As global unrest heats up, the Energy Sector has to maintain its cool. What is the energy sector? The oil, electric power grid, natural gas refineries, and pipelines are all part of the intricate web of the energy sector. To avoid a disaster they must wrestle with the ever-changing cyber security environment, protect themselves from internal and external threats in all of the energy sector infrastructures all while keeping up with energy demands. That’s a mammoth task! Both experts agree Energy Sector protection can be achieved if approached with precision. Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, Principal at Logical Management Systems, Corp. cover the many steps necessary in detection and protection against any and all threats.
Part 3 in the four-part series on Energy Sector Cyber Insecurity.
Lee Neubecker: I’m back again with Geary Sikich and we’re continuing our series discussing cyber global insecurity, as it relates to the energy sector. And in this segment, we’re going to talk more about things that can be done to help protect against these cyber threats.
Geary Sikich: So Lee, when we look at protection, I think there’s a three-level process and I think you can describe some of the things that have to go on in these three levels. Strategically, I put together a business plan for an organization and that organization sets goals and objectives, one would be to have cybersecurity. Now, how do I execute that, what are the things that, at the operational and tactical level, the things that really are going to prevent, what are those things, what are those things that are going to help me?
LN: Well, much like we were talking before about detecting compromises, having a solid inventory on what your digital assets are, what computer devices, what cell phones, if you know what your devices are and you have that information available, you’ll be able to spot when something goes wrong. So, part of protecting is doing the bean-counting work of inventorying your digital assets.
GS: So, it’s not just an audit process, it’s a much more of a detailed look at what those assets consist of?
LN: Yeah and once you know what your assets are, you can figure out, who are they assigned to? If someone leaves your organization, you should have accountability steps in place to retrieve those assets. You should also be inventorying the state of those assets, are they fully patched and up-to-date? If you’re not patching your devices, you’re at great risk of cyber compromise.
GS: So is identity, not only do I have to worry about being compromised from an external source but I also have the internal threat of a disgruntled employee, of someone leaving the company, not with any mal, you know, intent, no malicious intent, if you will but just not following up on what I should have done as they out-process.
LN: Exactly, password rotations, people have weak passwords, people become compromised, people reuse their passwords. As someone reused their password for one of your important infrastructure systems on a popular social media site and that site becomes compromised, guess what, those passwords get loaded up into software for hacking and they do what’s known as “credential-stuffing attack”, they loop through and they fire at every device they can using the username and password, the known username and password and that’s how a lot of people fall prey to attacks.
GS: So, in that context, should you store passwords via one of them, like Google Chrome or some of the other, Internet Explorer, those types of things, should you store passwords that way?
LN: I recommend against storing it in your browser. If you’re going to store them somewhere, I think a password management tool like LastPass, that has two-factor capabilities, two-factor authentication essentially means that you have to know your, it’s something you know, plus something you have or something you are and in the case of LastPass, you’re typically using either your cell phone with an app that has an authenticator, that’s something you have, plus your master password and that helps protect against someone intercepting your password and being able to log on.
GS: So, in essence, protection is not a simplified process, protection is something that we have to, sort of, dedicate ourselves to conscientiously and make sure that we continue to maintain an up-to-date awareness, in order to be able to fully protect ourselves.
LN: Exactly and that brings in your staff, you need to know that your staff are being educated about popular ways that companies become compromised like if a bunch of USB devices are dropped in the parking lot, they might say things like “payroll” or something on it, would your employees plug that into your computer, you know, are you testing for that? You know, there are things you can do, there are services out there where you can have your own organization spearfished by a white-hat hacker, that’s going to tell you who clicked and then you know who you need to educate.
GS: So, we’ve made two points thus far on protection. One is that it needs to be part of the business plan, it has to be audited. In terms of auditing, knowing what you have devices-wise. Second is that you have to have educated employees. Now, both of those aspects present somewhat of a business conundrum, if you will. Education doesn’t necessarily equate to dollars coming in but from a protection standpoint, I think the sales point would be that it prevents dollars going out and the better educated, the more aware so that we can look at the other aspects that we discussed, detecting and protecting being two.
LN: Unfortunately, if you run an organization today, you have a new job, which is to make sure that you’re cyber secure and it’s a serious threat that corporate boards are making their CEOs accountable for so you know and it’s multi-faceted, you got to train your employees, you got to nail what you have, you got to make sure what you have is up-to-date and patched and then you also need to make sure that you have some mechanism to monitor and record events so that you can tell if you become compromised so the protection really requires much more today than it used to, it’s, the number of ways that an organization can become compromised, can be via an employee’s cell phone that becomes compromised and then it launches an attack on your internal systems.
GS: So, in the, it’s kind of like the mindset, if you will, has to be changed, in terms of looking at management and their commitment to cybersecurity protection. In the days past, we looked at protection. “What can I do, put up a wall, what can I do, “I can physically protect my facilities and my operation.” Now, today, that becomes more of a challenge because we’re dependent more on things that are not necessarily in the realm of physical protection per se so we really have to be getting to rethink how we look at protection and then ensure that the process is continuous, not a one-time situation.
LN: Exactly and certainly, you know, a DR, known as disaster-recovery planning and contingency planning can go a long way, you know, a simple act of making an offline backup on a periodic basis and you know, maybe that’s only once a month for some organizations but at least, if you have something offline, if you get hit by a Cryptolocker attack, the risk comes down to “well, what does it cost “for us to rebuild the last month?” Or maybe it’s the last week or maybe it’s last night so thinking through, I think going through the disaster-recovery planning exercise is a really good way to help protect your organization.
GS: Okay, I agree with you on the planning aspect. The caution I would say with that is that all too often, organizations develop disaster-recovery, business continuity, other types of plans to deal with emergencies, the response. The challenge is that those plans need to be kept, as you did say, with the cyber up-to-date and consistently reviewed, we have to have it in the mental work.
LN: And that’s where having someone like you and myself come into audit the business risk and actually inspect to see is the plan being followed, is the C-suite having a false sense of security because there’s this plan that was produced years ago, that no one’s really looked into, you know, it doesn’t take but you know, I think, you and I onsite for one day, we could help poke holes and give a report of, is an organization following their plan or does it look like everything’s far off but you’re not going to get that reporting from your own people internally.
GS: Yeah, I think it’s a challenge for people internally because there’s a vested interest, number one. Number two, they think that, in a lot of respects, they’ve done what needs to get done. The other aspect and I think this is important from what you pointed out, is that when you begin to look at today’s plans, you have to realize, they’re kind of reactive, in many respects, they’re not very proactive so they react to an event happening. That’s good because that helps companies become more resilient but it doesn’t keep them from protecting themselves as they need to.
LN: Exactly but there’s also a financial component to these plans, you know, it’s not uncommon that IT, they’ll go through this exercise and then afterwards, they’ll say “well, I need this subscription, this software, “I need this vendor” and none of that funding comes through but it’s much better and that sometimes gets lost in the minutiae from planning to execution and if that, in fact, is happening, you’ll want to know about it before you need the DR and it’s not there.
LN: So, I think that wraps up our section on protection. In our next segment, we’ll be talking a little bit more about responding to the crisis of a cyber breach, as it relates to the energy sector.