Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
2021 is undoubtedly ‘the year of ransomware’. The Colonial Pipeline attack in May, highlighted the scale of the cyber risk for utilities and infrastructure industries more generally. All it took was a single password breach for criminals to demand, and receive, a US$4m ransom. Although the ransom might sound costly, the wider damage to revenue and reputation caused to a giant like Colonial Pipeline will ultimately be much higher. Even more recently, the Kaseya case highlighted the exposure that businesses can have through their supply chains and service providers. One recent report was that the Kaseya attack itself, had infected over one million endpoints with a ransom set at $70m.
Colonial Pipeline Co was fortunate in having a potential ‘quick fix’ option: to pay the ransom. That situation might soon change, if laws banning the payment of ransoms start to be passed in various countries. In Australia, there have been calls for mandatory notifications of ransomware attacks; and in the US, the SEC and OFAC are looking at banning ransom payments altogether. Interestingly, this may not mean much change for some. In a number of cases already, despite ransoms being paid, the decryption process has been so slow that companies have had to rely on backups and their own safeguards on order to return to BAU.
Cyber insurance helps businesses manage two of their biggest risks – getting back up and running quickly and reducing disruption. Insurers, however, are increasingly demanding evidence of operational security controls and even co-insurance of cyber risk for some, where these are less apparent. Everything points to the likelihood that premiums will increase even further for organisations that are less well defended. So getting your cyber risk management capabilities in place may be more important than you think. You may need them to get insurance and you most certainly will if you can’t!
The energy, oil and gas sectors face some specific challenges. They have extensive and often remote networks to defend; IT assets at drilling platforms or production facilities, often interconnected by both public and private infrastructure, back to HQ. Inevitably cyber security efforts are less rigorous at some of these remote sites and so security controls like multi-factor authentication are a particularly important defence for remote IT facilities.
Any relaxation of security at remote facilities is inevitably seen by an attacker as an opportunity to access assets which would otherwise be protected more rigorously back in HQ. As with environmental and other risks in the energy, oil and gas sectors, letting your guard down at a remote site can present a weak link in your risk management defences, and as a result, a costly breach to clean up and make good.
The sheer number and variety of security devices and systems in use can also pose challenges as they provide an almost endless number of points through which an attacker can access and then encrypt, even one part of the system, to render it useless. Colonial’s weak link was its billing system, rather than the technology that controlled the pipeline; but the interconnectivity of the systems meant that the pipeline network itself had to be isolated to limit the damage.
In our changing world, if paying ransoms is outlawed or too costly, and insurance becomes less of an option, the energy, oil and gas industry will need to improve its cyber risk management capabilities.
Anti-virus software and network defences, alongside the rise of endpoint detection and response, can certainly help businesses manage attacks. But these solutions are reactive in that they rely on detecting the attack as malicious in the first place. What if your endpoint solution misses the attack without warning? Do you have a ‘defence-in-depth’ strategy or is there a single point of failure? Do you have visibility to know what’s happening? Are there other controls in place that can mitigate the threat? More attention must be given to ‘layering’ your defences to prevent or at least limit successful ransomware attacks before they do serious damage.
There are three elements of a cyber-attack sequence to focus on. The first is the prevention of any initial infection; and the second, containment or limitation of the spread, if one does occur. This then, needs to be coupled to the third element, recovery, which allows systems and data to be restored in the event of the failure of the other controls. The principles of effective risk management apply – triage the risks and manage them accordingly.
There are some important safeguards organisations can adopt to support each of these elements:
Monitor your controls closely. If one aspect of the chain of control stops working, IT teams need to know quickly to respond. A ‘cyber culture’ and making cyber security a board level issue will improve overall corporate preparedness.
Accountabilities for cyber security are changing. The board must receive reports that provide clear visibility of these controls, or KPIs, of the security posture of their environment. The measurement of these KPIs must become part of an active cyber security risk management process. Being able to monitor your readiness and assess your risk across these KPIs provides a ’multi-point’ early warning system and confirmation that an effective cyber security program is in hand.
The energy, oil and gas sectors face many challenges and there is no easy fix for cyber security risk management. A big ransomware attack can disrupt supplies and impact broader operations for a long time, as Maersk found to their cost.
The best way to protect an organisation is with strong cyber defences and controls, backed up by regular checks to mitigate any identified shortcomings as necessary. If one control fails to identify the attack, not all is lost, as other subsequent controls are available to limit its access and the progress of any impact. That way the risk of a successful attack is minimised and hopefully you’ll be on the front foot in an attack well before any disruption to your systems and operations.
Article originally published in Energy, Oil & Gas Magazine.
<<< Part 2a: Australia’s Essential Eight: Beyond Endpoint Control <<< Part 2b: Activating UK NCSC & US NIST Guidelines: Beyond Endpoint Control Part 4: Systematic Measurement of Cyber Controls >>> As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the […]Read more
Keen campers, scouts and even the Swiss Army know – that a good penknife is indispensable. This simple device has mitigated many a disaster at one point in time or another. Whether it’s to cut through a bit of string, tighten a screw or simply to solve the problem of no bottle opener in the […]Read more
Supply chain risk is an area of cyber security that demands the ongoing attention of every enterprise; because it can make the difference between being resilient or not. It’s no surprise that insurers warn that the vulnerability of supply chains is potentially a systemic risk that can quickly propagate across supply chain dominated industries. Organisations […]Read more
It took a “tripartite cyber assessment” by the Australian Prudential Regulation Authority (APRA) to identify that a sample of financial organisations had inadequate cyber security: poor security control management, a lack of business recovery planning and inadequate 3rd party risk assessment. Why were there gaps? Where is the failure? Clearly the common practice of unsubstantiated […]Read more
The discussion over data-driven vs qualitative cyber security assessment has been going for some time. Nowadays, it is at the top of the priority list for many security and senior executive teams. Managing cyber security has always been a noble ambition but without reliable measurement, the lack of actionable information makes evidence-based management decisions almost […]Read more
Attack Surface Management (ASM) characterises a business’s security risks as the monitoring and risk mitigation of a constantly changing and vulnerable “risk-surface”. Importantly, this attack surface extends to both internal and external assets and services. Some ASM solutions deliver clear visibility across both Internet facing and internal assets. Others do not. Instead, they assess external […]Read more
The UK Government has released its annual “Cyber Security Breaches Survey 2023”. It provides some valuable insights into how cyber security is currently being managed in the UK, by a range of organisations. It also speaks to how current competing economic priorities are impacting the effectiveness of some cyber security management efforts. The full report […]Read more
Solving the mismatch between cyber security reporting and directors’ requirements You are undoubtedly familiar with the headlines; you may have even become in part desensitised to them: ‘Cyber-attacks are increasingly damaging’, or ‘large amounts of personal data are most at risk’. The important take-away, however, is that modern day thieves can easily gain access to […]Read more
A system to address the untrustworthy security environment Zero trust approaches to security have been talked about for a while; but in recent times they have certainly gained more currency. As a model for protecting data and services, the simplicity of the concept is its biggest strength – assume, as a default position, there is […]Read more
The ongoing protection of Critical Infrastructure from cyber-attacks has implications for us all – whether it’s supporting our health, well-being or simply our way of life, there is good reason to reflect on the effectiveness your cyber security. Cyber security risks are nothing new and the vulnerability of critical infrastructure to them (and the heightened […]Read more
Read by directors, executives, and security professionals globally, operating in the most complex of security environments.