Brad Bauch, PwC, USA
Contrary to popular opinion, cybercrime is a risk to all industries, not just to companies that handle payment cards or personal customer information. As utilities and power and energy companies increase their use of innovative technologies such as the Smart Grid, advanced metering infrastructure and modern control systems, cyber threats and their associated risks grow. So says a recent report from PwC.
Recent reports confirm that cyber attacks on several multinational energy companies resulted in security breaches long before the victims became aware that their systems had been compromised. In each case, it was a situation of not knowing until it was too late. Energy companies are targets because they possess valuable, proprietary data on reserves and discoveries, including intellectual property on how to access resources and financial information about related transactions. According to published reports, state-sponsored foreign attackers have used highly sophisticated methods to compromise these types of targets.
Professionals who support cybercrime investigations have noted that utilities and power generation companies share the energy companies' concern that direct cyber attacks have the potential to disrupt or damage their business and critical IT.
Critical infrastructures, including those of the utility and power generation industries, are of keen interest to various adversaries. Because Smart Grid systems collect valuable data about utilities and their customers, long-standing privacy and security issues take on a new and perplexing dimension. Computerized smart meters are typically connected to large networks that must be protected with a rigorous suite of security controls against malware infiltration, physical tampering and data snooping. A breach could result in unauthorized access to energy usage data or in the corruption of smart meter settings, with the goal of disrupting power delivery to a single customer, a neighbourhood or an entire city.
To protect themselves and their customers, energy, utilities and power companies must adopt a fresh and modern cyber security philosophy – one accepting of the ongoing state of cybercrime and committed to appropriate levels of preparation and incident response capability.
Today’s cyber threat landscape
Why does a typical in-house cyber security programme (people, processes and technology) fail to detect the advanced threats that can lie in wait for months or years before executing the final stages of an attack? The short answer is that most security programmes are not organized to take such threats fully into account. They focus mainly on threats that generate detectable, recognizable patterns, looking for known signs of malicious intent.
Today’s cyber criminals are keenly aware of the typical defensive measures taken by most companies. Cybercrimes are committed by a multitude of offenders with diverse motives:
- Trusted insiders, who use their authorized access to enable a security breach
- Competitors seeking advantage
- Foreign governments committing espionage for military, political or economic gain
- Transnational criminal enterprises stealing/extorting to generate income
Today’s advanced criminal techniques present a bigger challenge than intrusion detection technology, which monitors for known malicious code patterns or changes to system configurations, can meet on its own. The technical and intelligence capabilities of potential adversaries increase daily. Evidence shows that preventive and detective measures can effectively reduce the risks of acceptable use policy violations, some types of computer and network intrusion, data loss or leakage, and asset sabotage. However, adversaries that target specific companies and industries are keenly aware of the limitations of these measures and have developed sophisticated methods to exploit both human and technological weaknesses.
Many of these adversaries operate among highly organized, global groups and underground networks. They are often categorized as ‘transnational criminal enterprises’ with a pure profit motive, and are patient, persistent, and extremely determined.
The intelligence services of foreign governments are the most sophisticated, organized, and well-funded. These entities steal commercial intellectual property and business transaction data to gain an economic advantage and abscond with classified government information to gain military or political advantage.
Establishing and maintaining unauthorized remote access for as long as possible, so that further malicious actions can be carried out later, is a primary objective of state-sponsored groups.
A historical perspective
Many of the security technology investments made over the past decade can help combat cybercrime, but only if companies have the right technical knowledge and experience to use them. A cursory review of recent cyber security history illustrates the need to tighten security by increasing the awareness, use and capabilities of technological security applications.
Utilities and power and energy companies need people with experience investigating advanced cyber intrusions who can also employ the right technology to provide early warning of security breaches. This experience should cover threats against Smart Grid components and networks, industrial and process control systems infrastructure and nuclear facilities, and should also take highly sophisticated attacks such as the Stuxnet malware into account.
Figure 1 outlines the evolution of technology and threat response capability during the previous decade.
|Figure 1: Evolution of cybercrime, 2000-2010|
Recognizing breach indicators
Cyber security breaches characterized by undetected intrusions may include the following types of event indicators.
- Unauthorized web pages posted on an Internet-facing web server
- Outbound data transmissions using unknown, unauthorized or unlikely protocols or ports
- Outbound transmission of large and compressed files
- Unusual connections between user systems using native operating system networking features
- Log entries on domain controllers indicating the execution of unauthorized programmes
Based on real-world cases at organizations experiencing a cyber intrusion, indicators such as these were typically available for days, months, or in some cases, even years.
To best protect your own company, you must become familiar with these and other types of breach indicators. Your company should be able to determine whether systems have been, or are actively being, compromised, including through network-based or media-based data exfiltration or through e-mail.
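The indicators listed above can be turned into automated checks rather than left to chance discovery. The following is an added example, not code from the PwC report, that runs three of them over constructed flow records and domain-controller events: outbound connections on unexpected ports, large compressed uploads, workstation-to-workstation use of native file-sharing ports, and process creation on a domain controller outside an assumed baseline. The subnet layout, the expected-port baseline, the size threshold and the list of programs expected on a domain controller are all assumptions that a real deployment would replace with its own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample telemetry (not from the article): firewall/proxy flow
# records and domain-controller Windows Security events. Addresses use the
# documentation ranges; the network layout and baselines are assumptions.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# (proto, port) pairs a user workstation is expected to reach on the Internet.
EXPECTED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)}
# Native OS file-sharing / remote-execution ports: normal towards a file
# server, suspicious between two user workstations.
LATERAL_PORTS = {135, 139, 445}
COMPRESSED_EXT = (".zip", ".rar", ".7z", ".gz", ".cab")
LARGE_UPLOAD_BYTES = 50 * 1024 * 1024
# Assumed baseline of programs expected to start on a domain controller.
DC_ALLOWED_IMAGES = {"lsass.exe", "svchost.exe", "ntfrs.exe", "dns.exe", "wmiprvse.exe"}

FLOWS = [
    {"id": 1, "src": "10.20.5.10", "dst": "192.0.2.80",   "proto": "tcp", "dport": 443,  "bytes_out": 12_000, "file": None},
    {"id": 2, "src": "10.20.5.10", "dst": "203.0.113.9",  "proto": "tcp", "dport": 6667, "bytes_out": 4_000, "file": None},
    {"id": 3, "src": "10.20.5.22", "dst": "198.51.100.7", "proto": "tcp", "dport": 443,  "bytes_out": 220 * 1024 * 1024, "file": "q3-reserves.rar"},
    {"id": 4, "src": "10.20.5.10", "dst": "10.20.7.31",   "proto": "tcp", "dport": 445,  "bytes_out": 3_000, "file": None},
    {"id": 5, "src": "10.20.5.10", "dst": "10.1.1.5",     "proto": "tcp", "dport": 445,  "bytes_out": 90_000, "file": None},
    {"id": 6, "src": "10.20.5.40", "dst": "192.0.2.50",   "proto": "udp", "dport": 53,   "bytes_out": 900, "file": None},
    {"id": 7, "src": "10.20.5.40", "dst": "198.51.100.7", "proto": "tcp", "dport": 443,  "bytes_out": 5 * 1024 * 1024, "file": "report.zip"},
]
# Windows Security log: event 4688 = process creation, 4624 = logon.
DC_EVENTS = [
    {"id": 101, "host": "DC01", "event_id": 4688, "image": "svchost.exe",  "user": "SYSTEM"},
    {"id": 102, "host": "DC01", "event_id": 4688, "image": "rar.exe",      "user": "CORP\\svc_backup"},
    {"id": 103, "host": "DC02", "event_id": 4624, "image": None,           "user": "CORP\\jdoe"},
    {"id": 104, "host": "DC02", "event_id": 4688, "image": "PSEXESVC.exe", "user": "SYSTEM"},
]


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def is_external(addr):
    return not _in_any(addr, INTERNAL_NETS)


def flow_indicators(flow):
    """Return the indicator tags that a single flow record triggers."""
    hits = []
    external = is_external(flow["dst"])
    if external and (flow["proto"], flow["dport"]) not in EXPECTED_OUTBOUND:
        hits.append("unexpected-outbound-port")
    name = (flow["file"] or "").lower()
    if external and name.endswith(COMPRESSED_EXT) and flow["bytes_out"] >= LARGE_UPLOAD_BYTES:
        hits.append("large-compressed-upload")
    if (_in_any(flow["src"], WORKSTATION_NETS) and _in_any(flow["dst"], WORKSTATION_NETS)
            and flow["dport"] in LATERAL_PORTS):
        hits.append("workstation-to-workstation-admin-share")
    return hits


def dc_indicators(event):
    """Flag process creation on a domain controller outside the baseline."""
    if event["event_id"] != 4688:
        return []
    if event["image"].lower() not in DC_ALLOWED_IMAGES:
        return ["unauthorized-program-on-dc"]
    return []


def find_indicators(flows, dc_events):
    """Run every check; each finding is (tag, source kind, record id)."""
    findings = []
    for f in flows:
        findings.extend((tag, "flow", f["id"]) for tag in flow_indicators(f))
    for e in dc_events:
        findings.extend((tag, "dc", e["id"]) for tag in dc_indicators(e))
    return findings


def hosts_by_indicator_count(findings, flows, dc_events):
    """Rank hosts by how many distinct indicator types they triggered; a host
    with several different indicators is the one to image first."""
    host_of = {("flow", f["id"]): f["src"] for f in flows}
    host_of.update({("dc", e["id"]): e["host"] for e in dc_events})
    tags = defaultdict(set)
    for tag, kind, rid in findings:
        tags[host_of[(kind, rid)]].add(tag)
    return sorted(tags.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    found = find_indicators(FLOWS, DC_EVENTS)
    for finding in found:
        print(finding)
    for host, tag_set in hosts_by_indicator_count(found, FLOWS, DC_EVENTS):
        print(host, sorted(tag_set))
```

On the constructed data the workstation 10.20.5.10 triggers two different indicators (an outbound connection on TCP 6667 and SMB to another workstation), which is why the ranking step is there: a single indicator is often noise, but several unrelated ones on the same host are the pattern the report describes as sitting unnoticed for months. None of these checks needs a signature for the attacker's tools; they compare observed behaviour against a baseline of what the host is supposed to do.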
Post-event cybercrime investigations can help improve operational cyber security posture and reduce related organizational risks. When clients engage PwC to apply the mindset of the cyber criminal and use its cybercrime investigation methods, on average three to five per cent of the client’s computer systems are found to be compromised. Recognizing the importance of clients’ business operations and those of their partners, PwC recommends that they adopt a mature and innovative response capability that reflects the continuous threat of compromise. As security issues are identified and resolved during an investigation, an independent and objective security assessment should be conducted to confirm successful remediation.
After an incident is contained and security remediation has begun, a formal review of the incident response effort should be conducted to assess the team’s performance. Results of this review can be used to strengthen training and improve responses.
Cyber security programmes
Mature cyber security programmes are typically marked by complementary elements, including security management, operations and architecture; regular testing for compliance with regulations; established policies and procedures; privacy; education and awareness; identity and access management; threat and vulnerability management; physical security; and incident response.
In addition to virus detection, intrusion detection and prevention technologies, application ‘white listing’ should be implemented on critical computer systems. White listing is a default-deny mechanism: only software known to be safe is allowed to run, and everything else is blocked. This is an effective way to prevent the introduction of new viruses and malware, provided the list is kept current as systems are patched and that interpreters and scripting hosts already on the list cannot be used to run arbitrary unlisted code.
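The default-deny rule, and the interpreter loophole it has to close, are easier to see in code than in prose. The following is an added example, not code from the PwC report or from any product: a hash-based allow decision for a single process launch, exercised against constructed sample files in a temporary directory. The manifest format, the interpreter list and the file names are assumptions; a production allow list would be generated from a gold image, protected from modification and enforced by the operating system rather than by a script.

```python
import hashlib
import os
import tempfile

# Assumed set of interpreters: if one of these is on the allow list, the
# script it is asked to run must be on the list too, or the interpreter
# becomes a way to run any code at all.
INTERPRETERS = {"python.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Hypothetical manifest: the SHA-256 of every file allowed to execute."""
    return {sha256_file(p) for p in paths}


def is_execution_allowed(image_path, argv, manifest):
    """Default-deny decision for one launch. Returns (allowed, reason)."""
    if not os.path.isfile(image_path):
        return False, "image missing"
    if sha256_file(image_path) not in manifest:
        return False, "image not in manifest"
    if os.path.basename(image_path).lower() in INTERPRETERS:
        script = next((a for a in argv if os.path.isfile(a)), None)
        if script is None:
            # Covers inline code such as "-c ..." as well as no argument at all.
            return False, "interpreter launched without a manifest-listed script"
        if sha256_file(script) not in manifest:
            return False, "script not in manifest"
    return True, "ok"


def demo():
    """Create constructed sample files and evaluate six launch scenarios."""
    d = tempfile.mkdtemp()

    def put(name, data):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        return p

    hmi = put("hmi.exe", b"MZ constructed trusted HMI build")
    py = put("python.exe", b"MZ constructed trusted interpreter")
    good = put("poll_meters.py", b"print('read meters')")
    dropped = put("update.exe", b"MZ constructed unknown binary")
    unlisted = put("stage2.py", b"import socket  # constructed, stands in for attacker code")
    manifest = build_manifest([hmi, py, good])
    results = {
        "trusted_app": is_execution_allowed(hmi, [], manifest),
        "unknown_binary": is_execution_allowed(dropped, [], manifest),
        "interp_listed_script": is_execution_allowed(py, [good], manifest),
        "interp_unlisted_script": is_execution_allowed(py, [unlisted], manifest),
        "interp_inline_code": is_execution_allowed(py, ["-c", "import os"], manifest),
    }
    with open(hmi, "ab") as f:  # simulate a trusted binary patched after listing
        f.write(b" +backdoor")
    results["tampered_app"] = is_execution_allowed(hmi, [], manifest)
    return results


if __name__ == "__main__":
    for scenario, (allowed, reason) in demo().items():
        print(f"{scenario:24s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Two of the scenarios are the ones that matter in practice: the trusted application whose bytes change after the list was built is denied because the hash no longer matches, and the listed interpreter is denied when handed an unlisted script or inline code. Path-based or publisher-based allow lists do not give the first property, and an allow list that trusts the interpreter alone does not give the second.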
Regardless of an organization’s perception of the strength of its control environment, it should consider performing tailored forensic analysis procedures on the network and key servers to determine whether there is evidence that a breach has occurred. This is harder than it sounds because of the nature of today’s advanced threats: the signatures a company would need to look for are not in the public domain, and the attacks are often company-specific, so commercial software such as virus protection or intrusion detection systems will not identify these programs or the existence of a breach.
Companies will need to team with a service provider that has in-depth experience responding to such threats. The network traffic analysis is relatively non-intrusive; however, assessing a system may require a full forensic image of the server. Due to the real-time and always-available nature of these systems, acquiring these images requires careful coordination and a skilled project team.
Even mature cyber security programmes can benefit from a fresh cyber security perspective to improve the security of data and the IT infrastructures that contain it. This includes the recognition that there are no technological ‘silver bullets’. Rather, the approach assumes an active and perpetual state of compromise, seizes all opportunities to gather cyber threat intelligence, transforms the IT environment into a treasure trove of digital evidence, assesses the state of security of its interconnected vendors, recognizes the authorized insider as a cyber threat, has a forensic incident response capability and understands and overlays business operations needs. Figure 2 outlines key characteristics of legacy and innovative cyber security programmes.
|Figure 2: Key characteristics of legacy and innovative cyber security programmes|
Companies wanting to better protect themselves and their stakeholders from advanced cyber threats need to adopt a new cyber security philosophy that acknowledges the realities of cybercrime and features the flexibility needed to meet changing security demands for years to come.
For more information on the PwC report contact Brad Bauch, Energy and Utilities and Power Generation principal (firstname.lastname@example.org).
The Stuxnet incident
Stuxnet is widely believed to be the first ‘weaponized’ malware specifically designed to exploit vulnerabilities in and sabotage industrial control systems. It targeted a specific control system vendor’s product line — with disruption of Iran’s uranium enrichment infrastructure likely its key goal.
While the relative impact to control systems worldwide was minimal, the broader implications of Stuxnet indicate that our enormous critical infrastructure control systems base is at greater risk than previously believed.