Managing and Mitigating Cyber Attacks in the UK Energy Sector

Energy remains a vital sector in the UK, providing energy supplies to local markets as well as exporting internationally. However, in recent years the Energy Sector has become the UK’s top target for cyber attacks, accounting for 24% of all UK cyber attacks in 2021. With increasing pressure from supply chain challenges and energy costs, it has never been more important for Energy companies to focus on cybersecurity risk management. In this latest interview blog, Nimbus Blue’s Security Lead, Andy Turner, looks at why the energy sector has seen a rise in cyber attacks in recent years and how companies can reduce their cybersecurity risk.

Q: According to a recent IBM report, the Energy sector saw 24% of all UK cyberattacks in 2021. Why do you think the Energy Sector has become the UK’s top target for cyberattacks in recent years?

A: “Energy and Manufacturing are typically the most targeted industries for cyber attacks, and this trend has continued in the latest reports looking at cybersecurity risks and incidents. Whilst any business or individual can become a target, Energy sector companies have several characteristics that make them more attractive for cyber criminals.

Operational Technology (OT) that is used within the Energy sector can be a prime target for state-sponsored groups aiming to disrupt supplies, or organised cyber gangs seeking financial gains. This was seen in the Stuxnet malware attacks back in 2010. These systems run the plants, and control the flow and production of energy, so if they are compromised the impact can be devastating. Quite often, these OT systems are installed and never patched, and if they have any connection to the internet, either directly or indirectly via a workstation, they can be vulnerable to attacks.

Another reason for the Energy sector being a top target is the exploitability of the companies. Data theft is a growing concern with Intellectual Property (IP) providing a potentially high return for cyber criminals who either sell stolen IP to competitors or hold data to ransom. Cyber criminals are targeting companies that are most likely to pay high sums of money to have their data returned or restored. These attacks can either be in the form of ransomware, which encrypts the data, blocking access until a ransom is paid, or data exfiltration, which is the removal of the data from the company network with the threat of it being sold on the dark web, unless the ransom is paid. Recently, these attacks have been seen working in tandem, with the original data being exfiltrated then encrypted, limiting the options of the targeted company.”

Q: What is the potential impact of a cyber attack for an organisation in the Energy sector?

A: “The potential impact of any cyber attack can only truly be understood by the company that is affected. What is the impact on your ability to do business if your systems or your operational equipment are down for a day, or a week, or if you no longer have control of your intellectual property, and there is a possibility of it being sold or distributed freely on the internet?

Regardless of your company size or industry, these are questions that all businesses should be asking themselves, with a focus on the lasting operational, financial, and reputational impact on your business should you become a target of a cyber attack. For example:

  • What is the impact to our finances if we are down for one day, or for a week?
  • What is the impact to our reputation if we are down for one day, or for a week?
  • What is the impact to our customer/supplier relationships if we are down for one day, or for a week?
  • What is the impact if we no longer have our intellectual property, and it’s leaked on the internet?
  • If we are down for any length of time, do we have a robust, tested Business Continuity plan that will keep us going?

These are all business-critical scenarios, so proactive plans and solutions are essential to manage potential cybersecurity risks and mitigate any potential impacts.”

Q: Phishing was found to be the top infection method used against UK businesses in 2021, leading to 63% of incidents. How can an organisation reduce the risk of phishing attacks?

A: “There are several protection methods an organisation can use to reduce the risk and impact of phishing attacks.

The first line of defence against any malicious email is an email filter, which scans all inbound messages looking for threats. Email filters use a combination of techniques to decide if a message is safe for delivery, or not. This should stop most inbound threats before they reach the mailboxes of staff.

However, if a malicious email does reach the mailbox, then Endpoint Detection and Response (EDR) or DNS filtering software is the next protection method. Security applications such as these will act upon the system to block any access to malicious attachments or links contained within the email. Having these applications in place, along with a Security Operations Centre (SOC) or Security Information and Event Management (SIEM) service, can catch emerging threats before they spread and can alert to a wider issue by analysing data points from multiple endpoints and services.

All systems are fallible, and even the combination of a mail filter and multiple security products on the endpoint may occasionally let a phishing email slip through and a link or attachment may be clicked on. To minimise the impact of a phishing email, all accounts should be protected by Multi-Factor Authentication (MFA). This limits the damage caused if a bad actor manages to phish a staff member for their username and password and ensures that they are not granted access to the account, even with this information. Also, all staff should be using a non-administrator account for their day-to-day work, with no exceptions. This limits the actions that stolen credentials can be used for, either on the endpoint that the staff member is working from, or their access to a cloud-based system.

The final line of defence is the staff themselves. More than ever, Energy companies today need to stay security aware and ensure sufficient investment in the right places, and this includes your staff. By combining more secure systems and processes with user awareness training, staff will be empowered to make the right decision and spot a phishing email or system vulnerabilities, potentially mitigating a cyber attack that could have a lasting operational, financial, and reputational impact on your business.”
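The layered controls described in the answer above start with the email filter's decision on each inbound message. The Python script below is an added example, not code from Nimbus Blue or from the original post: it scores a message on the kinds of signals a filter combines (SPF/DKIM/DMARC verdicts from the Authentication-Results header, a lookalike sender domain, the company brand in a display name from outside, a Reply-To mismatch, urgency language, and an executable-type attachment) and returns deliver, flag or quarantine. The internal domain example-energy.co.uk, the four sample messages, the weights and the thresholds are all constructed assumptions.

```python
"""Added example (not from the Nimbus Blue post): score an inbound email on
several signals the way a mail filter combines them. The internal domain,
the four sample messages, the weights and the thresholds are all
constructed assumptions for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-energy.co.uk"          # assumed tenant domain
BRAND = INTERNAL_DOMAIN.split(".")[0]             # "example-energy"
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".hta", ".scr", ".iso", ".lnk")
URGENCY_PHRASES = ("urgent", "immediately", "password expires", "verify your account")
QUARANTINE_AT, FLAG_AT = 4, 2                     # assumed score thresholds


def levenshtein(a, b):
    """Edit distance, used to spot lookalike sender domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(msg):
    """Pull spf=/dkim=/dmarc= verdicts out of the Authentication-Results header(s)."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            found[mech.lower()] = verdict.lower()
    return found


def triage(raw):
    """Return {'score', 'signals', 'verdict'} for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    signals, score = [], 0
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Sender authentication: anything other than an explicit pass counts against it.
    auth = auth_results(msg)
    for mech, weight in (("spf", 1), ("dkim", 1), ("dmarc", 2)):
        if auth.get(mech) != "pass":
            signals.append(f"{mech}={auth.get(mech, 'missing')}")
            score += weight

    # 2. Sender identity: lookalike domain, or our brand in a display name from outside.
    if from_domain != INTERNAL_DOMAIN and 0 < levenshtein(from_domain, INTERNAL_DOMAIN) <= 2:
        signals.append(f"lookalike-domain:{from_domain}")
        score += 3
    if BRAND in display.lower() and from_domain != INTERNAL_DOMAIN:
        signals.append("brand-in-display-name")
        score += 2

    # 3. Reply-To pointing somewhere other than the From domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        signals.append("reply-to-mismatch")
        score += 1

    # 4. Pressure language in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(p in text for p in URGENCY_PHRASES):
        signals.append("urgency-language")
        score += 1

    # 5. Executable-type attachments are a strong signal on their own.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            signals.append(f"risky-attachment:{name}")
            score += 4

    verdict = "quarantine" if score >= QUARANTINE_AT else "flag" if score >= FLAG_AT else "deliver"
    return {"score": score, "signals": signals, "verdict": verdict}


def _build(sender, subject, body, auth, reply_to=None, attachment=None):
    """Construct a sample message as raw text (constructed data, not real mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = f"ops@{INTERNAL_DOMAIN}"
    m["Subject"] = subject
    m["Authentication-Results"] = f"mx.{INTERNAL_DOMAIN}; " + auth
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed payload", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


SAMPLES = {
    "legit": _build("Grid Ops <ops@partner-grid.example>", "Maintenance window confirmed",
                    "Saturday 02:00-04:00 as agreed.", "spf=pass; dkim=pass; dmarc=pass"),
    "lookalike": _build("Example-Energy IT Support <it-support@examp1e-energy.co.uk>",
                        "URGENT: your password expires today",
                        "Sign in at the link below to keep access.",
                        "spf=fail; dkim=none; dmarc=fail"),
    "replyto": _build("Accounts <accounts@supplier.example>",
                      "Please verify your account details",
                      "Reply with the updated bank details.",
                      "spf=pass; dkim=pass; dmarc=pass",
                      reply_to="accounts@webmail-free.example"),
    "dropper": _build("Invoices <billing@supplier.example>", "Invoice 4471",
                      "Please find the attached invoice.",
                      "spf=pass; dkim=pass; dmarc=pass", attachment="invoice_4471.js"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

Two design points worth noting: an explicit pass is required for each authentication mechanism, so a missing DMARC result scores the same as a failure rather than being waved through, and a single strong signal (an executable attachment) is weighted so that it reaches quarantine on its own instead of relying on several weak signals lining up. Production filters add sender reputation, URL rewriting and attachment sandboxing on top of this; the script only shows the combination-of-signals decision the answer refers to.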

Q: For the Energy sector, data theft and extortion were noted in 23% of cyber attack cases. How can Energy sector organisations reduce the risk of these types of attacks?

A: “Extortion can be carried out in several ways and is mostly associated with ransomware encrypting the company data. It can also be carried out by data theft and denial of service (DoS) attacks. Any of these events will put the affected company in a situation where they are either unable to carry out business as usual, or risk having their intellectual property sold or released on the internet.

To reduce the risk of any cyber attack, Energy sector organisations should first carry out an audit of their assets to understand what they have and to identify what is critical to the business. This should extend to intangible assets, such as company data, source code, and credentials, as well as their traditional IT hardware assets. This gives the organisation a greater understanding of the assets at risk and where the protection needs to be.

Following the guidance of the National Cyber Security Centre (NCSC) by achieving the Cyber Essentials certification can help to prevent around 80% of cyber attacks. Achieving this certification ensures that a company has put the essential cyber security controls in place and is a great starting point on a cyber security journey.

Finally, phishing is still the top initial access vector and can be identified as the entry point in just under 50% of all cyber attacks. Spear-phishing, which is the targeting of specific employees or job roles, accounts for 62% of all phishing attacks, so the staff must be able to spot the phish and the threat before they take an action that may lead to a larger security incident. You can help your staff to avoid becoming targets by offering them user awareness training that covers the current techniques bad actors use and is adaptive to the evolving cyber threat landscape.”

Q: What are the top 3 things an Energy sector organisation should do to identify and manage vulnerabilities in their security?

A: “Know your estate – do an inventory of all your assets, tangible and non-tangible, and produce documentation and diagrams that show server and network configurations, data flows, and all interconnections between your assets. Once inside a network, this is the first step that a bad actor will take to understand where the links are and how they can be exploited to get to the valuable stuff. This can also be useful if a security event takes place, helping you to identify where an attacker may have got to by knowing the links between your assets.

Scan, patch, isolate – carrying out regular vulnerability assessments or penetration testing can help identify vulnerabilities within the IT estate that a bad actor may use during a security incident. This should be carried out regardless of any patching cadence currently in place. A lot of patch management focuses on what is easy to patch, such as operating systems like Windows or macOS, but this should also include OT devices, firewalls, switches, and any other device that is connected to the network. If there is a piece of hardware that cannot be patched, such as a piece of OT that still needs Windows XP to function, then it should be isolated from the network, and not have any connectivity to the internet.

Plan for the worst – things happen; equipment or software can be compromised, or a staff member may click a link or open an attachment in a malicious email. All organisations should have written and tested disaster recovery and business continuity plans, so in the event of an incident the response is timely, planned, and the impact to the business is minimal.

Understanding the estate and ensuring that vulnerabilities are resolved does play a part in reducing the potential impact of a cyber attack, but proper preparation and planning helps the organisation recover and continue to do business.”
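The three steps in the answer above (inventory the estate with its interconnections, scan and patch what can be patched and isolate what cannot, plan for an incident) can be turned into a repeatable check. The Python below is an added example, not Nimbus Blue's code or a real CMDB schema: it takes a constructed asset inventory and link list, walks the links outward from internet-facing assets to find what is reachable indirectly (the workstation-to-OT path mentioned earlier in the interview), and assigns each asset one action: isolate for anything that no longer receives vendor patches, patch-now for critical findings or high findings on exposed hosts, patch-overdue when the cadence has slipped, otherwise ok. Asset names, field names, the patch cadence and the rules are all assumptions.

```python
"""Added example (not Nimbus Blue's code): turn 'know your estate' and
'scan, patch, isolate' into a repeatable check over a constructed inventory.
Asset names, fields, links, thresholds and rules are all assumptions."""
from collections import deque

# Constructed inventory. 'internet' means the asset itself is internet-facing;
# 'supported' means the vendor still ships patches for its OS or firmware;
# 'findings' is the worst severities from the last vulnerability scan.
ASSETS = {
    "fw-edge":     dict(kind="firewall",    os="vendor firmware 7.x", supported=True,
                        internet=True,  days_since_patch=20,   findings=[]),
    "ws-ops-01":   dict(kind="workstation", os="Windows 11",          supported=True,
                        internet=True,  days_since_patch=45,   findings=["high"]),
    "db-metering": dict(kind="server",      os="Ubuntu 22.04",        supported=True,
                        internet=False, days_since_patch=10,   findings=["medium"]),
    "hmi-turbine": dict(kind="OT",          os="Windows XP",          supported=False,
                        internet=False, days_since_patch=3650, findings=["critical"]),
    "plc-pump-7":  dict(kind="OT",          os="vendor RTOS",         supported=True,
                        internet=False, days_since_patch=400,  findings=[]),
    "lab-bench":   dict(kind="OT",          os="Windows 7",           supported=False,
                        internet=False, days_since_patch=2000, findings=[]),
}
# Interconnections from the estate diagram, treated as undirected for this check.
# lab-bench has no links at all: it is already air-gapped.
LINKS = [("fw-edge", "ws-ops-01"), ("fw-edge", "db-metering"),
         ("ws-ops-01", "hmi-turbine"), ("hmi-turbine", "plc-pump-7")]


def exposure_paths(assets, links):
    """Shortest hop path from an internet-facing asset to every asset it can reach."""
    adj = {name: set() for name in assets}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    paths = {name: [name] for name, a in assets.items() if a["internet"]}
    queue = deque(paths)                       # breadth-first from the exposed edge
    while queue:
        cur = queue.popleft()
        for nxt in sorted(adj[cur]):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def triage(assets, links, cadence_days=30):
    """Assign each asset one action: isolate, patch-now, patch-overdue or ok."""
    paths = exposure_paths(assets, links)
    plan = {}
    for name, a in assets.items():
        reasons = []
        if not a["supported"]:
            # Cannot be patched: the only control left is cutting its network paths.
            action = "isolate"
            reasons.append(f"{a['os']} no longer receives vendor patches")
            if name in paths:
                reasons.append("reachable from the internet via " + " > ".join(paths[name]))
        elif "critical" in a["findings"] or (name in paths and "high" in a["findings"]):
            action = "patch-now"
            reasons.append("scanner findings: " + ", ".join(a["findings"]))
        elif a["days_since_patch"] > cadence_days:
            action = "patch-overdue"
            reasons.append(f"{a['days_since_patch']} days since last patch, cadence is {cadence_days}")
        else:
            action = "ok"
        # An otherwise healthy asset still inherits risk if its path runs through
        # an unpatchable one, which is where an intruder may already have got to.
        crossed = [hop for hop in paths.get(name, [])[:-1] if not assets[hop]["supported"]]
        if crossed:
            reasons.append("exposure path crosses unpatchable " + ", ".join(crossed))
        plan[name] = {"action": action, "exposed": name in paths, "reasons": reasons}
    return plan


if __name__ == "__main__":
    for name, entry in triage(ASSETS, LINKS).items():
        print(f"{name:12} {entry['action']:14} {'; '.join(entry['reasons'])}")
```

Run stand-alone it prints one line per asset. The point the exposure walk makes is the one the interview raises: hmi-turbine has no internet connection of its own, yet it is two hops from the edge through the operations workstation, so "not directly on the internet" is not the same as isolated, and plc-pump-7 behind it inherits that path. The same link list doubles as the map to consult during an incident.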

Nimbus Blue works with a wide range of companies in Aberdeen and beyond, so whether you’re a small business owner or a larger organisation, our team of security experts have the skills and experience to understand your specific goals and challenges, and can help you to choose and implement the right security solutions for your business. Visit our cybersecurity services overview to find out more.