Energy and utility corporations (E&Us) are a linchpin of our modern economy. They’re also fast becoming a favoured target for cyber criminals. A poor security posture has the potential to compromise billions of dollars in personal, payment, or proprietary information. And, with cyber terrorism and state-sponsored attacks on the rise, there’s also growing concern that malicious actors could destabilize large swaths of the national grid.
This makes continued investment in cyber maturity far more than a strategic imperative: it is a perennial matter of national security. And its importance will only increase as Canada becomes more digitized, electrified, and dependent on robust, resilient, and reliable sources of power.
We have the pieces in place; now what?
MNP has been working with one of Canada’s largest E&Us for the past several years to help enhance and mature its cyber security posture. We previously collaborated on a Maturity Threat Assessment, which involved a comprehensive review of their entire business, competitive, governance, and technology landscape and helped to identify:
- Assets most at risk of an attack,
- Areas within their infrastructure where a breach was most likely to occur,
- Key gaps in their technical controls, policies, procedures, and training, and
- Optimal allocation of cyber security funding and oversight.
Our assessment helped the client understand key vulnerabilities in their technology systems, and where they would get the greatest return on their cyber security investments. Most importantly, it allowed the organization to target specific, cost-effective improvements. The result was greater peace of mind that their team, customers, and systems were all optimally (though not necessarily universally) protected from the attacks they were most likely to face.
Having put our recommendations in place, the client’s leadership approached us about a year later to find out whether their improved focus and enhanced controls were delivering the expected level of resilience. Rather than waiting for a breach to come to them, the client wanted MNP to penetration test their systems — which we call a Red Team Exercise or, in essence, a simulated cyber attack.
What follows is a step-by-step overview of our approach, which we try to keep as close to a real-world scenario as possible.
Step 1: Assess physical security and workplace habits
A single cursory site visit can reveal an astonishing amount about an E&U’s cyber posture. Even without sitting down at a computer monitor, our team was able to evaluate a wide range of security factors and gauge many of the client’s potential vulnerabilities, including:
Ease of access / quality of physical security: How easy is it to access common working areas and infrastructure? Are doors locked and functioning properly? Are employees consistently greeting, logging, and supervising guests or contractors while on premises? Do team members frequently share swipe passes / is tailgating a common practice?
Security education, training, and awareness (SETA): Do employees consistently lock workstations when away from their desks? Do employees share or discuss sensitive information in common areas? Are sensitive information and / or systems visible to visitors in common areas?
Network security and access: Is guest wireless access adequately firewalled and/or segmented from sensitive networks? Are there adequate restrictions and multifactor authentication requirements to access sensitive wired / wireless networks? How forthcoming are employees with passwords? Are employees accessing or disseminating information on unsecured guest networks (e.g. smartphone, tablet, etc.)?
Step 2: Test existing controls to understand efficacy and resilience
Leveraging both the information gathered in step one and the common attack techniques used by cyber criminals, our team then attempted to penetration test (i.e. breach) the E&U’s information technology (IT) and operational technology (OT) systems. Some common avenues through which we typically seek to gain access include:
Known vulnerabilities / patches: Have the organization and its employees been vigilant in updating software and firmware to take advantage of the latest security fixes and features? These so-called zero-day vulnerabilities are a common point of access for many breaches.
Build / hardening standards: Has the organization taken adequate steps to configure firewalls, servers, switches, and routers in line with the most recent standards? Has it changed default passwords, adequately encrypted stored passwords, and adequately restricted access privileges? Are disused or outdated hardware and software still connected to the network?
Encryption standards: Does all information that flows in, out, and through the network meet industry encryption standards? Do any gaps and / or shortcuts in encryption allow malicious actors to harvest information or gain access to the network?
Social engineering: How effective are team members at identifying and reporting malicious emails? How many (if any) login credentials were harvested from a simulated phishing attack? Are current education and warning measures adequate to prevent a social engineering breach?
Step 3: Map potential spread and infrastructure vulnerabilities
The final step in our process always works on the assumption that we’ve managed to gain access to our client’s systems. Whether we actually did is less important than what happens next — because it can mean the difference between a near miss and a potential catastrophe down the road.
It all comes down to one question: Is the client operating on the assumption that they can (and eventually will) be breached?
Properly segmented IT and OT systems are essential for slowing and, ideally, preventing a breach from spreading to other high-value systems. Keeping critical systems independent from one another helps to minimize the potential damage of any given cyber incident. It also buys critical hours to recognize the breach and trigger an incident response plan to contain the attack and ultimately recover the systems.
For example, if a team member inadvertently installed a ransomware program on a local business network, that same software should not be able to replicate into a nearby control room. If an attacker manages to access a single transformer station, they should not be able to also access every other transformer station on the grid. If one database becomes compromised, it should not provide a pipeline to every sensitive database across the organization.
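As an added illustration of the segmentation principle above (not the client’s network or MNP’s own tooling), the following Python script checks a constructed flow log against a zone allow-list and flags any permitted cross-zone flow that the segmentation design does not sanction. All zone names, addresses, ports and flow records are hypothetical.

```python
import ipaddress

# Constructed zone map and allow-list; zone names follow the article's scenarios
# (business network, control room, transformer stations, databases).
ZONES = {
    "10.10.0.0/16": "business_lan",
    "10.20.0.0/24": "control_room",
    "10.30.1.0/24": "transformer_a",
    "10.30.2.0/24": "transformer_b",
    "10.40.0.0/24": "db_billing",
    "10.40.1.0/24": "db_customer",
}
# Cross-zone flows the segmentation design permits: (src zone, dst zone, port).
# Every other permitted cross-zone flow means the design is not holding.
ALLOWED = {
    ("business_lan", "db_billing", 5432),      # billing app to its own database
    ("control_room", "transformer_a", 20000),  # SCADA master polls each station
    ("control_room", "transformer_b", 20000),
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "unknown"

def find_violations(flow_lines):
    """Return permitted cross-zone flows not in ALLOWED, as (src, dst, port).
    Lines are 'src_ip dst_ip dst_port action' (constructed flow-log format)."""
    violations = []
    for line in flow_lines:
        src, dst, port, action = line.split()
        if action != "permit":          # a denied flow means the control held
            continue
        s, d = zone_of(src), zone_of(dst)
        if s != d and (s, d, int(port)) not in ALLOWED:
            violations.append((s, d, int(port)))
    return violations

# Constructed sample flows covering the article's three "should not" cases.
SAMPLE_FLOWS = [
    "10.10.5.23 10.40.0.10 5432 permit",   # allowed: billing app to billing DB
    "10.10.5.23 10.20.0.15 445 permit",    # business LAN reaching control room
    "10.20.0.15 10.30.1.5 20000 permit",   # allowed: SCADA master to station A
    "10.30.1.5 10.30.2.5 20000 permit",    # station A reaching station B
    "10.40.0.10 10.40.1.10 5432 permit",   # billing DB reaching customer DB
    "10.10.5.23 10.30.2.5 20000 deny",     # blocked: business LAN to station B
]
```

Run against real flow logs, the same check turns the "assume breach" question into a concrete, repeatable test: every line it reports is a path along which an incident in one zone could reach another.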
It’s always better to know
The average breach takes more than six months to detect. Thankfully for our E&U client, we were able to complete our Red Team exercise, issue a comprehensive report on our findings, and offer a wide range of action items in a similar timeframe — and with none of the legal or reputational damage.
As with nearly every organization we work with, our specialists were able to spot and leverage several gaps and eventually succeed in the breach. However, thanks in large part to the client’s significant recent investments, we were severely limited in what we could access and in the amount of damage we were able to (theoretically) cause. Most importantly, the client was able to action our feedback to immediately patch the vulnerabilities we had exploited.
Consider how much data your organization collects, processes, shares, and stores on your network every day, every week, every year. Six months is a long time for a cyber incident to go undetected, to say nothing of the potentially hundreds of thousands of dollars in fines and the many years of regulatory hurdles to overcome thereafter. It’s always cheaper and easier to test your vulnerabilities and find out where you stand now.