Wednesday, December 9, 2015

November news roundup: Why the energy sector is at the heart of cybersecurity discussions

In the wake of the ISIS-perpetrated Paris attacks and cyber threats against the U.K., government agencies are stepping up cybersecurity in a bid to detect and defend their critical infrastructure against a cyberattack by ISIS or other hacker groups. At the top of that list is the energy sector. Cybersecurity leaders from several countries have stated their concerns about a cyberattack against the power grid, refineries and oil or gas pipelines, and many of these infrastructures show serious vulnerabilities. For more on these and other stories that captured our attention last month, see our news roundup below. 

Marty Edwards, head of the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), recently spoke with Control Design about security vulnerabilities with IIoT. From unsecured Ethernet on system processors to using store-bought DSL routers to remotely monitor system remote facilities to BYOD, vulnerabilities are rampant. Edwards advises control systems designers to carefully weigh the advantages of connectivity against the potential risks.

Mixing ERP and production systems: Oil industry at risk, say infosec bods (TheRegister, Nov. 18, 2015) Security researchers from ERPScan described at Black Hat Europe how to hack into SAP systems and launch attacks at and take over industrial control systems in the oil and gas sector. “…insecure setups might be exploited to interfere with operational processes and lead to disruptions in production or even sabotage.” This is possible because there is a connection between the control system network and the ERP system through a firewall.

Michel Coulombe, director the Canadian Security Intelligence Service (CSIS), revealed his view that a cyberattack by ISIS or other extremist groups on the country's "critical infrastructure" is "a major threat;” however, others point to major gaps in Canada’s cybersecurity strategy, specifically related o critical infrastructure, such as pipelines.

According to a new report by the Government Accountability Office (GAO), of the 15 critical infrastructures examined, 12 were overseen by agencies without proper cybersecurity metrics or formal methods to essential to protect networks from cyberattacks. These findings may add fuel to the argument that critical infrastructure industries should be required to share cybersecurity data with the government.

The Defense Advanced Research Projects Agency (DARPA) announced the development of a new system designed to support the nation’s electric grid defenses. Called Rapid Attack Detection, Isolation and Characterization (RADICS), the system will detect and automatically respond to cyberattacks on U.S. critical infrastructure. Exact details of what the RADICS system will entail were not disclosed, but the agency will hold a Proposers Day on Dec. 14 to detail it further.


If we’ve learned nothing else in this business, it’s that cyber capabilities evolve slowly. Motive, however, can change in an instant. For organizations like ISIS, motive is in strong supply and the cyberattack capabilities necessary to wreak real havoc can be bought. We cannot sit idle while ISIS or other groups plot against our most critical infrastructures. Our very way of life depends on them.

For more on how our better-than-firewalls unidirectional gateway technology can improve critical infrastructure security, visit our resources page.