The cyber threat
Every business is operating in one of the most challenging environments in our lifetime. Companies in the energy, mining and utilities industries are no different as they attempt to keep services up and running, while ensuring employees that often work on site can do so safely or remotely. However, as with any crisis, unfortunately there are those that seek to take advantage. Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm for malicious threat actors.
Accenture’s recent Cyber ThreatScape report identified some of the most important emerging trends that businesses across every industry must respond to, from attackers exploiting greater business connectivity to finding new ways to influence victims of ransomware attacks to pay. Notable for the energy, utilities and mining industries is the rapid pivot by cyber criminals to the business of ransomware.
Ransomware feeds new, profitable business models
Ransomware rapidly increased in popularity among threat actors over the course of 2020. Indeed, there have been a number of ransomware attacks targeting the energy sector, including a US water utility. One of the most important reasons for this is the success rate it’s delivering for hackers. In 2020, it was estimated that the ransoms paid rose by about 60 per cent, up to an average of $178,254. In addition, top ransomware demands have grown steadily, with the highest demands, as reported by CrowdStrike, rising to $12.5 million. This spike is due to threat actors finding new ways of influencing victims to pay, adopting a ‘name and shame’ approach, including leaking data to the press or even creating public websites detailing the information, to add pressure.
Another new trend emerging is malicious actors delaying disruptions, giving them time to determine how much ransom an organization can pay. In the first quarter of 2020 the volume of ransomware attacks increased, even though they had gained access to company networks months beforehand. This shows that threat actors are willing to take their time and wait for the moment they can maximize the financial reward, in this case a global pandemic. Other threat actors are now incorporating destructive capabilities in their arsenal, including LockerGoga and MegaCortex, as reported in the IBM X-Force Threat Intelligence report in 2020.
Some malicious groups, such as WIZARD SPIDER and INDRIK SPIDER, also seem to be adding advanced ransomware to their existing arsenal of banking trojans. The criminals behind WIZARD SPIDER appear to have developed their own ransomware, Ryuk, and are using their banking trojan TrickBot or Emotet to deploy it. So, not only are energy sector clients under threat from the usual bad actors, but there is also a significant risk of organised crime looking for pay-outs across new industries through their own ransomware or by renting it out on a profit-sharing basis.
Ominous implications for critical national infrastructure
For operators of critical national infrastructure in the energy sector, it is vital to know what damage could be done and how severe it could be. Not only is downtime a consideration, reputational damage can also be detrimental to trust.
Many companies feel the best way out of this type of scenario is to pay the ransom. However, in many cases paying the ransom does not guarantee disruption will be avoided – even in a targeted, financially-driven ransomware attack.
To add to the challenges, organizations operating critical national infrastructure are increasingly subject to cybersecurity regulations, including the Network and Information Security Directive (which mandates breach notification), privacy regulations such as General Data Protection and more.
Outfox cyber criminals with defense-in-depth
As operators of critical national infrastructure, companies in the energy and utilities industries should approach cyber security with a mindset that any one control can and probably will be compromised at some point. Even with strong perimeter controls through firewalls, intrusion prevention and similar measures, threat actors will likely leverage other methods, including social engineering via phishing, spear phishing or guessing/harvesting user credentials.
So how do businesses ensure they protect themselves?
The key focus must be on developing resilience. This means understanding your business assets and their importance, as well as knowing the threats and importantly how to mitigate their risks.
From a proactive perspective, building preventative controls is the first line of defense. This includes managing identity, access and privileged access, using two-factor authentication, securing endpoints, staying up to date on patching, hardening servers/applications and building-in security via DevSecOps and cloud security.
Businesses should also be continuously monitoring their active threats by integrating both public and private threat intelligence sources into security operations and focusing on security awareness with, for example, simulated phishing campaigns. Building strong detection capabilities via a security incident and event monitoring (SIEM) service is also crucial for continuous monitoring.
Should the worst happen, businesses must also ensure they’re ready to respond. This means preparing the right responses with crisis management, business continuity management and disaster recovery plans, backed by exercises to ensure the team and system is trained and capable. Many companies are investigating incident response retainers to be ready should a breach occur. Creating backups, including disconnected backups of critical services, is an important part of this. Remembering to test those backups and scan for malicious code before attempting a restore is essential.
It is important to note too that energy and utilities companies are not just under threat from an IT perspective. Operational technology environments are increasingly in the crosshairs of criminals, as downtime for these critical systems is expensive and may influence the victim’s decision on whether to pay. With organized threat actors increasingly using destructive capabilities, this has become an even higher priority. These attacks can have significant implications for human life and welfare. Companies must keep this in mind and check the National Cyber Security Centre’s ransomware guidance.
It is an extremely challenging time and with growing cyber threats, energy and utility companies cannot take their eye off the ball. If they do, threat actors will be quick to take advantage and wreak more havoc in an already tumultuous environment.
ACCENTURE UK
Kristian Alsing is a managing director and Resources security lead, Accenture UK and Ireland. Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialised skills across more than 40 industries, it offers Strategy and Consulting, Interactive, Technology and Operations services – all powered by the world’s largest network of Advanced Technology and Intelligent Operations centres. It’s 514,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries.
For further information please visit: www.accenture.com