In recent years the number of organizations that have been subject to malicious cyberattacks has been on the increase. Organizations as disparate as the Estonian government and the Japanese electronics giant Sony have all had to cope with what is rapidly becoming the inevitable cyberattack.

The high-profile nature of attacks such as these has raised awareness levels around the world. In February this year U.S. President Barack Obama made it clear that cyberterrorism and threats against the country’s energy suppliers were the biggest threats the country faced.

Unsurprisingly, there has recently been a surge in demand from companies across the energy sector for indemnity against such attacks. However, according to a recent report by Lloyd’s of London, many insurers are now refusing to cover U.K. energy companies because in their assessment, companies’ cyberdefenses are simply inadequate when compared to the threat that exists.

No substitute for security

The challenge laid down by the insurers to the energy companies is simple: Insurance is no substitute for security.

As one of the world’s leading defense contractors, Lockheed Martin faces the challenge of cybersecurity on a daily basis. As the developer of such iconic aircraft as the F-117 Nighthawk and the new F-35 Lightning II, the company is a high-profile target for cyberattackers of various types.

It has learned, and continues to learn, the hard way about what it takes to secure an operation from the advanced persistent threat that surrounds it today.

Consequently, it is in turn able to offer cybersecurity services to its customers in various markets, including the energy sector.

Each day Lockheed Martin monitors, investigates, learns from and prevents attacks against its own global infrastructure. This has led to a different way of thinking when it comes to cyberattacks. It can recognize the steps that would-be attackers need to take before they can launch their assault, allowing it to mitigate an attack before it happens.

Turning the tables

Traditional approaches to cyberdefense start from the basic premise that to be successful, an attacker needs to breach the defenses only once, while the defender needs to be successful every single time.

This mentality is ultimately defeatist in its outlook but, more importantly, it isn’t actually accurate. Turning the tables on the traditional thinking about cyberdefense, the Cyber Kill Chain, created by Lockheed Martin in 2009, offers an alternative approach.

The Cyber Kill Chain allows a cyberattack to be turned upside down by mapping an adversary attack into its component stages, beginning with research into their target (reconnaissance) through the development of an attack mechanism (weaponization) on to the sending of an email or link to a compromised website (delivery).

Lockheed Martin then considers how the malicious payload exploits a vulnerability on the target system (exploitation) through to installing the payload on the target system (installation) before assessing how that software is controlled (command and control) and finally looking at how the adversary is able to either steal proprietary data or shut down equipment (actions on objectives).

The Cyber Kill Chain shifts the balance of power from the attacker to the defender. Companies move from a position where, as defenders, they are doomed to fail to one where they can put barriers in place across the various stages, achieving defense in depth. Defenders need to succeed at only one of the stages to stop an attack, while the attacker has to get it right through all seven stages.
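
The stage-by-stage view described above can be applied to alert data, as in this added example, which is not Lockheed Martin's code: it finds the stage where each intrusion was stopped and the earlier stages that produced no alert. The stage names come from the article; the campaign IDs, outcome labels and sample alerts are constructed assumptions.

```python
from collections import defaultdict

# The seven stages, in the order the article lists them.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command and control", "actions on objectives"]

# Constructed sample alerts: (campaign, stage, outcome). "blocked" means a
# control stopped that step; "detected" means it was seen but succeeded.
SAMPLE_EVENTS = [
    ("C1", "delivery", "detected"),
    ("C1", "exploitation", "detected"),
    ("C1", "installation", "blocked"),
    ("C2", "reconnaissance", "detected"),
    ("C2", "delivery", "blocked"),
    ("C3", "delivery", "detected"),
    ("C3", "command and control", "detected"),
    ("C3", "actions on objectives", "detected"),
]

def analyze(events):
    """Per campaign: where the chain was broken and which earlier stages
    produced no alert at all (visibility gaps worth instrumenting)."""
    seen = defaultdict(dict)
    for campaign, stage, outcome in events:
        if stage not in STAGES or outcome not in ("blocked", "detected"):
            raise ValueError(f"bad event: {(campaign, stage, outcome)}")
        # A block at a stage outranks a detection at the same stage.
        if seen[campaign].get(stage) != "blocked":
            seen[campaign][stage] = outcome
    report = {}
    for campaign, stages in seen.items():
        broken_at = next((s for s in STAGES if stages.get(s) == "blocked"), None)
        # Look back from the break, or from the deepest stage observed.
        limit = (STAGES.index(broken_at) if broken_at
                 else max(STAGES.index(s) for s in stages))
        report[campaign] = {
            "broken_at": broken_at,
            "blind_stages": [s for s in STAGES[:limit] if s not in stages],
            "attacker_succeeded": broken_at is None and STAGES[-1] in stages,
        }
    return report

if __name__ == "__main__":
    for campaign, result in analyze(SAMPLE_EVENTS).items():
        print(campaign, result)
```

A campaign with "broken_at" set was stopped by a single control, while its "blind_stages" show where an earlier barrier could have been placed.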

Energy industry-specific virus

But cyberdefense isn’t simply an IT challenge; it also is a challenge for operational technology (OT).

The Stuxnet worm was discovered in 2010 after a number of investigations into OT malfunctions at several industrial plants and factories. Stuxnet was one of the first viruses designed to target those systems that are responsible for the control of industrial processes and operations. Where Stuxnet led, others followed. For example, the Shamoon virus set out to specifically target infrastructure in the energy industry, successfully striking at least one major organization in the sector. For obvious reasons companies were reluctant to acknowledge just who had been affected, but the situation was clear: A new era of cyberattacks was beginning.

As the operators of elements of critical national infrastructure, today’s energy companies find themselves on the front line of the cyber war. Whether the threat is state-sponsored cyber warfare, cyberterrorism or simply malicious or criminal behavior, the impact that compromising an energy company can have makes it a highly prized target.

Cultural divide

While IT-based security processes and systems will eventually direct day-to-day OT security operations, that is not about to happen in the short term. Energy companies must look to address their security not just from an IT perspective but also from the OT perspective. It is crucial that the cultural divide that has existed between OT and IT staff is bridged—and bridged quickly.

There are other ways energy companies can secure their infrastructure. This could be by using Palisade, a cybersecurity intelligence management product capable of integrating with existing corporate security environments to deliver wide visibility of IT assets and critical network infrastructure, or a cybersecurity managed service offering such as Advanced Threat Monitoring. This is where state-of-the-art hardware, software, advanced sensors and process innovation are combined with the expert tradecraft of analysts who identify and manage high-confidence threat indicators.

But IT and OT are just two sides of the triangle. Energy companies also must look to address the greatest cybersecurity challenge: the human.

Lockheed Martin has seen first-hand that modifying employee behavior is a critical factor in preventing many compromises of computing assets. Its own response to this has been “The I Campaign.” Not only does it educate employees on risky behavior and individual responsibility, it is able to measure improvements and make adjustments throughout the program. It is certainly a plan that energy businesses could follow.

Looking to the future, it is clear that the energy industry will remain on the front line of the new cyber war. The number of attacks will increase, and the insurance industry is simply no longer willing to insure against the inevitability. The challenge, therefore, is to seek to protect against the attack before it occurs.