Cybercriminals are constantly on the lookout for new targets they can exploit for information and financial gain. In the past, this brought on the rise of enterprise hacking and attacks on other industries. Recently, however, research shows these virtual criminals are increasingly putting the technological systems of a new sector in their crosshairs: utility providers.
Just imagine the harm that could come from hackers having control of a nation’s most basic services – electricity, water and other important resources being governed by unauthorized sources could spell disaster, not only for individual clients, but for an entire area. This new cyber security vector brings real danger with it, and research illustrates that attacks on physical infrastructure have increased recently and will only continue to rise in the near future.
Threat of utility attacks: A global issue
According to Forbes contributor Kate Vinton, critical infrastructure systems including the electrical grid and water distribution are in need of some serious security overhauls to prevent the hacking threats currently impacting those sectors. What’s more, attacks on such targets receive far less attention than a data breach of a company in the private sector, which downplays the very real possibility of cybercriminals taking control of essential resources.
“With the increased convergence of cyber and physical worlds, attacks are no longer limited to office computers and networks,” Steve Durbin, Information Security Forum managing director, told Vinton. “They can now have physical impact in the real world.”
While the threat of such an attack is scary enough, Larry Ponemon, Ponemon Institute founder, noted that a worst-case scenario could be realized if organizations in charge of maintaining critical infrastructure systems are not adequately ready to face such an infiltration. In fact, a recent report from the Ponemon Institute and Unisys shows that there is a considerable protection gap in this sector.
The report, which included nearly 600 respondents operating in the utility, oil and gas, energy and manufacturing industries in 13 countries, shows that the vast majority have already dealt with an attack. Overall, 67 percent of participants said that within the past year, they’ve had “at least one security compromise that led to the loss of confidential information or disruption to operations.” Furthermore, although the report revealed that more than half – 64 percent – of organizations want to work toward attack prevention or anticipation, only 28 percent noted that security is within the firm’s top five priorities.
Even more worrisome are the report’s findings in connection with employee negligence. A significant number of the attacks seen in this industry – a total of 47 percent – resulted from negligence on the part of staff members. Despite these instances, a mere 6 percent of study respondents currently had training programs in place for their workers.
Vinton noted that a main finding of this report illustrates that attacks like this are not unique to certain countries – they are a global issue affecting firms in the U.S., the U.K., Brazil and other nations.
“Most of us are willing to take risks when it comes to security, only regretting it when we become the victims of an attack,” Vinton wrote. “The story of critical infrastructure security is part of a familiar narrative of the clash between old technology and new cyber threats, between government regulation and company motivation, and between cost and security – with security consequences unique to critical infrastructure.”
Critical infrastructure attacks in the U.S.: Threats to the energy sector
In the U.S. alone, there are 16 critical infrastructure sectors that all fall under the control of the National Cybersecurity Framework developed by the Obama administration in early 2014. According to Vinton, this was the administration’s answer to Obama’s executive order urging the “need to protect U.S. critical security.”
Despite these changes to governing policy, CNN reported that the energy sector – just one of the 16 subsets of America’s critical infrastructure – was attacked a total of 79 times in fiscal year 2014. Although this is a decrease from the 145 attacks that took place in 2013, it still illustrates the need for boosted protections to prevent such instances.
Overall, during the 12 months between April 2013 and 2014, nearly 40 percent of all energy companies were hacked. What’s more, these attacks were carried out via a range of approaches. One security firm pinpointed almost 50 different malware samples specially designed for breaching energy firms, according to CNN. This makes the energy industry the most targeted sector when it comes to spy malware.
“Our grid is definitely vulnerable,” security expert David Kennedy told CNN. “The energy industry is pretty far behind most other industries when it comes to security best practices and maintaining systems.”
Just to illustrate the prolific nature of this issue, CNN reported that in November 2014, a security firm discovered that the software used by one major energy provider in the U.S. was infected with spy malware. Worse still, the infected program was used for the operation of turbines, controllers and other machines and the malware had been in place for an entire year. This is yet another case of employee negligence within the critical infrastructure industry – further investigation showed that the infection came as a result of a single worker clicking a malicious link and willingly – yet unknowingly – downloading the spyware.
The main problems: Outdated technology and undereducated staff
Although a lack of employee education is a main issue with threats to this sector, CNN revealed that many industrial systems in the U.S. are still operating on outdated technology – some of which dates back to the 1970s. In this way, the systems simply aren’t sophisticated enough to stand up to today’s hacking techniques.
Currently, the Department of Homeland Security and the Federal Bureau of Investigation are touring 12 main U.S. cities to communicate just how serious the threat to utilities is.
Overall, better protection boils down to the need for updated technology and staff training. As the energy sector and other critical utility providers upgrade their systems, they must ensure that employees have the knowledge and ability to respond to threats and mitigate the damage of cybercriminal activities.