
Planning for increased cyber risks to operational technologies


Synopsis

As organizations adopt more and more technology, they need to be aware of the risks and threats that come along with the change. Our whitepaper outlines four key challenges and strategies for overcoming them.

The adoption and evolution of technology has unlocked incredible value and created a bright future across the energy and utilities sector. However, there are storm clouds rolling in. Over the coming years, energy and utilities organizations should expect to see an increase in cyber attacks. Cyber criminals view the sector as an attractive target because of its lagging preparedness and the depth of customer data it holds.

Research from intelligence agencies suggests cyber criminals are improving their capabilities to attack energy and utilities organizations, emphasizing the urgency of the situation.

Your organization could be at risk. The adoption of work-from-home tools has created new cyber security issues and some organizations have not assessed for new vulnerabilities because their attention is focused on navigating the pandemic.

Our team is here to help. In the following whitepaper, we’ll discuss the expected increase in cyber crime and how your organization can adapt to protect yourself, your technology, and your consumers.

The four key challenges

An expected rise in operational technology targeting and compromise

As political powers and organized crime groups come to realize the full potential of cyber attacks to impact operational technology, the rate of these incidents will increase. Traditionally, cyber attacks have been espionage-related, with the attacker aiming to obtain research and close a competitor's advantage.

It is now routine for attacks to directly compromise operations, resulting in operational failure and destruction. In the TRISIS attack of 2017, malware authors and attackers specifically targeted Schneider Electric's Triconex safety instrumented system (SIS), a system whose failure can result in significant physical damage.

The Canadian government's intelligence and security arm, the Communications Security Establishment (CSE), is also advising of increased threat levels. In its National Cyber Threat Assessment 2020 and its Cyber Threat Bulletin for Canada's electricity sector, the CSE states that "cyber threat actors are almost certainly improving capabilities to exploit industrial control systems (ICS)."

The threat landscape for organizations supporting operational technology is also increasingly complex and deep. Attackers are pinpointing points of compromise in the supply chain for physical units and software, so a product may already be compromised before the organization receives it. This gives attackers a seamless foothold in the environment as soon as the unit or software is deployed.

This increased targeting, capability, and threat complexity can be handled effectively by addressing known risks and gaps, and by deciding the organization's next moves before the attacker makes their play.

Ransomware increasingly capable of adversely affecting Operational Technology (OT)

Ransomware is a staple of an attacker's weaponry against information technology-driven corporate environments. These environments revolve around financial processes, customer and partner web services, and communications.

As attackers become more capable of compromising operational technology, the risk of ransomware infecting these technologies rises with it.

Though controls are being implemented to prevent and mitigate ransomware incidents, these controls are not keeping pace with attacker capability, and organizations need to be more progressive in adopting new controls.

The consequences are increasingly significant. The Canadian government reports in its National Cyber Threat Assessment that from 2018 to 2020 the average ransom demand increased by over 1500 percent, from approximately $9,000 to $150,000 CAD. The data was gathered largely from corporate environments, since they are the most common targets.

Widespread compromise of operational technology has already been foreshadowed: the recent ransomware variants "EKANS" and "MegaCortex" have been found to include modules built to interrupt industrial control systems.

To reduce the susceptibility and impact of ransomware across the corporate and operational technology environments, the organization must meet the challenge of increased targeting and capability by improving threat-aware detection, environment redundancy, and deployment approaches beyond traditional methods.

Effective incident response planning and practice

Business resiliency and contingency planning in the critical infrastructure space have addressed environmental, organizational, and operational impacts very well. These types of risks are well known and have existed for a very long time.

However, cybersecurity impacts on systems, delivered through computers and the Internet, are a relatively new risk for contingency planning, and one that organizations have underprepared for or have not considered thoroughly.

Effective incident response planning is a program that thoroughly considers technologies, risks, the threat landscape, staff structuring, vendor resources, physical locations, and the organization's culture. A fundamental component of this program is developing the policy, plans, playbooks, and procedures that define the expected response to anticipated incidents, and then practicing them.

Energy and utilities organizations have an opportunity to improve their response planning and practice now, establishing a solid foundation from which they can build as threats adapt and evolve.

Enhancing data governance  

As the world becomes more digital, data is the new oil. For many organizations, collecting, using, and sharing personal data is an integral part of interactions with customers, employees, suppliers, and stakeholders.

At the same time, organizations are looking to leverage transactional data for secondary uses: to develop new products that meet growing customer needs, to improve the customer experience, or to gain insight into business operations and increase efficiency.

The consolidation of data into data lakes (centralized repositories for storing all structured and unstructured data) and the use of new technologies such as data analytics and AI make these repositories more attractive to attackers. Given the continuing escalation of cyber attacks and breaches, organizations are at growing risk of this data being compromised, and of suffering significant financial, reputational, and competitive damage as a result.

Privacy legislation has also seen significant changes around the world, led by the European Union (GDPR), California (CCPA), and, most recently, Canada (PIPEDA). Customers are more aware of their privacy rights and demand that new products and services have privacy and security embedded in them. Organizations operating in multiple jurisdictions face additional challenges in meeting their regulatory and legal obligations and could face significant fines in the event of a compromise.

To ensure that customer privacy is preserved and data is used in a responsible and ethical way, organizations need to enhance their approach to data governance. They need to develop a good understanding of their data, assign ownership, maintain data and system inventories, and map their regulatory and legal obligations, so that they can develop processes and practices that support decision making and consistent implementation when developing new products or extracting value and insight from the data. Having effective privacy program management in place allows the organization to understand and manage its privacy risks.

How to adapt and overcome

Understanding and acknowledging organizational cyber risks is the first step to improvement. Where organizations tend to run into issues is developing a plan and executing it. Some organizations don’t know where to start. Others lack the internal skillset to take on the task.

MNP’s team can help. Here’s how.

Asset discovery

We determine the assets your organization is using so you can properly secure the environment and build effective plans for incident management, vulnerability and patch management, and build/hardening standards. Once assets have been identified, the inventory also helps uncover any rogue devices in the environment that could be used to breach it.

Red teaming and penetration testing

Red teaming is an exercise where your organization undergoes a simulated cyber attack to identify gaps in your organization’s security program. These tests ensure the developed plans are being implemented and verify that vulnerability and patch management and build/hardening standards are being followed in the environment. Results of the engagement are compared over time to ensure remediation actions are being implemented.

Ransomware readiness assessment

This solution provides methods to significantly reduce susceptibility and impacts of ransomware on both the IT and OT environments. We analyze how organizational controls and processes catch ransomware precursor and deployment indicators and highlight potential improved methods for handling ransomware if it were to occur.

Privacy and data use governance assessment and roadmap

We help organizations understand their legal and regulatory requirements based on their jurisdictions of operations. Once we understand the requirements, we work with you to develop data inventory and data flows, review current policies and practices, and develop a roadmap for building an effective privacy governance program. The penalties for non-compliance are stiff, and the rules can be complicated. Our team makes it easier to meet regulations and protect your organization.

Start building your cyber security system

The average breach detection time for most organizations is six months. In that time, the consequences can be significant. You can't afford to leave your organization vulnerable.

To learn how MNP’s Technology Solutions team can help your team, contact Adriana Gliga-Belavic, CISSP, CIPM, PCIP, Partner, Cyber Security and Privacy, at [email protected] or 647.480.8489.
