North American Electric Cyber Threat Perspective
A report by the critical-infrastructure security firm Dragos reveals that the energy infrastructure sector (oil, gas, electric, etc.) continues to be a target of nation-state attacks.
Highlights of the report include:
Critical infrastructure remains a target, and many organizations are not prepared for focused attacks. Within the past year, more than half of energy companies experienced an operational shutdown or data loss of some kind. The report says that of those surveyed, only 42% were prepared for an attack.
Groups addressed include those that have ties to Iranian-sponsored cyber-espionage cells like Advanced Persistent Threat 33 (APT33) and Elfin.
The report does not directly connect activity to specific threat actors but suggests that the rise in activity coincides with increased escalations between the US, Iran, and the Middle East.
These tensions expand the opportunities for exploitation under the guise of false flags. A false flag occurs when one nation-state (e.g., Russia) masquerades as another group (e.g., Iranian hackers) in order to access sensitive government, military, and commercial information.
Supply-chain and third-party compromises remain a present risk and threat to the energy sector.
Cyberattacks are increasingly used to project symmetric and asymmetric power, particularly by targeting the energy domain.
This comprehensive overview of the top threats facing critical infrastructure helps inform organizations working with the energy sector, making enterprises more aware of the tactics, techniques, procedures, and behaviors of threat actors. The report also provides several defensive recommendations to help combat observed threats.
As of yet, adversaries have not successfully disrupted energy sector operations in North America. However, experts suggest that such a disruption will happen eventually, and that the attack is likely to be deployed across the entire sector, with disruptive and destructive consequences, unless we become more proactive in our cybersecurity.