As online threats multiply, the bad guys learn how their old tricks can be used in new sectors. The same tactics they use successfully on one business can be applied to businesses of all different kinds.
By now we’re used to hearing stories of brands or people we know falling victim to some kind of cyberattack. Whether a friend’s email password was hacked or a large banking institution or healthcare organization experienced a data breach, these things tend to happen as a result of phishing attacks, ransomware, or other malicious computer tactics.
With so much attention elsewhere (and on our personal cybersecurity), we tend not to think about what could happen if hackers took a special interest in the energy sector and successfully controlled that infrastructure. They could steal power or redirect it, send entire regions back to the Dark Ages, or weaponize their access to cause serious damage to another territory.
A cyberattack on Ukraine’s power system in 2015 and 2016 caused power outages affecting hundreds of thousands of people. While energy cybersecurity is likely not far from the minds of national security leaders, this interest and intrigue hasn’t trickled down to the mainstream yet. This should be cause for concern.
There are increasing reports of attempted attacks on different European countries’ electrical grids, and a number of companies that manage nuclear facilities in the US report being compromised by hackers. On some level, this is business as usual – hackers exist to hack, and they’re only going to flex their skills as far and long as it’s interesting to them.
But a country’s energy assets are uniquely vulnerable to cyberattack. Though they are usually off-the-beaten path targets for cybercriminals, the stakes seem far higher for a power plant over a bank account. It’s clear that cybersecurity within the energy industry calls for education and clear best practices.
Here’s what energy businesses need to know to keep their networks safe nowadays.
Whether they are full-time cybersecurity-focused staff or external IT auditors brought in for a short-term engagement, get some expert firepower on your side. These are the domain experts who possess all the niche knowledge necessary to up your cybersecurity game at the organization level.
Cybersecurity staff can help keep you protected on a rolling and recurring basis, while the outsourced help can help you get your cybersecurity in ship-shape compliance as quickly as your operations allow – it happens most quickly with some buy-in from people near the top of the hierarchy.
Make sure your existing staff is expecting the new experts and has proper time to interface with them. Let them gain some familiarity with each other, especially if the worker’s job description is closely related to cybersecurity operations.
At the same time, make sure your staff are primed to learn from the experts and generally do what these people advise. That’s the entire value in bringing them on in the first place – they’re processing a lot of niche information through their own specialized knowledge of cybersecurity in order to design new best practices for the organization.
An expert’s knowledge is not only about protecting the company’s infrastructure, but about preventing any of the data stored there out of the hands of cybercriminals.
Pursue compliance or get a formal audit
Different companies might pursue different levels of compliance based on their needs, but every company processing credit card information online needs to achieve payment card industry (PCI) compliance. PCI compliance (and many comparable standards) are about establishing a sufficiently strong baseline of cybersecurity methodology within a business’s processes in order to keep them safe.
There are self-assessments available for free or comparably cheap, or you might hire professional auditors in order to get expertly informed results right away. In either case, compliance is only possible if an organization reckons with certain cybersecurity realities.
Make top-down education a priority
Workers within an organization aren’t necessarily going to start talking about or learning about cybersecurity topics until someone makes it known that everyone’s going to be taking it more seriously. Enable knowledge transfer from those who know all about cybersecurity – a member of your staff or a guest for a day – to raise the waterline on how much your employees know about it.
Make experienced managers into mentors and educators ready to talk to people about these topics when they have questions. From the board of directors to the C-suite to managers and employees, get everyone on the same page about the value of a strong working cybersecurity knowledge.
They should know about things like spear-phishing emails and to be careful about emails from unfamiliar sources (and to definitely not open attachments from those addresses). Whatever form it takes, get your employees talking cybersecurity and building familiarity with its principles.
Brush up on your password hygiene and choose new ones carefully
Don’t use the same password you used for chat apps years ago. You’ve got to be more mindful than that to stay alive online.
Passwords are the locks of the internet, and knowing the password is the key. The longer the password is, the harder it is to steal completely. That’s why it’s good for passwords to important accounts (like those with administrator privileges) to be 10 characters or longer, and those passwords definitely shouldn’t be re-used across accounts. Make sure passwords contain a mix of uppercase and lowercase letters, numbers, and valid symbols.
Members of the same network should furthermore not be sharing account passwords with each other. It’s extremely difficult (if not impossible) to share this kind of information in a compliant fashion, so it’s better off not happening at all.
Simulate disasters and how you would respond to them
Just as you had fire drills in school to prepare for things going wrong, your energy business should find a productive way to run its own fire drills for when cybersecurity goes sideways.
What is the exact nature of the threat? Were we compliant with industry standards? Who needs to know about this (simulated) incident, and what do we need to tell them? Running simulations in advance with this level of mindfulness and attention to detail will make it much simpler to do the real work in the wake of a genuine, unimagined cyberattack.
Today the world’s largest hacking threats come from Russia, China, Iran, and North Korea. Each of these groups is capable of operations designed to disrupt the functions of the US energy sector. Countries with competitive oil supplies might be motivated to disrupt American production and exporting. Vulnerabilities in the energy sector suggest cybercriminals might look there to gain control of new assets. The criminal group DragonFly is perhaps the most notorious here – as a loud warning to any energy organization, DragonFly probably already done this.
DragonFly gained cybersecurity notoriety for targeting energy sector businesses around Europe and Asia for attack. The group’s big idea was to gather industry-wide intelligence on the operational and control systems in the sector, and once they get enough of that information, the group potentially has the ability to sabotage or gain control of sensitive network-connected energy systems.