Alert Logic’s State of Cloud Security Bulletin, based on a six-month study period of customer data, examines the rise of cyber-attacks targeting the energy sector – an industry thought to be particularly at risk due to the highly confidential and proprietary information it possess, as well as the prevalence of bring-your-own device (BYOD) and contractor access.
Based on data from the US Department of Homeland Security’s (DHS) Industrial Control System-Cyber Emergency Response Team (ICS-CERT), 41% of malware attacks reported last year were made on the systems of energy companies, like grid operators and natural gas pipeline companies. Although the overall number of incidents reported was relatively small – 198 – the proportion aimed at energy was not. The sector receiving the next highest number of threats (internet-facing industrial systems) experienced only 11% of them.
“The energy sector is a big part of the global economy and therefore has extremely high-stakes security risks compared to other industries,” said Stephen Coty, director of security research with Alert Logic, in a statement. “Daily survival of the population and businesses alike depend on the availability of energy resources, making energy companies a prime target for hackers.”
In its own analysis, Alert Logic found that between January 1 and May 23, 2013, there were 8,840 incidents among its energy sector customers. When compared to Alert Logic’s overall customer set, the energy sector is at an elevated risk of brute force and malware/botnet attacks in particular. A majority (67%) of energy companies said that they experienced brute force attacks, versus 34% of entire customer set.
Attackers look for opportunistic points of vulnerability in networks housing confidential business information and breaches of geophysical data, in particular, are intended to damage or destroy the data used in energy resource exploration. Brute force attacks are also used to steal a company’s intellectual property for the purpose of industrial espionage.
Meanwhile, 61% of energy companies experienced malware/botnet infiltration attacks, versus 13% of entire customer set. These attacks seek access to physical infrastructure systems that control pipelines and other key energy plant operations – an issue that’s particularly piquant in energy where technologies such as SCADA systems are vulnerable to hacking, and the emerging business practices of BYOD (bring your own device) and BYOA (bring your own applications) in the workplace can be damaging carriers of viruses and other malware.
“Unlike an attack on an e-commerce site or SaaS application provider, a malware infiltration attack on an energy company could grow to catastrophic proportions if hackers were able to block or flood the oil and gas pipeline infrastructure,” Coty said. “This industry doesn’t see the typical web application attacks. It experiences a greater magnitude of security threats that could have global repercussions for years to come.”
The report observed that the first half of the year saw some notable incidents. In early 2013, hackers breached the US Department of Energy, compromising 14 servers and 20 workstations, and making off with the personal identification of several hundred employees and contractors. Also in 2013, JEA, a major Florida utility, was the victim of a distributed denial-of -service (DDoS) attack that shut down its online and telephone payment systems.
In May 2013, it was reported that hackers backed by Iran have been mounting an increasing number of cyber-attacks on energy companies, and had successfully accessed the control-system software that could enable them to sabotage oil and gas pipelines. And earlier in that month, two congressmen released a report on a survey of 150 power companies. The survey revealed that “more than a dozen utilities reported ‘daily,’ ‘constant’ or ‘frequent’ attempted cyber-attacks.”
Alert Logic said that for attackers, energy offers an attractive risk-reward profile. “It is precisely the value of energy-related information that makes it such an attractive target,” the report said. “The attractiveness is especially heightened when it comes to emerging technologies around fracking to extract natural gas and light tight oil from shale. While there are ample ‘business’ reasons for targeting energy companies, there are even more insidious reasons lurking. For entities (state or non-state actors) bent on conducting cyber-warfare, the opportunity to inflict catastrophic damage on a nation by attacking its energy infrastructure is highly enticing.”
To help companies meet the specific security challenges of the energy sector, recommendations include enhancing existing security strategies with multi-layer security practices, monitoring and defensive technologies to identify and stop cyber-attacks, as well as raising security awareness among employees.