The energy sector provides and maintains the critical infrastructure that is essential for our daily lives. From heating and powering our homes and offices to fueling vehicles that permit us to travel across the globe, energy is a vital resource. But with an ever-increasing reliance upon technology within the energy sector, the risk of cyberattacks is also increasing. With this in mind, the energy industry needs to ensure steps are taken to boost its security, particularly as the threat of nation-state attacks continues to rise.
What is a nation-state attack and why is the energy sector at risk?
A nation-state attack is a type of cyber attack that is carried out by a state-sponsored actor on another nation’s computer networks.
These attacks can be used to disrupt government operations, steal sensitive data, or even cause physical damage. Nation-state attacks are usually highly organized and sophisticated and can be difficult to detect and defend against due to their complexity.
With that in mind, it’s no surprise that a nation’s energy sector would become an attractive target for different types of threat actors, each with its own reasons and goals.
Nation-state actors are particularly interested in the energy sector for economic and geopolitical reasons; it is a vital infrastructure that could be used as a weapon against an adversary.
For example, a nation-state may target the energy grid of a rival country to cause a blackout, which could be used to weaken the adversary’s economy or its military capabilities.
Hacktivists may direct their attacks against the energy sector to publicly display their opposition to the industry’s activities for environmental or ideological reasons, and cybercriminals may be attracted to the energy sector purely for financial gain.
What are the primary methods of attack?
Threat actors use a variety of methods to attack the energy sector. One of the most common vectors used for initial access is phishing or spear-phishing.
Threat actors use a variety of lures to induce their victims to click on a link or download a file. For example, emails may be crafted around topics such as health care, job postings, holiday entitlements, or password policies.
If a user then clicks on a malicious link or downloads a malicious file, malware could be installed on their system.
Another variation on this theme would be a phishing email asking the victim to confirm their identity by entering personal data; threat actors could then use this data to directly access corporate resources within the security context of the victim or to perform a password reset of the victim’s corporate account.
It’s also worth mentioning that the infrastructure utilized by companies within the energy sector is often complex, and geographically diverse, presenting a large attack surface area that can be difficult to secure. Their networks also often contain a mixture of both cyber and physical infrastructure such as SCADA (Supervisory Control and Data Acquisition) systems, which were not designed with internet connectivity in mind.
SCADA systems are a type of operational technology (OT) that can be used to control and monitor the physical processes, devices, and infrastructure involved in energy production and distribution.
These systems have often been upgraded to enable internet access, or have had their interfaces exposed via the web in ways that were not anticipated when the system was initially deployed. As a result, these systems may lack the security controls necessary to protect against cyberattacks.
Stuxnet and Pipedream: a nation-state attack case study
Stuxnet was a malicious computer worm that was first identified in 2010 and was considered to be one of the most sophisticated pieces of malware ever created.
Stuxnet was developed using several advanced techniques; it was able to spread rapidly through networks and was not detected by traditional antivirus software.
It is widely believed that Stuxnet was designed by a nation-state to disrupt Iran’s nuclear program. It targeted industrial control systems (ICS), more specifically the centrifuges used to enrich uranium in nuclear facilities in Iran.
The Stuxnet worm was able to attack these systems, causing physical damage to the centrifuges themselves.
This attack first targeted companies that were involved in some way with the industrial control systems used within the Natanz nuclear facility in Iran. These companies were chosen because they had physical access to the Natanz facility, whose industrial control systems were air-gapped.
The Stuxnet worm typically spread via infected USB flash drives, which was the initial vector employed to infect employees of the third-party companies. The worm then infected the industrial control systems within the Natanz nuclear facility when the third-party contractors physically visited the site.
Stuxnet has been described as a game-changer in the world of cyber warfare. It demonstrated the potential for cyberattacks to cause physical damage to critical infrastructure and raised concerns about the vulnerability of industrial control systems. The discovery of Stuxnet led to increased attention and investment in cybersecurity for critical infrastructure around the world.
Since Stuxnet, cyber threat actors have focused more on malware designed to target industrial control systems (ICS). In 2021, a modular ICS-specific malware known as Pipedream was identified. Pipedream is multi-stage malware that is designed to infiltrate a system, gain persistence, and then execute commands on behalf of the threat actor.
The initial vector for distributing Pipedream was via phishing emails that contained a malicious attachment, which if opened by the victim would download additional components and establish a persistent connection to the threat actor’s command and control infrastructure, granting the threat actor the ability to remotely control the infected system and execute commands.
How leaders in the energy sector can shore up their defenses
With threat actors now actively developing tools that specifically target infrastructure such as industrial control systems, it is critical that organizations within the energy sector invest in cybersecurity to ensure they are equipped with the tools, skills, and expertise needed to identify and protect against cyberattacks.
Key areas for the industry to focus on include:
- Security awareness training – Training and educating employees about the common attack vectors used by threat actors, such as phishing and spear phishing, and about cybersecurity best practices, covering both technical and process-based controls, why they are necessary, and how they help to mitigate cyber threats.
- Strong access controls – Implementing strong access controls, such as multi-factor authentication (MFA) and privileged access management, can help prevent unauthorized access to critical systems.
- Regular security assessments – Performing regular vulnerability scanning, penetration testing, and cyberattack simulations can help to identify weaknesses and gaps in the security infrastructure and process-based controls and facilitate remediation.
- Business continuity and incident response planning – Developing, implementing, and regularly testing a business continuity and incident response plan can enable a faster recovery time and help to minimize the impact and damage caused by a cyberattack.
- Security monitoring and alerting – Implementing and maintaining a security monitoring and alerting solution configured to alert upon activities and events falling outside of a known baseline.
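The last point, alerting on activity outside a known baseline, is the one most easily shown in code. The example below is added here and is not part of the original article or any vendor's product: it learns a baseline of network flows from a "known-good" learning window on a control network, then checks a later observation window against it and explains each deviation (an unknown source host, a destination outside the known host set, or a new flow between otherwise known hosts). The flow-log format, hostnames, IP addresses, ports and log lines are all constructed for illustration; the Modbus port 502 and DNP3 port 20000 appear only as plausible ICS traffic, and a malformed line is included to show that unparseable input is reported rather than silently dropped.

```python
"""Baseline-deviation alerting over constructed OT network flow logs.

Added example, not from the original article. All hosts, ports and log
lines below are constructed for illustration.
"""
from dataclasses import dataclass
import re

# Constructed flow-log format: "<ts> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>tcp|udp)$"
)

# Constructed baseline: flows seen during a learning period in which the
# control network was known to be in its normal operating state.
BASELINE_LOG = """\
2024-01-08T08:00:01Z src=10.10.1.5 dst=10.10.2.20 dport=502 proto=tcp
2024-01-08T08:00:02Z src=10.10.1.5 dst=10.10.2.21 dport=502 proto=tcp
2024-01-08T08:00:03Z src=10.10.1.6 dst=10.10.2.20 dport=20000 proto=tcp
2024-01-08T08:00:04Z src=10.10.1.7 dst=10.10.1.5 dport=443 proto=tcp
"""

# Constructed observation window to be checked against the baseline.
OBSERVED_LOG = """\
2024-02-01T14:03:10Z src=10.10.1.5 dst=10.10.2.20 dport=502 proto=tcp
2024-02-01T14:03:11Z src=10.10.1.7 dst=10.10.1.5 dport=443 proto=tcp
2024-02-01T14:03:12Z src=10.10.3.44 dst=10.10.2.20 dport=502 proto=tcp
2024-02-01T14:03:13Z src=10.10.1.5 dst=203.0.113.9 dport=443 proto=tcp
2024-02-01T14:03:14Z src=10.10.1.6 dst=10.10.2.21 dport=22 proto=tcp
this line is malformed and should be reported, not silently dropped
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Alert:
    ts: str
    flow: Flow
    reason: str


def parse_line(line):
    """Return (timestamp, Flow) for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = Flow(m.group("src"), m.group("dst"), int(m.group("dport")), m.group("proto"))
    return m.group("ts"), flow


def build_baseline(log_text):
    """Learn the set of allowed flows and the set of hosts seen in the learning window."""
    flows, hosts = set(), set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # a baseline is built from curated data; skip noise here
        _, flow = parsed
        flows.add(flow)
        hosts.update((flow.src, flow.dst))
    return flows, hosts


def classify(flow, baseline_flows, baseline_hosts):
    """Explain why a flow deviates from the baseline, or return None when it conforms."""
    if flow in baseline_flows:
        return None
    if flow.src not in baseline_hosts:
        return "unknown source host"
    if flow.dst not in baseline_hosts:
        return "destination outside known host set"
    return "new flow between known hosts"


def detect(observed_text, baseline_flows, baseline_hosts):
    """Return (alerts, malformed_lines) for an observation window."""
    alerts, malformed = [], []
    for line in observed_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            malformed.append(line)  # surfaced, never dropped silently
            continue
        ts, flow = parsed
        reason = classify(flow, baseline_flows, baseline_hosts)
        if reason:
            alerts.append(Alert(ts, flow, reason))
    return alerts, malformed


def run():
    """Build the baseline from the constructed learning log and check the observed log."""
    flows, hosts = build_baseline(BASELINE_LOG)
    return detect(OBSERVED_LOG, flows, hosts)


if __name__ == "__main__":
    found, bad = run()
    for a in found:
        print(f"{a.ts} ALERT {a.flow.src}->{a.flow.dst}:{a.flow.dport}/{a.flow.proto} ({a.reason})")
    for line in bad:
        print(f"MALFORMED: {line}")
```

The reasons are ordered deliberately: an unknown source host is the strongest signal in a control network, an unknown destination (here a public address reached from a controller) is the next, and a new port between two known hosts is the weakest but still worth review. In a real deployment the baseline would be re-learned during scheduled maintenance windows rather than once, and the alerts would be forwarded to whatever monitoring platform the organization already operates.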
To conclude, the energy sector is at risk of cyberattacks from a variety of different threat actors, each with its own motivations and methods.
The consequences of a successful cyberattack could have severe fallout for the industry and the wider economy.
The energy sector needs to invest in cybersecurity to educate employees, increase technical security controls, and become better prepared to both protect against and recover from cyberattacks.