Cyber Defense

Chris Swagler | February 28th, 2024


Geopolitical risk has shifted governments’ focus to the cyber defense of their resources and energy supplies, but another threat to critical commodities is on the rise: breaches followed by ransom demands. In recent years, threat operators have expanded their attacks on industrial targets in the oil and gas, water, and mining sectors, intending to disrupt critical infrastructure, steal data, and demand large sums of money for its return. Two high-profile examples are the 2021 ransomware attack that shut down America’s Colonial Pipeline, which supplies fuel to much of the United States east coast, and, later that year, a data leak from oil giant Saudi Aramco, which was followed by a $50 million ransom demand. Additionally, White House national security officials have acknowledged Iranian threat operators’ cyberattacks on state water authorities, describing them as a call to action for utilities to strengthen their cybersecurity. International mining groups, including Australian iron ore miner Fortescue Metals, are increasingly targeted by cybercriminals. The industry’s Mining and Metals Information Sharing and Analysis Centre reported an average of two to three cybersecurity incidents per month, double the rate reported last year.

Saudi Aramco’s data ransom demand wasn’t the first it had faced. In 2012, the oil company was a ransomware victim, with 35,000 computers infected and daily operations disrupted. Saudi Aramco has since signed a cooperation agreement with Dragos, an operational technology security company, to help secure its critical infrastructure and assets. According to a chief information security officer at a national law firm, the Aramco cyber incidents demonstrate that cybersecurity is no longer a luxury but a requirement for all companies. Aramco’s cyberattack, and the more recent data leak, highlight the scale of the threat that global industries face. Cyberattacks against physical processes in the industrial sector can cause more than just financial loss.

A global cybersecurity adviser from a cybersecurity software company stated that they can also cause machinery damage, production stoppages, or risks to human safety. Integrating information technology and operational technology systems, in which IT systems manage virtual assets, including data and software, and OT systems control physical environments, including water pipelines, can increase cyber risks. The increased vulnerability has posed a significant challenge to industrial companies. Companies can reduce risks by isolating critical systems through network segmentation, which divides large computer networks into smaller ones, and by updating security procedures as frequently as possible. In addition to IT and OT vulnerabilities, industrial companies are urged to be aware of insider threats, which can involve both intentional and unintentional actions by employees or contractors with access to vital systems. Companies can identify insider threats by fostering a culture in which everyone knows how their colleagues operate.

Employees, on the other hand, can unintentionally contribute to the threat and make systems vulnerable to cyberattacks by introducing malware by accident or failing to follow security protocols. Providing cybersecurity training can help mitigate the risks. Ransomware attacks, in which threat operators steal sensitive data and threaten to publish it online unless the victims pay the ransom, are the most common threat to large industrial companies from commercial threat operators. One head of industrial control systems within the cyber response team of a security company noted that every sixth ransomware attack disrupts production lines or deliveries. Ransomware attacks on large companies, product suppliers, and logistics companies can have severe economic and social consequences. The potential evolution of cyber threats into infrastructure attacks, like the Colonial Pipeline incident in 2021, is likely to amplify the repercussions. Employers can help prevent ransomware attacks by training employees to recognize phishing emails with suspicious links and attachments, which are used to distribute the ransomware.

The interconnected nature of energy and industrial companies and the various technologies they utilize are increasing the attack surface and the number of potential unauthorized entry points. Video surveillance and communications systems, as part of day-to-day operations, can face cyber risks on many fronts. Companies can strive to limit the risks by adopting digital protective measures, including firewalls, cyber probes, and security information and event management systems, which allow them to collect and monitor data as it moves across platforms. Investing in a security operations center (SOC), which consists of a team of internal or external cybersecurity professionals, allows companies to detect and mitigate potential cyberattacks. One approach can involve analyzing active feeds, establishing rules, identifying exceptions, improving responses, and monitoring potential vulnerabilities. However, industrial companies’ OT systems are sometimes outdated and have specialized vulnerabilities that are difficult to detect or patch. This can make these companies an appealing target for nation-state actors, cybercriminals, and other threat operators.

Severe industrial cyberattacks, including cases like the Colonial Pipeline incident, will increase over time unless companies take the necessary precautions to improve their cyber defense. An urgent change in mindset and strategy is still required throughout the industrial landscape. It’s recommended that companies address both physical and cyber vulnerabilities as part of a single unified plan to strengthen their cyber defense. Additionally, companies need to stay aware of the latest threat landscape and regularly update their networks’ security infrastructure and cyber defense. At SpearTip, our tabletop exercises help companies determine their maturity in responding to a breach. We take real-world threats and apply them to their current exercises to ensure there are no single points of failure. With our security architecture review, we assess the overall risk of your security architecture by determining security maturity based on the effectiveness of current security controls and providing recommendations on how to comply with modern security frameworks. This assessment takes a more granular approach to aligning with the NIST framework. A roadmap of recommendations is provided to schedule checkpoints for you to address any gaps discovered. Our team deploys ShadowSpear into clients’ environments, then monitors and investigates potential Indicators of Compromise (IoCs) to uncover the presence of malicious threat actors.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
