Our increasing dependence on technology and web-based communication has opened the door for cyber security threats. Cyber criminals are on the increase, and energy and utility companies are high value targets.
Technology and data have completely transformed the power and utilities sector, allowing companies to use information to improve and expand services, and better engage with customers. However, this also brings added regulatory obligations around privacy and security — and the risk that sensitive data will be subject to increasingly sophisticated cyber attacks.
As attacks grow in sophistication, IT infrastructure becomes more complex and the value of data increases, utilities’ security teams are under more pressure than ever. From staff that hold valuable oil and gas exploration information, to customers who could be conned into giving away their money to a criminal disguised as their trusted energy firm, now is the time for utility companies to take responsibility for the safety of their data.
The recent power outage in western Ukraine is suspected to be caused by a cyber attack. If so, it will be the first-known power blackout caused by a cyber attack – one that shut down seven substations and left over 80,000 homes and businesses without electricity for over six hours. While this might sound like the plot of a dystopian novel, this kind of attack on an electrical grid or water system could be in our future if critical infrastructure sectors don’t improve their security systems.
The basics of this attack seem to have stemmed from a form of hacking, known as ‘spear-phishing’. Spear-fishing targets specific people within an organisation and trades on human inquisitiveness and suggestibility, by simply asking those individuals to open an email. They are also made to look credible through the hackers’ use of personal information, such as using the recipient’s name.
Once opened, the email will contain a link or an attachment that, if clicked or opened, takes the victim to an apparently-authentic website but which, in fact, holds malware. This set of coding allows the hacker to take over the computer, remotely. In addition, they often use decoy documents to hide signs of malicious activity.
Utilities companies are at immediate risk, and must act now to:
- Identify Vulnerabilities
Hiring independent security professionals is the best way to identify the weaknesses in your security systems and protocols. Spotting these risks is the first step in learning how you can protect your business against hackers.
- Share Safely
The sharing of data between organisations and businesses is commonplace and takes place on a daily basis. However, if you are sharing information with another company and that information is insecure, you are failing in your duty of care to that business. In addition, this could result in damage to your own brand. Before sharing, check that you are only sharing information that absolutely needs to be shared. Next, check that this information is protected to the utmost of your ability.
- Consider the Human Element
A recent government study revealed that “50% of the worst breaches in the year were caused by inadvertent human error.” Bad business practice, in the form of factors, such as lost memory sticks, poor physical security, talking about business matters in public and devices that aren’t password-protected can put your data at risk and, yet, are relatively simple matters to remediate.
Utilities companies can no longer afford to ignore the threat of cyber crime, and must prioritise preventing attacks instead of just dealing with the fallout should their business be targeted.
By Chris Underhill, Chief Technical Officer at Cyber Security Partners
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.