As the principal adversary hunter at Dragos, Joe Slowik is tasked with finding, tracking, and deleting malicious actors.
Having seen firsthand the havoc that industrial control system adversaries can wreak on organizations both large and small, Slowik does not mince words: the threats and risks are real and potentially life threatening—i.e., sabotage of worksite safety systems. The saboteurs are exhibiting boldness, holding entire systems hostage with payment demands. However, Slowik is equally quick to point out the positive: Significant developments continue to be made, including affordable protection for smaller companies.
A Trained Eye
Prior to joining Dragos, Slowik ran the Computer Security and Incident Response Team at Los Alamos National Laboratory within the U.S. Department of Energy (DOE). While at the DOE, he worked to shift security operations from passive response to events to a threat-focused, hunting operation designed to catch and mitigate intrusions as early as possible.
Before working at the national laboratory, Slowik served as an information warfare officer in the U.S. Navy, where his duty stations included the Navy Information Operations Command Maryland, the U.S.S. Wayne E. Meyer, and the Navy Information Operations Command San Diego. In addition, Slowik deployed as part of a joint task force to Afghanistan from 2011 to 2012. Slowik joined Dragos in 2017.
Founded in 2016, with global headquarters in Hanover, Maryland, and a regional office in Houston, Dragos provides industrial asset identification, threat detection, and response to help organizations stay ahead of adversaries (https://dragos.com/about/). In August 2019, Dragos completed a threat perspective specifically for the oil and gas industry.
Valuable Target
A disruption event from a cyberattack at an oil and gas facility can occur at any point across the three major stages of oil and gas operations: upstream, midstream, or downstream, according to the threat perspective summary.
Attackers are no longer concentrating on the “super majors,” which oftentimes have robust defense systems. Malicious infiltrators are also setting their sights on smaller companies and contractors, Slowik said.
“It’s really a devastating potential campaign for small- and medium-sized businesses involved in the oil and gas sector,” Slowik stated. The financial impacts of “simple” attacks—for instance, email compromise to cause companies to wire money out to fraudulent accounts—can unfortunately put these companies out of business. The less-sophisticated, low-complexity attacks can be potentially fatal to these smaller entities.
On a related note, many oil and gas companies, both large and small, are using automated processes in the name of cost-savings, and rightfully so. However, an increased use of automation has served to “open up a larger attack surface,” Slowik remarked.
Smaller organizations may live by computers and automation, whether these systems run pumps or run measuring systems for their operations, or whether they do their accounting and financial bookkeeping, Slowik observed. There’s no way of really getting around automation, and in this realm, the smaller companies face the same risks as the larger companies.
The good news is, the more modest entities have access to protection tools, Slowik offered. Oftentimes this begins with asking smart questions.
1. What is the right amount of automation or information technology I need to run my business? In other words, adopt only what is necessary so that you are not increasing your attack surface unnecessarily.
2. Am I setting up my systems and configuring them appropriately?
3. Are my critical assets exposed—not just financial records, but actual production gear? Are these assets connected to a network that is accessible, meaning my fundamental way of generating revenue is at risk? Slowik suggested keeping these systems separate.
While the risks and threats are very real, there have also been significant developments that smaller and medium companies can take advantage of, Slowik emphasized. It’s not all doom and gloom, but it will take an effort to build resilience.
The New Norm
The bold heading atop the “Trend Micro Security Predictions for 2020” report consists of three little words, 10 letters in all, that leave little doubt as to the need for cybersecurity awareness: THE NEW NORM.
“The risk of becoming a victim to a cyberattack has increased steadily over the last 10 years,” reported Ed Cabrera, chief cybersecurity officer at Trend Micro. “However, the operational risk of cyberattacks has increased significantly.”
Trend Micro was co-founded in 1988 to develop antivirus software but has expanded over the last three decades to provide hybrid cloud security, network defense, small business security, and endpoint security. www.trendmicro.com
The company has offices worldwide with employees in 50 countries. Dallas serves as the North American Headquarters.
Trend Micro documented a 77 percent uptick in ransomware attacks from the second half of 2018 to the first half of 2019, Cabrera shared.
“The major Ransomware-as-a-Service [RaaS] providers were largely responsible for these increases resulting in huge profits,” he continued. “The threat actor group behind GandCrab reportedly raked in over $2 billion before the group self-reported their ‘retirement.’ At one point in 2019, the cybercriminals behind Ryuk, the highly targeted ransomware, apparently made over 705 bitcoins valued today at $6.5 million.”
Ransomware and Business Email Compromise (BEC) attacks are the two types of cyberattacks that disproportionately affect small- to medium-sized businesses (SMBs), Cabrera noted.
“Ransomware campaigns can cripple unprepared SMBs and even municipal and state governments as we have seen all too well in 2019,” Cabrera observed. “In traditional data breaches, the impact can be delayed. However, the impact of digital extortion through ransomware is immediate for victims, and the payout can be just as quick for the cybercriminals.”
With BEC attacks, cybercriminals leverage social engineering techniques, such as impersonating executives through well-crafted emails inducing unsuspecting subordinates to wire transfer company assets fraudulently overseas, according to Cabrera. As reported by the FBI, BEC attacks resulted in over $26 billion in losses to their victims between 2016 and 2019.
