The energy and utility sectors face a unique set of cybersecurity challenges at a time when threats towards critical national infrastructure (CNI) are at a heightened level because of the Ukraine-Russia conflict.
In April, the National Cyber Security Centre (NCSC) sounded the alarm over “state-aligned” Russian groups which could launch destructive attacks targeting CNI.
Against this backdrop, Infosecurity spoke to Paul Kennedy, head of cyber advisory at QinetiQ, about how energy and utility organizations can take action, how to train for the worst-case scenario and how QinetiQ leans on its defense heritage to help secure CNI organizations.
The NCSC alert said that these state-aligned groups are typically focused on DDoS, web defacement and spreading misinformation, but may progress to “destructive and disruptive attacks” on CNI if they see the opportunity.
Speaking about the alert, Kennedy said that one of the key phrases to come out of it was “state-aligned,” indicating the NCSC’s caution when it comes to directly attributing threat actors to the Russian state.
However, he noted that in terms of “worry and concern” for organizations, there is some hype around these alerts.
“Companies need to work out where they are, where they want to be and how they're going to get there and do that in a planned and controlled and measured way,” he said. “If you’re in the energy and utilities market, that is where you want to be and if you’re not thinking about cybersecurity, that’s when you should be worried.”
A Distinctive Technology Base
CNI encompasses a wide range of businesses and activities, including transport, information technology, finance, state activities and telecommunications. The energy and utility sectors of CNI have their own unique technology base to consider when implementing a cybersecurity strategy.
“Whereas the financial services industry is based on IT…the energy and utilities are based on industrial control systems (ICS), including supervisory control and data acquisition (SCADA),” Kennedy explained. “Also, at the time when you build a big power plant, the lifespan is in the tens of years. You might build equipment with a 30+ year lifespan, which means the controls have a similar lifespan. They are not necessarily connected using standard network connectivity either; they may be communicating over bespoke, or industry standard, ICS protocols.”
This technology landscape provides a different set of cybersecurity challenges and the first place to start for these organizations may not be with security tools, but instead with the network itself.
Kennedy said that having a good picture of your network architecture will be beneficial when securing it.
“If you've not got a good picture of your network architecture then you'll probably get more return on doing some network discovery than you will on putting a bunch of cybersecurity protections in place,” he said.
This also goes for network segmentation. If an organization has a very flat network, which a lot of ICS networks are, it would be beneficial to invest in segmentation to limit lateral movement.
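To make the discovery-and-segmentation point concrete, here is an added example that is not from the article, Infosecurity or QinetiQ: a small Python model of a constructed ICS asset inventory with Purdue-style zones and three firewall policies (flat, segmented, and strict with no inbound path from the DMZ into control). It scores how many host-to-host pivots an intruder who has landed on a corporate laptop would need before reaching a PLC, and how many hosts are directly exposed to that laptop. Host names, zone names and allow rules are all assumptions chosen for illustration.

```python
"""Reachability model for a constructed ICS estate (added example, not the article's code).

An asset inventory (the output of the network discovery the article recommends) is mapped
to zones, and a zone-level allow list stands in for the firewall policy between them.
"""
from collections import deque

# Constructed inventory: hostname -> zone. The zone names follow a Purdue-style layout,
# which is an assumption for this example, not something the article specifies.
ASSETS = {
    "corp-laptop-01": "enterprise",
    "erp-server": "enterprise",
    "historian": "dmz",
    "scada-server": "control",
    "hmi-01": "control",
    "plc-turbine-1": "field",
    "plc-turbine-2": "field",
}

# Each policy is a list of (source_zone, dest_zone) allow rules; "*" is a wildcard.
# Traffic inside a single zone is always allowed (same broadcast domain).
FLAT_POLICY = [("*", "*")]                       # one flat network, no boundaries
SEGMENTED_POLICY = [                             # boundaries exist, but every hop has a path
    ("enterprise", "dmz"),
    ("dmz", "control"),
    ("control", "dmz"),
    ("control", "field"),
]
STRICT_POLICY = [                                # control pushes to the DMZ; nothing comes back in
    ("enterprise", "dmz"),
    ("control", "dmz"),
    ("control", "field"),
]


def zone_allowed(src_zone, dst_zone, policy):
    """True if the policy lets a host in src_zone open a connection into dst_zone."""
    if src_zone == dst_zone:
        return True
    return any(s in ("*", src_zone) and d in ("*", dst_zone) for s, d in policy)


def direct_reach(host, assets, policy):
    """Set of other hosts that `host` can connect to in a single hop."""
    src_zone = assets[host]
    return {
        other for other, zone in assets.items()
        if other != host and zone_allowed(src_zone, zone, policy)
    }


def hops_to(start, target, assets, policy):
    """Fewest host-to-host pivots from `start` to `target`, or None if unreachable.

    A plain breadth-first search over the host graph; each pivot is a boundary a
    defender could monitor or block.
    """
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            return dist[cur]
        for nxt in direct_reach(cur, assets, policy):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return None


def summarize(start, target, assets):
    """Compare the three policies from one starting host against one critical target."""
    rows = []
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY), ("strict", STRICT_POLICY)):
        rows.append((name, len(direct_reach(start, assets, policy)), hops_to(start, target, assets, policy)))
    return rows


if __name__ == "__main__":
    print(f"{'policy':<10} {'hosts exposed to laptop':>24} {'pivots to PLC':>14}")
    for name, exposed, hops in summarize("corp-laptop-01", "plc-turbine-1", ASSETS):
        print(f"{name:<10} {exposed:>24} {str(hops):>14}")
```

The flat policy exposes every host to the laptop in one hop, the segmented policy still leaves a three-pivot path but each pivot crosses a boundary where a defender can log or block, and the strict policy makes the PLC unreachable from the enterprise side at all. The model is only as good as the inventory fed into it, which is the point Kennedy makes about doing discovery first.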
Kennedy noted that it is important for these organizations to focus on what is important to the business. For CNI, this is ultimately about availability of the essential services they provide.
Within these sectors, communication between IT and cybersecurity staff on one side and the engineers on the other also needs attention. Kennedy noted that silos are common and need to be addressed, and that the best way to evaluate risk is to work together, drawing on the engineers’ specialized knowledge of the systems.
Finally, these sectors are not untouched by the cybersecurity skills gap crisis.
“The way to address that is young people, graduates and apprentices,” Kennedy highlighted. QinetiQ offers a diverse range of apprenticeships and traineeships to upskill both new graduates and those exploring a new career path.
Fail to Prepare, Prepare to Fail
Planning, training and testing are the key elements to a solid cybersecurity response and one that QinetiQ advocates for in the energy and utilities sectors. Kennedy explained that there are two testing environments, one at the board level and one at the technical level.
There is an entire spectrum of things you can do to test your response when it comes to a cybersecurity incident, Kennedy explained.
“It’s important to do testing because you don’t want to be caught out. Something will go wrong at some point and you need to be prepared for it,” he said.
First, at board level there are a number of elements that need to be tested – the communications, the recovery and how to continue operations.
When a breach occurs, it is important to know who is going to be standing on the steps of the company explaining the incident to the public.
Next, the technical response at board level must be tested to understand the operations that have been impacted and how to restore them. Additionally, you need to understand how to keep going while you are under attack if operations have not been impacted.
“Sitting down at board level is a really good thing to do, go through the plan and also ask what to do if your CTO is not available or your CEO is not available? What if they're stuck in traffic? Take members of your board out and see who can deputize for who,” Kennedy said.
Alongside the board exercises, it is important to have a full technical exercise in a representative environment.
“Here you will have a planned series of interventions, a series of activities that your response team and technical team can respond to,” Kennedy said.
QinetiQ leans heavily on its defense heritage and how it has contributed to military exercises. The company leverages the same principles in the cyber environment.
For the technical exercise, the activity could last several days and involve defenders, a red team that delivers planned injects, and a control team watching the defenders as they act.
A part of the exercise that Kennedy was keen to highlight is the experts that are on hand to debrief once the mock attack has been concluded.
“Everybody's stressed to hell. They've been hammered for a couple of days and then everybody stops and everyone can calm down. Then the actual learning starts,” Kennedy said.
The debrief is core to QinetiQ’s cybersecurity consulting solution, and Kennedy noted that this vital part of the process can take up to three days.
This review also encompasses an important human element where QinetiQ can bring in psychologists to evaluate human performance, much like what would occur in a military scenario. This helps with training people to deal with stress in a cyber-attack situation.
QinetiQ values its apprenticeship scheme as a way to enhance the skills base in the industry. Attracting young talent into the cyber industry is high on the list of priorities for all those involved in cyber resilience.
All of this is of course a lot of time and investment for any organization, and Kennedy notes that it should be seen as training, which unfortunately is often the first target when it comes to budget constraints.
In terms of frequency, there is no gold standard as to when these exercises should be carried out, but Kennedy recommends that the more critical your system, the more often you should plan exercises against it.