Resiliency: The Achilles Heel of Cybersecurity in the Energy Sector

By: Tom Kellermann

CEO, Strategic Cyber Ventures

In the energy sector, physical security efforts have exacerbated cybersecurity efforts. The wide spread deployment of IOT from sensors to surveillance cameras has opened up Pandora’s box.  The energy sectors exposure to cyber attack began when she embraced resiliency and business continuity in the fall of 2003 as the sector’s history of vulnerability began with the Blackout of August 2003.  The sector responded to that blackout by following the financial sector’s resiliency model to ensure business continuity.  In their effort to defend against kinetic events like blackouts they exacerbated their cybersecurity posture.  The increase of remote access and Internet facing SCADA/ICS systems opened up a proverbial “Pandora’s box” of increased risks and threats to these systems.

The situational awareness of our cyber adversaries has been greatly enhanced sometime using nothing more than publicly available tools.   Now targeting of exposed SCADA systems can be achieved via Google-fu or Shodan to identify embedded systems that are exposed to the Internet.   In addition there is a disturbing trend that is starting to pop up on Pastebin whose posts expose SCADA/ICS devices, their IP addresses, and other identifying information for sale. Not only are these systems increasingly connected and accessible: it’s increasingly easy to find them.

The risks of accessibility and discoverability are exacerbated by the advent governments no longer have a monopoly on cyber weapons of war: in some cases they’ve lost control of the weapons they built only to see them fall into the hands of criminals and others.  The arms bazaars of Eastern Europe and South America have now distributed asymmetric capabilities to non-state actors.   In 2017 the non-state actor community will begin to attack the energy sector for political, theological and financial purposes.

It is imperative that the energy sector learn from the gaps in cybersecurity which exist in the financial and government sectors. An over-reliance on perimeter defenses and encryption will not manage the exposures or the targeted attacks employed by our adversaries. I believe that deception grids buttressed by the SANS Twenty Critical Security Controls represent a good starting point to begin to allow offense to inform defense. The energy sector is embracing SCADA/ICS and smart grid technologies. These technologies allow for greater resiliency and efficiency but they do manifest greater operational and systemic risk of integrity attacks.   In 2017 consider – What will be resilient for whom?


Leave a Reply

Your email address will not be published. Required fields are marked *