacks have happened in recent years, including the shooting of substations in Moore County, North Carolina, which shut down power for residents.

Cybersecurity threats are an increasing concern

According to the Threat Intelligence Index report, the energy sector made up 10.7% of all cyberattacks X-Force responded to during 2022, making energy the fourth most attacked industry. In North America, energy companies suffered 20% of attacks, making energy the most attacked industry.

However, the types of attacks varied. Most attacks (40%) were started by cyber criminals exploiting a public-facing application. Spear phishing links and external remote services each made up 20% of energy sector attacks. Other types of attacks included data theft (23%), extortion (23%), ransomware (15%), BEC (15%), credential harvesting (15%) and botnet infections (19%).

The unrest resulting from Russia’s invasion of Ukraine also increased concern over cyberattacks on the energy grid, especially from the Killnet group. In early 2023, Killnet stole the personal information of over 10,000 U.S. federal agents after breaching the FBI’s database. More relevant here, the energy sector fits Killnet’s attack profile for distributed denial of service (DDoS) threats. Experts recommend partnering with a third-party DDoS mitigation provider.

Reducing vulnerabilities of the energy grid

The energy grid’s aging infrastructure and legacy technology significantly increase the risk of attacks. Forbes reported that components at the end of their life cycle increase the risk of cascading failures. By focusing on upgrading technology and equipment to modern, cloud-based technology, companies can reduce their vulnerabilities.

The post Today’s biggest threats against the energy grid appeared first on Security Intelligence.

2022 industry threat recap: Energy
https://securityintelligence.com/articles/2022-industry-threat-recap-energy/
Thu, 13 Apr 2023 16:00:00 +0000

In 2022, 10.7% of observed cyberattacks targeted the energy industry, according to the X-Force Threat Intelligence Index 2023.

This puts energy in fourth place overall — the same as the year prior and behind manufacturing, finance and insurance and professional and business services. The report notes that this reduction in total cyberattacks may be partly tied to pushback from highly public breaches in 2021, such as the Colonial Pipeline attack.

Despite the overall drop in threats, however, the industry remains at risk. Consider the recent ransomware attack on Ohio-based Encino Energy, which saw 400 GB of data exposed. The oil producer says that the attack did not impact its operations. However, there’s no word on whether or not it paid the ransom.

To help organizations better navigate the coming year, we’re taking a look back at 2022. What threats were prevalent? How effective were defenses? What’s next for energy cybersecurity?

What were the top energy industry threats in 2022?

The biggest threat to energy organizations in 2022 was the exploitation of public-facing applications, accounting for 40% of all infections. Spear phishing and external remote services each accounted for 20% of cases and botnets were responsible for 19%. Ransomware and BEC both came in at 15%.

Data theft and extortion were the most commonly cited outcomes of these attacks at 23%, with credential harvesting at 15%. Regionally, North America took the top spot with 46% of all attacks, followed by Europe and Latin America at 23% and just under 5% in Asia, the Middle East and Africa.


How effective are current energy defenses?

Current energy defenses are hit or miss.

Here’s why: In cases where companies were able to detect cyber threats, they were able to take action. The Colonial Pipeline attack is a good example. After uncovering evidence of the threat, the company moved quickly to address it. But this move also meant a sudden shutdown of operations, which in turn raised fears of potential energy shortages.

It’s also worth noting that while industrial control system (ICS) attacks on energy companies were lower than expected in 2022 as companies made efforts to detect and deflect these attacks, ransomware volumes rose significantly. What’s more, attacked organizations often do not disclose whether they paid ransom demands as a solution to cybersecurity issues. This means there’s no guarantee that they resolved these threats — only temporarily silenced them.

Where are compliance regulations impacting energy cybersecurity?

Compliance in the energy sector is evolving.

In general, energy organizations are subject to guidelines and recommendations regarding cybersecurity rather than specific regulations. For example, the Cybersecurity Risk Information Sharing Program (CRISP) is a public-private partnership that’s partially funded by the Department of Energy (DOE) and is managed by the Electricity Information Sharing and Analysis Center (E-ISAC). The program encourages sharing threat data across energy industry organizations to help improve overall industry protection.

There are also new federal guidelines on the horizon. As noted by Utility Dive, the new White House national cybersecurity strategy asks energy companies to build proactive rather than reactive security solutions to create “a new generation of interconnected hardware and software systems.”

While this is good news overall for the sector, it may come with some growing pains. For example, many energy companies still rely on legacy ICS and SCADA solutions to connect and manage key operational components. These solutions were never designed to interface with modern applications and services, meaning the implementation of security-by-design may require the complete removal and replacement of these systems, a process that some energy experts warn could drive up prices overall.

It’s also worth noting that the new directive does not cover all energy and utility sector businesses, such as petroleum refining or water treatment. This means that while new legislative efforts are a good start, they do leave industry gaps.

How common is the CISO role in energy?

As of December 2021, 45% of companies in the U.S. didn’t employ a chief information security officer (CISO), even though 58% feel it’s important to have someone in this role.

Energy is in a similar position. As organizations recognize the key role of security in business operations and industry reputation, CISOs are becoming more common. However, the position is by no means universal. CISOs in the energy sector also face the ongoing challenge of fighting for a seat at the boardroom table. This can be problematic. If efforts at proactive security are not part of strategy discussions up-front, they are often far less effective overall.

Put simply, while both the number and impact of energy CISOs are rising, there’s still room for improvement.

2023: What comes next for energy?

In 2023, energy companies can expect more of the same: More ransomware, more botnets and more data exfiltration.

They should also prepare for a rise in machine learning and artificial intelligence-based attacks as these technologies become more mainstream and play a more prominent role in threat actor operations.

Regardless of the vectors themselves, however, the strategy for energy industry security success remains the same: Better tools for more visibility, underpinned by a seat at the table for CISOs to help them design, implement and manage effective security programs.

The post 2022 industry threat recap: Energy appeared first on Security Intelligence.

One year after the Colonial Pipeline attack, regulation is still a problem
https://securityintelligence.com/articles/colonial-pipeline-federal-regulation-update/
Mon, 11 Jul 2022 13:00:00 +0000

The Colonial Pipeline cyberattack is still causing ripples. Some of these federal mandates may mark major changes for operational technology (OT) cybersecurity.

The privately held Colonial Pipeline company, which provides nearly half of the fuel used by the East Coast — gasoline, heating oil, jet fuel and fuel for the military totaling around 100 million gallons a day — was hit by a double-extortion ransomware attack by the DarkSide group in May of 2021.

In reaction, the company shut down pipeline operations and IT systems. Next, they brought in FireEye’s Mandiant to conduct cyber forensics.

The event triggered panic in national security circles. After years of talk about whether a state-sponsored cyberattack could shut down major infrastructure or utilities on a massive scale, it seemed like that fear finally came true. In fact, the company was motivated by money and chose to shut down.

Still, the Colonial Pipeline attack mobilized the federal government into action. And that action is what’s still causing lingering problems.

TSA responses to Colonial Pipeline attack

In the aftermath of the attack, the Transportation Security Administration (TSA) issued two major mandatory cybersecurity directives for all U.S. pipeline operators. TSA rules had been voluntary before this. Now, violators could be fined up to $11,904 per day.

Trouble is that the TSA developed these rules without notice-and-comment rulemaking, which would have enabled pipeline companies to contribute to the crafting of rules to make them more feasible. Even Congress wasn’t notified of the rules in advance.

Some pipeline operators are now saying that not only are some rules confusing and too complex, but they might even threaten pipeline operations and safety.

Mandatory cybersecurity rules have constrained power stations for many years. However, lawmakers saw pipeline operators as a special case requiring a lighter touch. By definition, these companies operate IT and OT systems that span vast distances. Compliance with the new directives, for example, often means sending technicians to each far-flung control box and attempting to apply patches, upgrades or changes that don’t always make sense for that kind of hardware.

Struggling to comply

Pipeline operators say they are struggling to comply. While the TSA offered to help companies, the agency also appears overwhelmed. Operators have permission to find other routes to the same objectives, but the TSA has to approve those plans first. And it has become clear that the TSA is understaffed and underfunded for this level of back-and-forth.

The core problem is that TSA is not the right agency for this kind of regulation, according to University of Tulsa professor Ido Kilovaty. Its current staffing and budget are “lacking the expertise and tools needed to effectively regulate cybersecurity in the pipeline context,” he wrote.

A better choice may be the Federal Energy Regulatory Commission (FERC). This is an independent agency within the Department of Energy responsible for cybersecurity regulation of the electric power sector. Moving from TSA to FERC, in fact, has the backing of the Biden Administration.

In general, the TSA rules are overly prescriptive, dictating not only outcomes but methods. And these prescriptions may not consider the variability and complexity of affected systems.

One common complaint is that the directives don’t give enough time. The timelines are too aggressive and overly specific.

What the industry can expect from future regulations

Changes are coming. Pipeline cybersecurity regulations may remain under the TSA, but with expanded funding. Or, the government may move them to another existing agency or to a special-purpose agency yet to be created. And new rules, made in concert with the pipeline industry, are surely coming to replace the old.

It’s ironic that the rushed, overly prescriptive, top-down directives ended up that way in the interest of time. Now, arriving at a regulatory regime that really works to keep pipelines safe is taking far longer than it could have.

Lessons learned by 2022 cyberattacks: X-Force Threat Intelligence Report
https://securityintelligence.com/articles/lessons-learned-top-cyberattacks-x-force/
Published Thu, 26 May 2022 13:00:00 +0000

Every year, the IBM Security X-Force team of cybersecurity experts mines billions of data points to reveal today’s most urgent security statistics and trends. This year’s X-Force Threat Intelligence Index 2022 digs into attack types, infection vectors, top threat actors, malware trends and industry-specific insights.

This year, a new industry took the infamous top spot: manufacturing. For the first time in over five years, finance and insurance were not the top-attacked industries in 2021, as manufacturing overtook them by a slight margin. Here’s a breakdown of the top five industries targeted and what businesses need to know about each one.

#1 Manufacturing

For the first time since 2016, manufacturing was the most attacked industry in 2021, targeted in 23.2% of the attacks addressed by X-Force.

Accounting for 23% of attacks, ransomware was the top attack type, exposing the heavy focus ransomware actors place on manufacturing. Server access attacks came in second place at 12%, which might represent some failed attack operations. Business email compromise (BEC) and data theft tied for third place, at 10% each.

BEC attacks often seek to take advantage of manufacturer relationships with suppliers, sub-suppliers and wholesale shipping. Threat actors redirect payments between partners to accounts under the BEC attackers’ control. Meanwhile, data theft efforts may focus on stealing sensitive intellectual property or holding data for ransom.

#2 Finance and insurance

Attackers hit finance and insurance companies in 22.4% of attacks remediated by X-Force in 2021. Compared to prior years, the financial industry’s attack rate has fallen. This suggests that financial companies are putting higher standards in place. In addition, financial services use hybrid cloud environments, which enable improved data visibility and management.

Server access breaches (14%) were found to be the top attack type on finance and insurance companies. This was followed by ransomware, misconfigurations and fraud, all coming in at 10%. Meanwhile, phishing was the most common infection vector for financial services, leading to 46% of attacks against this sector in 2021.

#3 Professional and business services

Professional services include IT providers, law firms, architects, accountants and consultants. Business services include office administration, HR, security services, travel assistance and landscaping. Professional and business services firms accounted for 12.7% of all attacks observed in 2021.

Ransomware was the top attack type for this sector, making up 32% of all attacks observed by X-Force. Server access attacks were the second-most common attack type (19%). A decrease in ransomware attacks in Q4 suggests that professional services firms are doing a better job at thwarting ransomware attacks. Vulnerability exploitation accounted for 50% of incidents, and phishing accounted for another 20% in this sector.

#4 Energy

The energy industry was the fourth most attacked in 2021, with 8.2% of all attacks observed. The X-Force report speculates that threat actors shifted their focus away from energy entities for a brief time in fear of retaliation for the ransomware attack on the Colonial Pipeline in May 2021. But attack rates appear to be rising since September.

Ransomware (25%) was the most common attack type against energy organizations in 2021. This was followed by remote access trojans (RATs), direct denial of service and BEC, all of which tied for second place (17%). Phishing was the most common attack vector, making up around 60% of attacks against the energy sector. Vulnerability exploitation made up the other 40% of incidents.

#5 Retail and wholesale

Retail and wholesale were the fifth most targeted in X-Force’s 2022 ranking. Overall, the sector faced 7.3% of all attacks. Within the sector, retail accounted for 35% and wholesale 65% of attacks. Threat actors may have focused more on wholesale groups due to their role in supply chains.

BEC, server access, data theft and credential harvesting were the top attack types on retail and wholesale last year. Ransomware and banking trojans also accounted for a large number of attacks, followed by RATs, misconfiguration and fraud. Phishing was the top infection vector for the sector, accounting for 38% of the attacks. Stolen credentials were the second most common vector at 31%. Meanwhile, vulnerability exploitation made up another 23% and brute force 8%.

Adapt and thrive

The threat landscape is constantly changing, and each industry has its unique challenges. Overall, ransomware continues to be the top threat in most sectors. As shown by the improvement in finance and insurance, efforts to strengthen digital defenses lead to concrete results against established and emerging threats.

Report: Cost of a Data Breach in Energy and Utilities
https://securityintelligence.com/articles/cost-data-breach-energy-utilities/
Published Wed, 03 Nov 2021 13:00:00 +0000

On average, the cost of a data breach rose by 10% from 2020 to 2021. The energy industry ranked fifth in data breach costs, surpassed only by the health care, financial, pharmaceutical and technology verticals, according to the 17th annual Cost of a Data Breach Report. Some energy cybersecurity measures can help reduce the cost of a data breach in a big way. For example, take a look at zero trust deployments, artificial intelligence and automation.

It’s important to better understand data security in this growing and crucial field. Take a look at some recent data breaches that affected energy and utility providers. What data security risks and challenges are unique to these sectors?

What Is a Data Breach in the Energy and Utilities Industries?

The energy sector includes oil and gas companies, alternative energy producers and suppliers and utility providers such as electric companies. Energy cybersecurity breaches and failures can have tremendous impacts. They even go beyond the cost to the companies that mine for oil or gas or provide energy to customers. After all, people rely on these services for nearly every aspect of life.

Compromised Password Leads to Gas Shortages

This type of problem joined the United States’ many other challenges in spring 2021. An attacker gained remote access to the network of a major U.S. pipeline company via an employee’s virtual private network (VPN). The VPN was not even in use at the time. However, it remained open for threat actors to use it as a gateway to the company’s main network. The attacker found the password used to access the account on a list of leaked passwords on the dark web. Experts suggest that the employee may have used the same password on another account. A threat actor then stole it from that account and shared it online.

One week after the data breach, the threat actor sent a ransom note. In response, the company shut the pipeline down. They did so on purpose because they wanted to avoid an attack on their operational technology network. After all, these are the systems that control the physical flow of gasoline.

This happened to occur at the same time as increases in COVID-19 vaccinations and car travel across the U.S. Because of this, the resulting gasoline shortage led to long lines at gas stations and high oil prices. That in turn directly affected consumers’ wallets just as many were beginning to return to work and recover financially amidst a global pandemic.

This shows the importance of educating employees on data protection and data security best practices. In particular, make sure to use unique passwords for every account.

San Francisco Utility Fined $2.7 Million

The rise in smart meters introduces new threats to utilities such as power companies. One San Francisco-based utility was saddled with a $2.7 million fine from federal security regulators for failing to protect confidential data, which included more than 30,000 pieces of information. A third-party contractor allegedly copied data from the utility’s network to its own. From there, it was hosted online without a user ID or password.

Threats of ransomware and denial-of-service attacks are also a concern for utilities that implement smart meters and store customer data on their network. That’s a big problem if that network falls out of the control of the utility.

Solar Devices Create Portal to Access the Grid

Cyber attacks and big data security concerns affect all kinds of energy companies. In 2019, the Department of Energy reports, threat actors breached the web portal firewall of a solar power utility. This caused operators to lose visibility for parts of the grid for 10 hours.

Devices such as solar photovoltaic inverters that connect to the internet to help manage the grid can become targets. In particular, attackers can take advantage if the company doesn’t update and secure their inverter software.

What Is the Cost of a Data Breach for Energy and Utilities Companies?

The Cost of a Data Breach Report, which has grown into a leading benchmark report in the cybersecurity industry, shares that the average cost of a data breach in the energy industry is $4.65 million. The good news is this figure has dropped by 27.2% since 2020 when the average cost of a data breach in the industry was up to $6.39 million.

Risks and Challenges of Data Security

Social engineering, system intrusion and web application attacks made up 98% of energy data breaches in 2021. Social engineering, or phishing, attacks were the most common, although ransomware attacks continue to be a threat for the sector.

According to the Verizon report, the following data was stolen, lost or rendered inaccessible by ransomware most often:

  • Login credentials
  • Internal company data
  • Personal data of employees and customers.

In 98% of all cases, the threat actors were not connected with the companies in any way; only 2% of attacks were internal breaches.

There’s more good news, too. The threat of ‘hacktivism’, attacks by threat actors motivated by causes such as environmentalism and sustainability, is on a steep decline. According to the IBM X-Force Threat Intelligence Index, these attacks dropped by 95% between 2015 and 2019. Oil and gas companies would be the primary targets of such attacks, so their decline frees up energy cybersecurity departments to focus their budget and attention on other threats.

The rise of employees working from home and accessing networks remotely also creates a growing threat. The IBM report discovered that the cost of a data breach rose by an average of $1.07 million when remote work was a factor. In situations where more than 50% of the workforce was remote, it took IT security experts an average of 58 days longer to detect and contain threats.

Taking proactive steps toward employee education regarding cybersecurity best practices can help mitigate risks. Make sure your people know how to reduce the risk of compromised credentials, which were responsible for 20% of all attacks, according to the report. On top of that, train them to look out for the signs of social engineering and phishing.

Roundup: 2021 Energy & Utility Data Breaches and Defenses in the News
https://securityintelligence.com/articles/energy-utility-data-breaches-2021/
Published Thu, 28 Oct 2021 13:00:00 +0000

Ransomware is evolving. How long until it takes down operational technology?

In May 2021, Colonial Pipeline, one of the largest fuel pipelines in the United States, faced a ransomware attack. The company, which transports more than 100 million gallons of gasoline and other fuel daily from Houston to the New York Harbor, shut down work for several days. It also showed how open our energy infrastructure is to cyber attacks. More and more, we rely on tech to run critical systems and operations. So, protecting systems and networks is more crucial than ever. See how attacks in these sectors are growing and what organizations can do to bolster their protections against bad actors. Check out our top news from the world of energy and utility security so far in 2021.

Top Energy & Utility Insights 

Shedding Light on the DarkSide Ransomware Attack

As ransomware evolves, there’s growing concern about the potential for it to spread to operational zones and upstream to the overall supply chain. After all, that could cause widespread damage. In fact, IBM Security X-Force data found that ransomware attacks were the most common threat to organizations that use operational technology (OT) in 2020. Why? Threat actors may find OT organizations attractive for ransomware attacks: they face costly downtime, and an outage can impact a wider ecosystem and individual consumers. Look at the growing threat of groups like DarkSide, the gang allegedly behind the Colonial Pipeline attack. See how a zero trust approach paired with other tactics can help energy and utility groups reduce their ransomware risk.

Poison in the Water: The Physical Repercussions of IoT Security Threats

When the water treatment plant in Oldsmar, Florida was breached earlier this year, a frightening potential problem suddenly came true: an Internet of things (IoT) incident had moved into the physical world. The attacker changed the amount of sodium hydroxide in the public water supply from 100 parts per million to 11,000 — what could be a dangerous level of lye. If consumed, the water could have caused loss of vision, pain and shock, among other symptoms. Luckily, the attack was stopped and the public wasn’t harmed. But it brought to light once again that the rise of IoT devices comes with risks. Read this article to find out ways you can help protect your organization against cyber-physical attacks.

A New Directive for Pipeline Operators Puts Cybersecurity in the Spotlight

Cyberattacks against critical infrastructure are increasing. In response to the disruptive and destructive nature of these attacks, the U.S. federal government released a new DHS/TSA Security Directive, “Security Directive Pipeline-2021-01, Enhancing Pipeline Cybersecurity,” and warned critical infrastructure companies to step up their defenses. Find out more about the directive’s broad set of requirements for owners and operators and its three critical actions.

It’s an Operational Technology World, and Attackers Are Living in It

The IBM Think 2021 virtual conference in May featured a panel by Tenable Vice President of Operational Technology Security Marty Edwards and X-Force Red Hacking Chief Technology Officer Steve Ocepek. Before they delivered their address, Edwards and Ocepek sat down for an interview. They covered the threat landscape of OT, the various attack paths against OT, vulnerabilities that are enabling attackers to succeed and how to reduce the risk of an OT compromise. Read this article to find out what they had to say.

Threat Actors’ Most Targeted Industries in 2020: Finance, Manufacturing and Energy

IBM Security’s annual X-Force Threat Intelligence Index gathers insights about the topmost targeted industries every year. This year’s index showed energy was one of three industries at the top of a list of targeted sectors. Roughly 35% of attacks on the energy industry were attempted data theft and leaks. With 11.1% of attacks on the top 10 industries in 2020, energy ranked as the third most attacked industry, up from ninth place the year prior. Server access attacks on the energy sector hit hard in 2020, too. The industry came in fourth place after health care for the highest number of such attacks. Read the article to find out more.

More on the Status of Energy & Utility IT Security

In September, Vanguard reported that the office of the National Security Adviser will commence a three-month Cyber Security Sensitization outreach across seven at-risk sectors of the nation’s economy, including the energy sector.

Also in September, The Guardian reported that a quarter of cyber incidents reported to Australian security officials over the past year have targeted critical infrastructure and essential services, including health care, food distribution and energy.

Finally, IT for All published a report on the pros and cons of IoT for energy and utilities.

The Weaponization of Operational Technology
https://securityintelligence.com/posts/weaponization-operational-technology/
Published Wed, 27 Oct 2021 16:00:00 +0000

Contributed to this research: Adam Laurie and Sameer Koranne.

Given the accelerating rise in operational technology (OT) threats, this blog will address some of the most common threats IBM Security X-Force is observing against organizations with OT networks, including ransomware and vulnerability exploitation. IBM will also highlight several measures that can enhance security for OT networks based on insights gained from the X-Force Red penetration testing team and X-Force incident response’s experience assisting OT clients with security incidents. These include a focus on data historian and network architecture, such as domain controllers.

OT is the hardware and software that controls industrial processes, such as heavy manufacturing equipment, robotics, oil pipeline or chemical flows, electric utilities, water systems and the functionality of transportation vehicles.

Typically, OT networks are segregated from information technology (IT) networks at organizations that have both. Email, customer transactions, human resources databases and other IT are separated from technologies that control physical processes. Even so, typical threats against IT networks have the potential to affect OT networks, particularly if segmentation is not effective or engineers decide to shut down the OT network as a precaution after an attack on the IT network, such as ransomware.

Threats to OT networks are arguably more dangerous than threats to IT networks because of the physical outcomes that can result, such as passenger vehicle malfunctions, explosions, fires and potential loss of life. A cyberattack with these outcomes becomes, in effect, a physical weapon.

Ransomware Prevails

Of all the attack types X-Force observes against OT organizations, ransomware is the leader. In fact, nearly one-third of all attacks X-Force has observed against organizations with OT networks in 2021 have been ransomware — a significantly higher percentage than any other attack type.

In many cases, ransomware attacks affect only the IT portion of a network. Yet, these IT infections can still have tremendous consequences for operations governed by OT networks. Research by X-Force and Dragos in late 2020 found that 56% of ransomware attacks on organizations with OT networks affected operational functionality in cases where the scope of impact was known. In many of these cases, OT networks were probably shut down as a precaution to prevent ransomware from spreading to OT networks or negatively affecting operations. This was the case in the high-impact ransomware attack on Colonial Pipeline that resulted in gasoline shortages in several U.S. states in May 2021.

In other cases, however, ransomware does make its way over to the OT portion of the network. Ryuk is the ransomware strain most commonly observed by IBM as attacking the OT network.

Ryuk Ransomware on OT Networks

In the fall of 2019, Ryuk ransomware actors hit at least five oil and gas organizations in what appeared to be part of a targeted campaign aimed at OT — specifically oil and gas — entities. At least one of these organizations was a natural gas compression facility at a U.S. pipeline operator as reported by the U.S. Coast Guard, according to a report by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and analysis by Dragos.

A Maritime Safety Information Bulletin issued by the Coast Guard on Dec. 16, 2019, indicated that segregation between the pipeline organization’s IT and OT network was insufficient to prevent the attacker from reaching the OT environment. The report stated that after infecting the organization’s IT network, “the virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations.” The bulletin further indicated that the attack disrupted camera and physical access control systems and resulted in the loss of “critical process control monitoring systems.”

X-Force Incident Response has similarly observed Ryuk affiliates cross over into OT networks in attack remediation and investigations, using methods similar to those observed by the Coast Guard.

In February 2021, a report by the French government noted that newer Ryuk variants have worm-like capabilities and can replicate autonomously across an infected network. X-Force malware analysis of a Ryuk malware sample in June 2021 substantiated these findings, similarly revealing these worm-like capabilities in newer Ryuk variants. X-Force analysis of Ryuk malware showed that samples were packed in loaders similar to those used in Emotet and Trickbot campaigns, and Emotet has been known to worm into OT networks in the past.

It is possible that the new worm-like characteristics of recent Ryuk ransomware samples will give the group a higher likelihood of worming into OT networks in future ransomware operations, particularly if robust segmentation is not in place.

Vulnerability Exploitation

X-Force Incident Response data reveals that, in 2021, vulnerability exploitation is the primary method attackers are using to gain unauthorized access to organizations with OT networks. In fact, vulnerability exploitation has led to a staggering 89% of incidents X-Force has observed at organizations with OT networks so far this year, where the initial infection vector is known.

In 2021, X-Force has also observed threat actors exploit CVE-2019-19781 — a Citrix server path traversal flaw — to access networks at OT organizations. This was the most exploited vulnerability X-Force observed in 2020. The ease with which threat actors have been able to exploit this Citrix vulnerability and the level of access it provides to critical servers make it an entry point of choice for multiple attackers. We strongly recommend remediating this vulnerability if your organization has not done so already.
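The flaw named above belongs to the path traversal class. As an added, generic illustration of how that class of request shows up in web server logs (example code, not X-Force’s or any vendor’s, and not tied to any product’s URL layout), the script below scans constructed Common Log Format lines, percent-decodes each request path until it is stable so double encoding cannot hide a dot-dot segment, and reports when the apparent top-level directory changes after normalization or when the path climbs above the web root. The log lines, client addresses and paths are all constructed sample data.

```python
"""Flag path-traversal attempts in constructed web access log lines.

Added example, not code from X-Force or a vendor advisory. Log lines,
client addresses and request paths are constructed sample data.
"""
import posixpath
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed lines in Common Log Format (addresses from a documentation range).
ACCESS_LOG = """\
192.0.2.10 - - [27/Oct/2021:10:00:01 +0000] "GET /portal/index.html HTTP/1.1" 200 512
192.0.2.11 - - [27/Oct/2021:10:00:02 +0000] "GET /portal/../admin/config.xml HTTP/1.1" 200 2048
192.0.2.12 - - [27/Oct/2021:10:00:03 +0000] "GET /portal/%2e%2e/admin/users HTTP/1.1" 200 1024
192.0.2.13 - - [27/Oct/2021:10:00:04 +0000] "GET /static/css/../js/app.js HTTP/1.1" 200 4096
192.0.2.14 - - [27/Oct/2021:10:00:05 +0000] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
garbage line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(raw: str) -> str:
    """Strip the query string and percent-decode until stable (bounded rounds)."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat backslash separators like slashes


def top_segment(path: str) -> str:
    parts = [p for p in path.split("/") if p]
    return parts[0] if parts else ""


def classify(raw_path: str) -> List[str]:
    """Return the traversal indicators found in one request path (empty = clean)."""
    decoded = decode_path(raw_path)
    resolved = posixpath.normpath(decoded)
    reasons: List[str] = []
    if ".." not in decoded.split("/"):
        return reasons
    reasons.append("dotdot")
    if decoded != raw_path.split("?", 1)[0]:
        reasons.append("encoded")          # '..' only appeared after decoding
    if top_segment(decoded) != top_segment(resolved):
        reasons.append("prefix_change")    # request lands under a different top-level tree
    depth = 0
    for seg in decoded.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                reasons.append("above_root")  # climbs past the web root
                break
        elif seg and seg != ".":
            depth += 1
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse each log line and keep the requests that carry traversal indicators."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a CLF record; a real pipeline would count these
        reasons = classify(m["path"])
        if reasons:
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(ACCESS_LOG):
        print(hit["ip"], hit["status"], hit["path"], ",".join(hit["reasons"]))
```

A bare `dotdot` hit inside one tree (the `/static/css/../js/app.js` line) is low signal, since some clients and proxies emit unnormalized paths; `prefix_change` and `above_root`, especially with a 200 status, are the indicators worth alerting on.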

Zero-Day and Supply Chain Risk

In some cases, OT organizations became victims of the Kaseya-linked ransomware attack, where exploitation of a zero-day vulnerability and a supply chain-esque operation became the initial infection vectors. In the Kaseya case, Sodinokibi/REvil ransomware operators exploited a zero-day vulnerability in Kaseya’s VSA software (now known as CVE-2021-30116) to deliver a ransomware attack. This attack leveraged attack techniques that are more common to advanced nation-state actors — namely, exploitation of a zero-day and a supply-chain propagation technique — which are uniquely difficult to defend against.

In a separate supply chain attack, multiple OT organizations reached out to X-Force for assistance in determining the extent to which the SolarWinds supply chain attack may have affected them. For some of the OT organizations impacted by the SolarWinds attack, original equipment manufacturers (OEMs) were the entry path, underscoring how attackers seek to exploit relationships of trust built between vendors and clients. The OEMs had access to the OT client’s network to perform remote maintenance — and were using compromised SolarWinds software across those remote connections.

Examples such as these highlight the significant risk to OT organizations from supply chain operations.

Defending OT Networks: Don’t Forget Data Historian

When it comes to OT network security, X-Force Red penetration testers have indicated that data historian often provides a reliable pathway into an OT network. Compromising data historian often can create opportunities to compromise the OT network. Thus, security teams should be careful not to overlook data historian when identifying and shoring up potential weak points in their OT network.

A data historian is a type of time-series database designed to efficiently collect and store process data from industrial automation systems. It is used widely for OT networks, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks. Data historian was originally created for — and continues to be used most commonly for — identifying, diagnosing and remediating problems that might lead to costly downtime.

Adversaries that are able to gain access to data historian then have access to data, analysis and information on control systems at that organization — useful for reconnaissance and further attack planning. In addition, data historian can provide a pathway from the IT network into the OT network, if the data historian is dual-homed. Further, data historian tends to have extensive connections throughout OT networks, which can give an attacker an array of potential options for moving throughout an OT environment.

OT organizations can better secure data historian by creating historian security groups, carefully defining who has access to these groups, closely monitoring accounts with access to ensure they are not stolen or abused and implementing strong authentication measures. Organizations can also use electronic signatures and electronic records to demand authentication whenever a change is made to data or configurations in data historian. In addition, placing the historian in a demilitarized zone (DMZ) can help segregate it from the OT network while still providing access from the IT network.
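As an added illustration (not code from X-Force or IBM), the script below audits a constructed host inventory for the dual-homing the paragraph above warns about: it flags hosts with interfaces in both IT and OT, any other second interface that lands in OT, historians that are not placed in the iDMZ, and addresses that fall outside every defined zone. Zone CIDRs, host names, roles and addresses are all constructed sample values; the zone names follow the article’s IT / iDMZ / OT split.

```python
"""Audit a host inventory for interfaces that bridge IT and OT directly.

Added example, not code from X-Force or IBM. Zone CIDRs, host names, roles
and addresses are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed zone map (assumption: one CIDR per zone).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "iDMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed inventory: host -> (role, interface addresses).
INVENTORY: Dict[str, Tuple[str, List[str]]] = {
    "historian-plant1": ("historian", ["10.10.5.20", "192.168.100.20"]),  # IT + OT
    "historian-dmz": ("historian", ["10.20.0.20"]),                        # iDMZ only
    "collector-dmz": ("collector", ["10.20.0.40", "192.168.100.40"]),     # iDMZ + OT
    "eng-workstation": ("workstation", ["192.168.100.30", "10.10.8.8"]),  # OT + IT
    "jump-host": ("jump", ["10.10.7.3", "10.20.0.3"]),                     # IT + iDMZ
    "plc-gateway": ("gateway", ["192.168.100.50"]),
    "hr-db": ("database", ["10.10.9.9"]),
    "unknown-box": ("unknown", ["172.16.0.1"]),                            # no zone
}


def zone_of(addr: str) -> str:
    """Name of the zone whose CIDR contains addr, or UNZONED if none does."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNZONED"


def host_zones(inventory) -> Dict[str, Set[str]]:
    return {host: {zone_of(a) for a in addrs} for host, (_, addrs) in inventory.items()}


def direct_it_ot_bridges(inventory) -> List[str]:
    """Hosts with an interface in IT and one in OT: the bridge the iDMZ should replace."""
    return sorted(h for h, z in host_zones(inventory).items() if {"IT", "OT"} <= z)


def multihomed_into_ot(inventory) -> List[str]:
    """Any host with an OT interface plus an interface in some other zone."""
    return sorted(h for h, z in host_zones(inventory).items() if "OT" in z and len(z) > 1)


def unzoned_hosts(inventory) -> List[str]:
    return sorted(h for h, z in host_zones(inventory).items() if "UNZONED" in z)


def historians_outside_idmz(inventory) -> List[str]:
    """Historians that are not placed in the iDMZ as the text recommends."""
    zones = host_zones(inventory)
    return sorted(h for h, (role, _) in inventory.items()
                  if role == "historian" and "iDMZ" not in zones[h])


def audit(inventory) -> List[str]:
    """Collect prioritised findings; each host appears once per rule it trips."""
    findings: List[str] = []
    critical = direct_it_ot_bridges(inventory)
    for h in critical:
        findings.append(f"CRITICAL {h}: dual-homed IT/OT, replace with iDMZ-mediated flows")
    for h in multihomed_into_ot(inventory):
        if h not in critical:
            findings.append(f"HIGH {h}: second interface into OT bypasses the zone boundary")
    for h in historians_outside_idmz(inventory):
        findings.append(f"MEDIUM {h}: historian not placed in the iDMZ")
    for h in unzoned_hosts(inventory):
        findings.append(f"INFO {h}: interface outside every defined zone")
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY):
        print(line)
```

A real inventory would come from a CMDB or from switch and firewall address tables, but the checks stay the same: a historian that needs data from OT and consumers in IT should reach both through firewall-permitted flows from the iDMZ, not through a second network card.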

It is not uncommon to find companies creating and using ‘enterprise’ data historians hosted within the IT infrastructure. With aggressive cloud adoption strategies and an increase in Industrial Internet of Things (IIoT) devices, companies have started implementing or moving these enterprise historians to cloud environments. Typically, these historians aggregate the data from site- and plant-specific data historians. This approach provides scalability and seamless integration with cloud-based storage and applications for secure information sharing, where needed. However, companies must ensure that they store the data safely without creating an opening for an attack.

MITRE has provided several additional risk mitigation measures to help secure data historian servers/databases, and IBM recommends reviewing those and implementing as many as possible.

Additional Measures for Securing OT Networks

Securing OT networks is more critical than ever. OT network defenders can implement a range of measures to decrease the chances of encountering a cyber incident on their OT network. Some of these measures are aimed at decreasing the risk of a ransomware attack — including Ryuk attacks — while others can assist in preventing a range of different attack types with the potential to weaponize OT networks.

  • Strictly segregate OT and enterprise IT networks, ideally creating an industrial DMZ (iDMZ) as advised in ISA/IEC 62443 guidance. Ensure any dependencies between the OT and IT environment are known and well-documented. Reduce the dependencies between different operational environments using micro-segmentation. The networks and systems should be architected in such a way that it is possible to physically unplug or isolate an environment or system from other environments and maintain full operations. Disable internet access from OT domain controllers, servers and workstations that do not need public access; ideally, internet-connected services should be located in the iDMZ.
  • Filter network traffic to enhance the defense of OT and ICS networks, prohibiting ICS protocols from traversing the IT network, prohibiting communications with known malicious IP addresses, and monitoring communications between the OT and IT environments.
  • Decrease opportunities for domain administrator account compromise by using only the absolute minimum number of domain administrator accounts, locking down domain administrator accounts on domain controllers to prevent credential harvesting and removing local administrator rights for all accounts.
  • Ensure robust security monitoring capabilities through the implementation of an OT security operations center (OT SOC) that collects and correlates the security information from OT and IT networks using an OT intrusion detection system (IDS), application logs collected and stored in a SIEM solution or a managed detection and response (MDR) service.
  • Include impact to OT in a ransomware emergency response plan. CISA recommends considering the full range of impacts to OT that a cyberattack might have, including loss of view, loss of control and loss of safety. Carefully distinguish between events requiring a shutdown of the operational environment and those that do not.
  • Defend against phishing attacks — a common infection vector for Ryuk ransomware — by implementing an email security software solution, including banners on all external emails, sharing with employees real-world phishing techniques and their ultimate effect, disabling macros as default and using behavioral-based antimalware solutions to detect commodity malware strains such as TrickBot, QakBot and Emotet.
  • Invest in incident response preparedness and training for your team. X-Force has observed that preparedness is a significant differentiator between organizations that recover relatively quickly and easily from ransomware attacks and those that do not. Creating and drilling an incident response plan can help your team develop the muscle memory to respond appropriately in the critical moment. Additionally, maintain site-specific OT security incident response plans and preparedness: every OT environment is unique, with different products and systems, so as OT organizations plan their independent emergency response, each site should have its own incident response plan.
  • Test your security controls using safe penetration testing. Penetration testing of the live production OT environment is not recommended; instead, explore safe windows such as factory acceptance tests (FAT), site acceptance tests (SAT) or turnarounds (planned maintenance).
  • Leverage dark web analysis or Shodan to monitor for compromised assets. Maintaining awareness of any compromised devices on your network — or information attackers could use to compromise your network — can assist in taking proactive measures as necessary. Shodan can help identify devices that are discoverable by internet-wide scanning, and routine monitoring of dark web marketplaces for information about your organization can help you stay ahead of potential threat actors.
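The segmentation and traffic-filtering measures above (ICS protocols confined to the OT zone, no contact with known-malicious addresses, OT/IT communication only through the iDMZ) can be checked against connection logs. The script below is an added example and not code from the article or from X-Force; the zone ranges, port list, blocklist and log format are assumptions chosen for illustration.

```python
# Added example, not from the article: a checker for the traffic-filtering
# recommendation above. It parses constructed connection records and flags ICS
# protocols crossing the OT boundary, flows to a blocklisted IP, and direct
# OT<->IT flows that bypass the iDMZ. Zones, ports and blocklist are assumed.
import ipaddress

ZONES = {"OT": ipaddress.ip_network("10.10.0.0/16"),     # assumed OT space
         "IT": ipaddress.ip_network("10.20.0.0/16"),     # assumed IT space
         "iDMZ": ipaddress.ip_network("10.30.0.0/24")}   # assumed iDMZ
# Well-known ICS protocol ports (TCP unless noted).
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3",
             44818: "EtherNet/IP", 47808: "BACnet/IP (UDP)"}
# Constructed blocklist standing in for a threat-intelligence feed.
KNOWN_BAD_IPS = {ipaddress.ip_address("198.51.100.23")}

def zone_of(ip):
    """Map an address to a named zone; anything else is EXTERNAL."""
    return next((n for n, net in ZONES.items() if ip in net), "EXTERNAL")

def check_record(record):
    """record = 'ts src dst dport proto'; returns (rule, detail) tuples."""
    _, src, dst, port, proto = record.split()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    port = int(port)
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    findings = []
    # Rule 1: ICS protocol endpoints must both sit inside the OT zone.
    if port in ICS_PORTS and (sz != "OT" or dz != "OT"):
        findings.append(("ics_protocol_outside_ot", f"{ICS_PORTS[port]} {sz}->{dz}"))
    # Rule 2: any contact with a blocklisted address.
    if src_ip in KNOWN_BAD_IPS or dst_ip in KNOWN_BAD_IPS:
        findings.append(("known_malicious_ip", f"{src}->{dst}:{port}/{proto}"))
    # Rule 3: OT and IT should only talk through the iDMZ, never directly.
    if {sz, dz} == {"OT", "IT"}:
        findings.append(("direct_ot_it_flow", f"{src}->{dst}:{port} bypasses iDMZ"))
    return findings

def analyze(records):
    """Return {record: findings} for every record that triggered a rule."""
    return {r: h for r in records if (h := check_record(r))}

SAMPLE_LOG = [  # constructed records: ts src dst dport proto
    "t1 10.10.1.5 10.10.1.20 502 tcp",     # Modbus inside OT: no finding
    "t2 10.20.3.7 10.10.1.20 502 tcp",     # IT host polling a PLC directly
    "t3 10.10.1.5 198.51.100.23 443 tcp",  # OT host reaching a blocklisted IP
    "t4 10.20.3.7 10.30.0.10 443 tcp",     # IT to iDMZ: the allowed path
]
```

Running `analyze(SAMPLE_LOG)` reports only the second and third records: the IT-to-PLC Modbus poll trips both the ICS-protocol and direct-OT/IT rules, and the OT host contacting the blocklisted address trips the malicious-IP rule.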

The post The Weaponization of Operational Technology appeared first on Security Intelligence.