Trend Micro Security Predictions for 2020, which includes specific references to energy attacks, offers the following perspective applicable to both the majors and the SMBs:
Supply chain attacks over the years have taken many forms, including hijacking a software update and compromising third-party services to get malicious code to target companies. The latter is what we foresee will most affect small- to medium-sized businesses (SMBs) in 2020. If SMBs outsource parts of their infrastructure or operations, these third parties can become springboards for compromise. Compromise in an MSP’s supply chain can spread to other parties downstream. Malicious actors will target third-party service providers and load malicious code into their sites with the aim of harvesting customers’ sensitive data, among others. Attackers will find distributors or suppliers with weak security postures to spread malware to customer organizations… This trend will continue, if not pick up pace. To prevent being hit by such malware attacks, enterprises should perform regular vulnerability and risk assessments and implement preventive measures, including thorough checks on providers and employees who have system access. https://documents.trendmicro.com/assets/rpt/rpt-the-new-norm-trend-micro-security-predictions-for-2020.pdf
Cabrera recommends that all organizations regardless of size should first focus on properly assessing the risk they face based on the threats they see and the vulnerabilities they have.
“One such way to do this is by adopting the NIST Cybersecurity Framework for Small Businesses,” Cabrera suggested. “This framework is incredibly useful in assessing risk and also aids SMBs in their effort to build the best possible and proportional cybersecurity program.” The National Institute of Standards and Technology Act requires the National Institute of Standards and Technology (NIST) to consider small businesses when it facilitates and supports the development of voluntary, consensus-based, industry-led guidelines and procedures to cost-effectively reduce cyber risks to critical infrastructure. https://www.nist.gov/topics/cybersecurity.
Federal law requires the NIST to share resources that must be: (1) technology-neutral, (2) based on international standards to the extent possible, (3) able to vary with the nature and size of the implementing small business and the sensitivity of the data collected or stored on the information systems, and (4) consistent with the national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014. Additionally, the resources must include case studies of practical application.
The Trend Micro 2020 predictions encompass SMBs and the majors alike. For example, The New Norm will be continued attacks that could bring productivity to a grinding halt: “Critical infrastructures will be plagued by more attacks and production downtimes. Utilities and other critical infrastructures (CIs) will still be viable targets for extortionists in 2020. Extortion through ransomware will still be cybercriminals’ weapon of choice as the risk for companies is high. Prolonged production downtime translates to hefty monetary losses; production lines can be debilitated for weeks, depending on how long system restoration takes.”
Legal Expert Offers Tips to Mitigate Cyber Sabotage
Upstream, midstream, and downstream companies and assets are at risk of cyber industrial sabotage as operations are increasingly monitored and controlled remotely, noted Paul Tiao, partner, Hunton Andrews Kurth LLP.
Remote monitoring tends to focus on temperature, pressure, chemical composition, and leaks, while remote controls cover a broad range of operations that includes valves, pumps, hydraulic and pneumatic control systems, and safety and emergency systems, Tiao continued.
“Cyberattacks that disrupt, modify, or take over remote monitoring or control systems can cause significant physical damage to industrial assets and the areas around them,” he emphasized. Other forms of industrial sabotage attack include the use of destructive malware to modify or wipe specific or large amounts of data on sensitive corporate or operational computer systems.
“These attacks can disrupt business or operations for extended periods,” Tiao emphasized.
Hunton Andrews Kurth LLP’s Energy Sector Security Team assists companies in protecting the security and resilience of their critical infrastructure facilities in the face of these physical and cyber threats. https://www.hunton.com/en/industries/energy-sector-security-team.html.
In addition to industrial sabotage of operations, other more conventional areas that are affected by cyberattacks include the theft or publication of customer and employee personal information, sensitive business information, and intellectual property, Tiao noted.
The potential damages include disruption of services and business; physical destruction of operational and business assets; permanent or temporary loss or modification of sensitive data; loss of trade secrets, sensitive business information, and personal information; reputational harm; and costs associated with the response to the attack, recovery, and litigation involving customers, third parties, and regulators.
Increased Emphasis
“Based on my work in this field, oil and gas companies are increasingly focused on mitigating cybersecurity risks and rapidly gaining maturity as they take advantage of lessons learned during the last 5-10 years by the government and other industry sectors,” Tiao offered. “They are investing in technical, human, and administrative solutions, and moving quickly to address this threat on multiple fronts.”
That said, these companies, like all sectors and government agencies, continue to lag behind the attackers, Tiao observed. They need to continue to mature their systems to address the constantly evolving threat.
“Speaking as a lawyer and a former member of the intelligence community, oil and natural gas companies need to proactively address the legal risks associated with cyber threats and participate in government and industry programs that make current cyber threat and vulnerability information available to industry,” Tiao suggested. Companies can help mitigate this risk by:
• reviewing and updating their information security policies and governance structure every year;
• making sure their contracts with key vendors include strong cybersecurity and privacy protections;
• negotiating for strong cyber insurance coverage across their entire insurance portfolio;
• updating their incident response plans at the enterprise and the IT levels;
• exercising their incident response plans multiple times each year to address different scenarios; and
• pre-positioning themselves to address a cyberattack by retaining outside legal and forensics experts to be on standby in the event of an attack.
___________________________________________________________________________________________________
Julie Anderson, based in Amarillo, is editor of County Progress Magazine, and is well known to many readers of PBOG as the prior editor of this magazine.