Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/29/2016
07:30 AM
Alex Campbell
Alex Campbell
Commentary
100%
0%

Critical Infrastructure: The Next Cyber-Attack Target

Power and utilities companies need a risk-centric cybersecurity approach to face coming threats.

The way we think about cyber attacks changed in December 2015, when Ukraine experienced the first recorded power outage caused by a cyber attack. It didn’t last long—between one and six hours, depending on the area—but it showed the government, industry, and the public how these attacks could affect the physical world. It’s not just personal information and other sensitive data that’s at stake. Critical infrastructure is now under threat. 

Advances in information technology and operational technology carry new benefits and risks for many companies. Technological developments not only allow for more efficient management of industrial and process control systems but also increase the attack surface of the organization, making them more vulnerable to cyber threats.

The New Mandate
In May 2016, the G7 Energy Ministers released a joint statement that announced their commitment to “advancing resilient energy systems including electricity, gas, and oil, in order to respond effectively to emerging cyber threats and to maintain critical functions.”

This is the latest in a series of movements around the world to protect data and critical infrastructure. The most immediate actions confronting organizations operating in the EU are the General Data Protection Regulation, which contains some of the most stringent privacy requirements anywhere in the world, and the Network and Information Security Directive (NISD). The NISD will have a significant impact on companies operating critical infrastructure across all major sectors, including the energy sector.

European Commission Vice-President Andrus Ansip described how the NISD will require “companies in critical sectors—such as energy, transport, banking, and healthto adopt risk management practices and report major incidents that can affect the Digital Single Market to their national authorities, which will, in turn, be able to carry out better capacity-building with greater cross-border cooperation inside the EU. It also obliges online market places, cloud computing services, and search engines to take similar security steps.” (The Digital Single Market is an EU initiative that aims to remove existing online barriers for goods and services across the EU.)

Once the NISD is adopted (expected in September 2016), EU member states will have 21 months to integrate the ruling into their national laws, and then six additional months to identify operators of essential services that it affects.

Moving Beyond Protection
The cyber-threat landscape is continuously evolving, with new attack techniques discovered on a daily basis. Organizations across all sectors, including those in the power and utilities market undertaking large technology transformation programs, face an enormous challenge.

On one hand, they have no choice but to embrace the new hyper-connected digital world and all the benefits that new communication channels and platforms bring to the business. But on the other, they must defend against advanced cyber threats as their risk increases exponentially.

The energy sector’s long-held belief that all cyber breaches can be prevented is no longer valid. The incident in Ukraine proved that the era of prevention is over. A new wave of targeted cyber attacks could prove too sophisticated even for the most-advanced cybersecurity defense programs.

Preventative controls such as firewalls, access management, and antivirus systems remain an important part of any cybersecurity program, but investment in monitoring capabilities, threat intelligence, and incident management is needed now. Utilities must be able to identify when an attack is taking place and be ready to set response mechanisms in motion when a breach occurs. They must build an active defense.

It sounds easy enough but, in reality, the energy sector lags behind most other sectors. EY’s most recent Global Information Security Survey revealed that 42% of power and utilities companies say it’s unlikely they would be able to detect a sophisticated attack. The best place to start is by understanding what assets they need to protect and how attacks could play out. This will, in turn, drive the development and implementation of targeted countermeasures.

The protection of critical infrastructure against advanced cyber threats in an increasingly interconnected and borderless digital world is one of the most pressing challenges that energy companies face today. Cybersecurity doesn’t inhibit developments in the digital world; rather, it helps make the digital world fully operational and sustainable. And a tailored and risk-centric approach to cybersecurity will adjust the balance of the digital world back toward sustainability and safety.

After all, it’s just a matter of time before the next attack strikes.

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.


Related Content:

Alex Campbell is a director in the EY Cybersecurity Advisory Centre. He has over 17 years' experience in cybersecurity and has worked extensively in the energy sector. Over that period, Alex has been advising both governments and industry on the protection of critical ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11937
PUBLISHED: 2020-08-06
In whoopsie, parse_report() from whoopsie.c allows a local attacker to cause a denial of service via a crafted file. The DoS is caused by resource exhaustion due to a memory leak. Fixed in 0.2.52.5ubuntu0.5, 0.2.62ubuntu0.5 and 0.2.69ubuntu0.1.
CVE-2020-15114
PUBLISHED: 2020-08-06
In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting i...
CVE-2020-15136
PUBLISHED: 2020-08-06
In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints func...
CVE-2020-15701
PUBLISHED: 2020-08-06
An unhandled exception in check_ignored() in apport/report.py can be exploited by a local attacker to cause a denial of service. If the mtime attribute is a string value in apport-ignore.xml, it will trigger an unhandled exception, resulting in a crash. Fixed in 2.20.1-0ubuntu2.24, 2.20.9-0ubuntu7.1...
CVE-2020-15702
PUBLISHED: 2020-08-06
TOCTOU Race Condition vulnerability in apport allows a local attacker to escalate privileges and execute arbitrary code. An attacker may exit the crashed process and exploit PID recycling to spawn a root process with the same PID as the crashed process, which can then be used to escalate privileges....