Cybersecurity: Defending against a growing menace
Attacks on energy companies and infrastructure are on the up but the industry is fighting back.
The issue of cyber security made international headlines recently when hackers launched an attack on Sony Pictures that led the Hollywood studio to cancel the release of satirical comedy The Interview, which involves a plot to assassinate North Korean leader Kim Jong-un. The incident (which itself could have been the subject of a Hollywood satire) quickly escalated when the hackers threatened cinemas planning to show the film, leading to a tense diplomatic spat between the US and North Korea.
This might be the moment when cyber-attacks entered the public consciousness for the first time, but governments and companies around the world have been aware of the threat for many years and an entire industry has grown around defending against it. A recent survey by the Ponemon Institute for Raytheon found that senior-level information technology and information technology security leaders believe their organisations are taking the right measures to defend themselves against potential threats.
Governments in the Gulf have not been slow to react either, with both the UAE and Qatar adopting cyber security policies. In June last year the UAE’s National Electronic Security Authority (NESA), the federal body set up to oversee the country’s cyberspace, announced the publication of a range of strategies, policies and standards to “align and direct national cyber-security efforts”.
“Cybersecurity is one of the biggest economic and national security challenges countries face in the 21st century,” said Jassem Bu Ataba Al Zaabi, director general of NESA, at the time. “The National Electronic Security Authority was established in line with this modern reality and as soon as the authority was in place, we immediately initiated a thorough review of federal efforts to defend and protect the nation’s ICT infrastructure.
“NESA is committed to ensuring that all UAE government bodies are made fully aware of the responsibility they now have to meet the requirements of these policies and, in turn, what this means in practice going forward.”
Who are they and what are they after?
Governments, web sites, and individuals are coming under attack from nation states, terrorist groups, organised crime, disgruntled current and former employees, and “script kiddies” – youngsters who are having fun trying out their new computer skills, explains Ernie Hayden, Executive Consultant, Securicon.
“In the past, the “script kiddies” were the common attackers. However, today the very well trained and funded organisations including nation states, terrorist groups and organised crime are tending to be the predominant attackers. The reasons for these attacks are many. However, the primary reasons are due to politics, ideology and money.”
BAE Systems Applied Intelligence is monitoring a number of cyber-attack groups who are currently threatening the energy and utilities companies in this region. Simon Goldsmith, the company’s Director of Cyber Security in the Middle East, defines three broad categories of threats: cyber-criminality, cyber-activism and cyber-espionage and sabotage.
Cyber-criminals are generally driven by financial gain. Most attacks are widespread and not targeted; however, there are examples of sectors being targeted in intensive, highly organised campaigns, he says.
The energy and utilities sectors receive plenty of attention from activists, particularly on the topic of using fossil fuels, pollution, and pricing. Many activist groups are turning to cyber methods as it can enable more widespread publicity via the internet and doesn’t necessarily require having large numbers of people to make a high impact protest.
Within cyber-espionage and sabotage, motives are typically to gain a political or economic advantage. Impacts include theft of sensitive data and, increasingly, sabotage to disrupt systems or data thereby damaging capabilities for competitive or political reasons.
Protecting critical infrastructure
It goes without saying that industries of national importance, such as utilities, cater to critical public needs and must be protected at all costs. Cybercrime, which has the capability to wipe out sensitive and confidential data, costs the world economy billions of dollars for recuperation, investigation and disaster recovery procedures and revenue lost during data downtime.
“Comprehensive cyber security programs have never been more needed than they are today,” says Jay Abdallah, EMEA Cyber Security Manager, Schneider Electric. “In addition to the traditional hacker targets – large corporations and banks – the utilities sector is increasingly a focus. Hackers now target SCADA systems for weaknesses, seeking to exploit these industrial control systems and publishing related information online.”
Information technology experts are concerned about the number of cyber-attacks on the energy companies operating in the Middle East, adds Abdallah. As dependence on power grows, so does vulnerability to new cyber threats.
Simon Goldsmith, BAE Systems Applied Intelligence, echoes those sentiments. “During the coming decade, the energy industry in the Middle East is expected to execute projects worth some $1 trillion across the energy value chain,” he says. “The Middle East is also one of the driest and most water-scarce regions of the world. There is an unusually high critical importance placed on a relatively small number of energy and utilities organisations and their infrastructure.
“In many countries a serious security incident that disables part of an industry has an effect on the economy but here in the Middle East a cyber-attack on the energy and utilities industry is undoubtedly a more acute risk to both the economic and physical well-being of a nation.”
The advent of smart meters and grids will bring immense benefits for utilities but the connectivity they require may also offer more opportunities for attackers to steal information or cause disruption to the system, Goldsmith adds.
What is being done?
The cyber security market is taking a more predictive approach to troubleshooting and eliminating cyber attackers, as opposed to a reactive approach, says Schneider’s Abdallah. The global cyber security market is anticipated to grow by over 50% from $95.6bn last year to $155.7bn by 2019, at a compound annual growth rate (CAGR) of 10.3% from 2014 to 2019, according to a study by Markets and Markets.
“Companies offering cyber-security solutions are also focusing on awareness and dialogue related to persistent cyber threats all industries or individuals are facing,” he says. “The frequent commissioning of reports and surveys by leading technology and security companies will also highlight best practices, risk mitigation strategies and tips to recover from an attack and strengthen future technology systems.
“In addition, governments and regulation authorities are working to develop cybersecurity standards across the board, containing metrics to evaluate efficiency and reliability of various systems and their components.”
The cybersecurity industry is responding as best it can by offering security assessments that go beyond the classic piece of anti-virus software, says Securicon’s Hayden. The assessments are looking at vulnerabilities in physical security, cyber security and security program execution.
What you need to do
Hayden suggests a basic four-pronged approach to defending against cyber threats.
“First and foremost, accept the fact that you have already been breached by some sort of cyber-attack,” he says. “With this in mind you need to train your staff to be aware of email phishing attacks and other symptoms of cyber and physical security compromise. Secondly, set up and practice a cyber and physical incident response team and capability that not only isolates the attack but gets it out of the system quickly and effectively.
“Thirdly, be sure the company has an executive supporting cyber and physical security efforts. This executive is optimally the CEO and Board of Directors who then appoint and oversee a Chief Security Officer/Chief Information Security Officer to enact the tactical security program.
“Lastly, affiliate with quality and proven consultants and vendors who can assess your current security posture and make and prioritize recommendations for actions that need to be taken in the areas of people, process and technology.”
Companies must ramp up data management practices as a precautionary measure and be vigilant of gaps in technology standards with respect to the best in the market, adds Abdallah. Governmental and regulatory groups are implementing standards to protect the integrity of critical infrastructure. Companies must understand how these regulations apply to them, and take all necessary actions to avoid fines and protect their operations, he adds.
BAE’s Goldsmith says: “A modern security operation in a major utility should include threat intelligence to identify new attackers and their modus operandi, a strong set of policies and controls to lock down both the traditional IT and the industrial networks, an advanced analytics function to look for the tell-tale signs of more advanced attacks hitting the utility, and a 24/7 investigation and response group to quickly identify and counter threats.”
All of these issues will be discussed in depth at The Third ICS Cyber Security Energy Forum in Abu Dhabi from May 11-14. The event is being expanded to include utilities for the first time.