Though the malware and techniques of cyber threats constantly change, reasons for intrusions remain fairly static. Understanding the reason for the threat allows us to make near-future predictions about the relative dangers presented to the energy sector ICS environment. Should we worry? On what should we focus? Knowing why the threat exists helps us to identify the high value items most likely to be targeted by different categories of cyber intruders.
The total number of intrusions against the energy sector has increased every year since 2012, reaching 46 intrusions reported to DHS in 2015. By categorizing the motivation behind the (known and reported) intrusions we can begin to understand who is likely to become a target and how to defend ourselves.
Intrusions fit into four general classes, in order of frequency:
- Cyber Crime
- Cyber Espionage
- Cyber Warfare
There are two significant impediments in analyzing private sector cyber threats. One is that many cyber threats are never detected. The other is that most organizations won't self-report unless a compelling reason exists. The willingness of organizations to share cybersecurity data is slowly increasing thanks to the Information Sharing and Analysis Centers (ISACs) and recent legislation.
Ransomware is designed to deny access to the data on a target computer until a ransom is paid; it was by far the most pervasive and expensive cyber-crime threat of 2015 into 2016.
The healthcare sector was the biggest target. Among buyers and sellers of illicitly gained personal data a healthcare record is worth roughly 16 times more than a credit record. The energy sector did not report any incidents of ransomware infection. Yet.
Risk transfer, through the purchase of insurance, is one mitigation option. If you are a multi-billion dollar business and the ransomware is a mere annoyance (a few hundred dollars), it may be reasonable to pay the ransom in conjunction with other mitigation and to use the experience as a learning opportunity. Paying does not guarantee that the data will be recovered, so restoring from tested, offline backups remains the primary control.
Hacktivist attacks involve threat actors motivated by ideology in an effort to maximize disruption and embarrassment to their specifically targeted victims. They operate on a mob mentality with the aim of righting real or imagined social wrongs. The energy sector so far has largely been spared by hacktivists.
Having penetrated, defaced, or damaged their opponents and exfiltrated any data, hacktivists normally seek some kind of recognition, especially media coverage. Public acknowledgement of the hacktivist's skills is in itself often enough to bring the attack to an end.
Establishing a block list that rejects bogus source IPs (unroutable or reserved "bogon" addresses that can only be spoofed, plus known attacking ranges) helps repel hacktivist DDoS attacks, although a block list on its own will not absorb a volumetric flood from legitimate address space. Avoid issuing provocative tweets or commentary on social networks, so as not to hand hacktivists an issue. A well-designed and exercised media response plan can negate a hacktivist's public support.
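As an added illustration of the block-list idea above (example code written for this article, not part of the original piece or any vendor product), the following Python filter classifies the source address of each flow record as a bogon, a deny-listed source, malformed, or allowed, and then applies a simple per-source rate check to the allowed sources, since a block list alone does not catch floods from routable address space. The bogon subset, the deny-list entry, the `RATE_THRESHOLD` value, the `key=value` flow-record format and the sample records are all assumptions constructed for the example; a production deployment would pull the bogon list from an authoritative feed and tune the threshold to the link.

```python
import ipaddress
from collections import Counter

# Illustrative subset of "bogon" prefixes: addresses that must never appear as a
# source on an Internet-facing interface (RFC 1918 private, shared address
# space, loopback, link-local, multicast, reserved, and the IPv6 equivalents).
# This is a hypothetical subset, not an authoritative bogon feed. The RFC 5737
# documentation ranges are left out on purpose so they can stand in for public
# addresses in the constructed sample traffic below.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Operator-maintained deny list of known attacking sources (hypothetical entry).
DENY_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24",)]

# More than this many flows from one allowed source in the sample window is
# treated as a flood (assumed value for the example).
RATE_THRESHOLD = 3


def classify_source(src):
    """Return 'bogon', 'deny', 'invalid' or 'allow' for a source address string."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "invalid"  # malformed address: drop rather than guess
    # An IPv4 address is never "in" an IPv6 network and vice versa, so mixed
    # families can share one list.
    if any(addr in net for net in BOGON_PREFIXES):
        return "bogon"
    if any(addr in net for net in DENY_PREFIXES):
        return "deny"
    return "allow"


def parse_flow(line):
    """Parse a 'key=value' flow record into a dict; return None if it has no src."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            continue
        key, _, value = token.partition("=")
        fields[key] = value
    return fields if "src" in fields else None


def filter_flows(lines):
    """Apply the block list and a per-source rate check to flow records.

    Returns (decisions, flooders): decisions maps each source address to its
    verdict; flooders is the set of allowed sources that exceeded RATE_THRESHOLD.
    """
    decisions = {}
    counts = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # unparseable record: skip, but it would be logged in practice
        src = flow["src"]
        verdict = classify_source(src)
        decisions[src] = verdict
        if verdict == "allow":
            counts[src] += 1
    flooders = {src for src, n in counts.items() if n > RATE_THRESHOLD}
    return decisions, flooders


# Constructed sample flow records (not real traffic): a spoofed private source,
# a deny-listed source, an IPv6 link-local source, a malformed line, one
# well-behaved public client, and one public source sending a burst.
SAMPLE_FLOWS = [
    "t=1 src=10.0.0.5 dst=198.51.100.10 proto=udp dport=53",
    "t=2 src=203.0.113.77 dst=198.51.100.10 proto=tcp dport=80",
    "t=3 src=fe80::1 dst=2001:db8::10 proto=tcp dport=443",
    "garbage line with no fields",
    "t=4 src=198.51.100.200 dst=198.51.100.10 proto=tcp dport=443",
] + [f"t={5 + i} src=192.0.2.9 dst=198.51.100.10 proto=udp dport=123" for i in range(5)]

if __name__ == "__main__":
    verdicts, flood_sources = filter_flows(SAMPLE_FLOWS)
    for source, verdict in verdicts.items():
        print(f"{source:20} {verdict}")
    print("rate-limit candidates:", sorted(flood_sources))
```

Bogon and deny-list hits can be dropped unconditionally because no legitimate client can arrive from those prefixes; the rate check only nominates sources for further action, since a burst from routable space may be a legitimate client or a proxy shared by many users.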