The Department of Homeland Security and FBI recently issued a public warning stating that sophisticated threat actors have been targeting U.S. energy and other critical infrastructure entities since May 2017. The ongoing, multiphase campaign appears to use unwitting third parties to stage the attack, and then pivot to the intended critical infrastructure target. This campaign has reportedly infiltrated multiple critical infrastructure entities in the U.S. and around the world. While operational impacts resulting from this campaign have not been observed, potential impacts range from cyber espionage to the disruption of energy systems.
This attack is just the latest in a long string of high-profile security breaches that have rocked the energy community in recent years. The December 2015 sabotage of the Ukrainian power grid is considered the first known disruption of grid operations through cyber means. In 2016 alone, data breaches cost energy and utilities companies an estimated $7.35 million per incident. Furthermore, a number of industries in addition to the energy and utilities sector are vulnerable to cyber attacks. In 2016, Forbes listed the top five industries susceptible to cyber threats as healthcare, manufacturing, financial services, government and transportation. Needless to say, many of our critical infrastructure industries are being targeted.
As malicious actors evolve their capabilities to create progressively more disruptive cyber and physical security consequences, the need for effective security risk management programs is more important than ever.
Although it is impossible to eliminate risk, there are critical steps that energy companies can take to limit the damage and liability caused by a security breach, such as adopting a proven security risk management methodology to drive effective security planning. This type of modular diagnostic planning enables companies to design and implement effective physical and cyber security programs through a continuous cycle of assessment, mitigation and monitoring.
1. Assessment: Effective security programs should begin with a comprehensive analysis of assets, facilities and processes that are critically important to the organization. Once identified, the next step is to assess the probability, or level of threat, likely to impact these crown jewels, by flagging the threat actors, motivations and vectors relevant to the business.
2. Mitigation: Next, build out an effective security program by validating whether existing controls actually address the gaps identified in the risk assessment. Where they do not, develop and institute new processes and procedures to reduce the unresolved risks found in the assessment.
3. Monitoring: The evolving nature of risk requires security programs to be continuously monitored — via audits, penetration testing and special investigations — to ensure ongoing effectiveness.
In today’s high-risk landscape, too many enterprises equate compliance programs with effective security, resulting in investments and decisions that leave the enterprise vulnerable to attack and related liability. By focusing security on assets that matter most and programs that are risk-based, intuitive and trusted, companies will be better positioned to withstand the next security breach.
About the author: David London is a Senior Director at The Chertoff Group, where he focuses on cyber risk management, incident-response planning and cyber simulations. As a member of the security services practice area, London works with clients to assess, mitigate and monitor their enterprise’s most pressing cybersecurity risks. He also advises senior decision-makers on how to prioritize investments in both a security and business context. Prior to joining The Chertoff Group, London spent nine years at Booz Allen Hamilton designing and facilitating cybersecurity exercises for government and commercial clients. London received a Master of Business Administration from George Washington University and a Bachelor of Business Administration from Emory University. He is a Certified Information Systems Security Professional and Project Management Professional.