Though the malware and techniques of cyber threats constantly change,
reasons for intrusions remain fairly static. Understanding the reason
for the threat allows us to make near-future predictions about the
relative dangers presented to the energy sector ICS environment. Should
we worry? On what should we focus? Knowing why the threat
exists helps us to identify the high value items most likely to be
targeted by different categories of cyber intruders.
The total
number of intrusions against the energy sector has increased yearly
since 2012, accounting for 46 intrusions reported to DHS in 2015. By
categorizing the motivation behind (known and reported) intrusions we
can begin to understand who might become a target and how to defend
ourselves.
Intrusions fit into four general classes, in order of frequency:
Cyber Crime
Hacktivism
Cyber Espionage
Cyber Warfare
There are two significant impediments in analyzing private
sector cyber threats. One is that many cyber threats are never detected.
The other is that most organizations won’t self-report unless a
compelling reason exists. The willingness of organizations to share
cybersecurity data is slowly increasing thanks to the Information
Sharing and Analysis Centers (ISACs) and recent legislation.
Cyber crime
Ransomware, which denies access to the data on a target computer until a
ransom is paid, was by far the most pervasive and expensive cyber-crime
threat of 2015 into 2016.
The
healthcare sector was the biggest target. Among buyers and sellers of
illicitly gained personal data a healthcare record is worth roughly 16
times more than a credit record. The energy sector did not report any incidents of ransomware infection. Yet.
Risk transfer, through purchase of insurance, is one mitigation
option. If you are a multi-billion dollar business and the ransomware is
a mere annoyance (a few hundred dollars), it may be reasonable to pay
the ransom in conjunction with other mitigation and use the experience
as a learning opportunity.
Hacktivism
Hacktivist
attacks involve threat actors motivated by ideology in an effort to
maximize disruption and embarrassment to their specifically targeted
victims. They operate on a mob mentality with the aim of righting real
or imagined social wrongs. The energy sector so far has largely been
spared by hacktivists.
Once
having penetrated, defaced, or damaged their opponents and exfiltrated
any data, the hacktivist normally seeks some kind of recognition,
especially media coverage. The public acknowledgement of the
hacktivist’s skills in itself is often enough to mitigate the attack.
Establishing a block list that will reject bogus IPs will help to
repel hacktivist DDoS attacks. Avoid issuing malicious tweets or
commentary on social networks to deny hacktivists an issue. A
well-designed and exercised media response plan can negate a
hacktivist’s public support.
Cyber espionage
Cyber espionage
is the use of computer networks to gain illicit access to confidential
information. Cyber espionage is normally the domain of the nation-state
and is designed not to disrupt operations. These attacks
normally go unnoticed for long periods of time. APTs have resided within
computer networks and accessed information at will for years.
Cyber
espionage has two primary motivations. One is to collect data for
economic espionage. The other is to develop human targets through stolen
employee data. A system administrator may have financial problems
indicated in credit reports. The nation-state can offer the system
administrator payment in exchange for access to corporate networks. This
facet of cyber espionage is an external driver that creates an insider threat.
Segmenting
administrative and operational networks and creating least-privilege
user accounts are effective countermeasures. Establishment of an
internal reporting system for employees to report suspicious, foreign,
or “just strange” contacts is helpful to defeat the insider threat
development cycle, as is monitoring user behavior.
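The segmentation, least-privilege and user-behaviour monitoring points above combined into one check, as an added example that is not part of the original article: each account is given the network zones it is allowed to reach, hosts are mapped to zones, and a baseline of hosts and hours-of-day is learned from earlier logins so that new events can be flagged for a zone violation, a never-before-seen host, an unusual hour or an unknown account. The role table, host inventory, zone names, event format and the baseline method are all constructed assumptions.

```python
"""Flag administrator activity that breaks least-privilege or departs from a
per-user baseline (added example, not the article's own code). The role
table, host inventory and events below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed least-privilege table: zones each account is permitted to reach.
ROLE_ZONES = {
    "jsmith": {"admin"},          # corporate sysadmin, no operational access
    "ops-eng": {"admin", "ops"},  # engineer cleared for the operational network
}

# Constructed inventory of segmented hosts (hostname -> zone).
HOST_ZONE = {"ad01": "admin", "files01": "admin", "hist01": "ops", "plc-gw01": "ops"}

# Constructed login history used to learn each user's normal hosts and hours.
BASELINE_EVENTS = """\
2016-03-01T09:12:00 jsmith ad01 login
2016-03-01T10:40:00 jsmith files01 login
2016-03-02T08:55:00 jsmith ad01 login
2016-03-02T15:30:00 jsmith files01 login
2016-03-01T07:05:00 ops-eng hist01 login
2016-03-02T07:30:00 ops-eng plc-gw01 login
"""

# Constructed new events to review: a 02:47 login, a sysadmin reaching an
# operational host, a normal engineer login, and an account nobody provisioned.
NEW_EVENTS = """\
2016-03-08T09:30:00 jsmith ad01 login
2016-03-08T02:47:00 jsmith files01 login
2016-03-08T14:10:00 jsmith hist01 login
2016-03-08T07:20:00 ops-eng plc-gw01 login
2016-03-08T07:25:00 ghost hist01 login
"""


def parse_events(text):
    """Parse 'timestamp user host action' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return events


def build_baseline(events):
    """Per user: the set of hosts and the set of hours-of-day seen so far."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, host, _ in events:
        hosts[user].add(host)
        hours[user].add(ts.hour)
    return hosts, hours


def score_event(event, hosts, hours):
    """Return the reasons an event is suspicious; an empty list means normal."""
    ts, user, host, _ = event
    if user not in ROLE_ZONES:
        return ["unknown account"]
    reasons = []
    zone = HOST_ZONE.get(host, "unknown")
    if zone not in ROLE_ZONES[user]:  # least-privilege / segmentation violation
        reasons.append(f"role violation: {user} reached {zone} zone host {host}")
    if host not in hosts.get(user, set()):
        reasons.append(f"new host for user: {host}")
    if ts.hour not in hours.get(user, set()):
        reasons.append(f"unusual hour: {ts.hour:02d}:00")
    return reasons


def review(new_text, baseline_text):
    """Return (timestamp, user, host, reasons) for every event that scored."""
    hosts, hours = build_baseline(parse_events(baseline_text))
    findings = []
    for ev in parse_events(new_text):
        reasons = score_event(ev, hosts, hours)
        if reasons:
            findings.append((ev[0].isoformat(), ev[1], ev[2], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, host, reasons in review(NEW_EVENTS, BASELINE_EVENTS):
        print(f"{ts} {user}@{host}: {'; '.join(reasons)}")
```

The zone check is the hard rule (a corporate admin account on an operational host is a finding regardless of history), while the host and hour checks are soft signals that only make sense against a baseline far longer than the six events shown; a real deployment would learn from weeks of authentication logs and route findings to the same internal reporting channel the text recommends for odd contacts.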
Cyber attack
Cyber attack
is the rarest form of cybersecurity risk. Cyber attack meets a
threshold that justifies military action on the part of the victim’s
nation. These normally would involve widespread degradation, disruption,
denial or destruction of critical infrastructure. Though most
intrusions are colloquially referred to as “attacks,” an actual cyber
attack is an act of war.
Good cyber hygiene and adherence to DHS
guidelines and NIST frameworks are the best places to start building a
wall against cyber attack.
What does it all mean?
Having
categorized the threat actors and their motivations, we can look at
those threats in light of both the real and the cyber environments and
begin to make some predictions about what 2016 will bring us. In Part 2
of Defining the Threats of 2016 I’ll make some audacious
predictions about what this year will bring in the way of threats to
Energy Sector ICS and perhaps point towards areas where our cyber
dollars will potentially give us the most bang for our buck.