Electricity Infrastructure Risk: Understanding cyber threatsSponsored
These days most businesses rely on digital technology to help them be more efficient, reduce costs and deliver better services.
Yet there is often a hidden down side to this reliance on technology - the vulnerability to cyberattacks.
The increasing number of high-profile cyber incidents, notably the recent WannaCry ransomware attack in May 2017, have highlighted the vulnerabilities of businesses and industries in this digital age. Yet it seems that business leaders have become complacent about managing these risks.
According to Lloyd’s ‘Facing the cyber risk challenge’ survey 92% of businesses had experienced a data breach in the past five years, yet only 42% are worried about suffering another breach in the future.
In this era of rising cybercrime, it is surprising to find 58% of business leaders seem to be unaware of the security risks facing their organisations. This degree of complacency is especially concerning when you consider many high-profile incidents have resulted in significant impacts on the bottom-line or share price of breached organisations and which, in some cases, have led to senior executives losing their jobs.
Juniper Research predicts that cybercrime will reach USD$2 trillion in corporate losses by 2019. These losses may be the result of an organised cyberattack, the actions of a disgruntled employee or a simple mistake, e.g. sending the wrong email attachment or leaving a smartphone on the train.
For the energy sector, cybercrime can have a greater impact than many other industries. Cyber-terrorism can cause sustained outages which disrupt energy supply to customers, take assets offline and temporarily damage infrastructure. When the Ukraine power grid was attacked at the end of 2015 hackers managed to take 30 substations offline, affecting 230,000 consumers, blocking telephone networks and reprogramming 16 critical devices before operators could regain control. Such attackers take a calculated approach and their actions are carefully planned and synchronised, using a combination of social engineering and technical skills. Social engineering skills are used by attackers to manipulate people into revealing sensitive information, and technical skills are used to exploit vulnerabilities in software and hardware systems. Cybercriminals are becoming more sophisticated and their attacks are getting harder to detect and contain. Business and industry need to be prepared, and keep themselves protected from such threats.
You may be surprised to find that the biggest security threat facing your organisation is the ‘trusted insider’ threat. These are the people who directly access your network and sensitive data - employees, contractors, partners and third-party vendors. It's not that people are generally malicious; human error or ignorance are behind many breaches. That's why investing in ongoing, regular security awareness education and training is so important.
Some ‘trusted insiders’ do intentionally engage in unauthorised or illegal activities, such as disclosure of proprietary information, industrial espionage, theft and fraud. In these circumstances, the insider often exploits their legitimate access for one or more unauthorised purposes. It isn’t uncommon to find a pattern of past behaviour raising security concerns when a malicious insider is eventually detected. That’s why investing in robust security monitoring is so important. Even in large energy corporations, all it takes is one bad action, one wrong click of the mouse, to cause significant loss and damage to your revenue and reputation.
Security mechanisms, such as passwords, are intended to safeguard data and accounts, but stolen passwords are a gold mine for cyber criminals. It isn't just the passwords themselves that are valuable, but an attacker gaining access to these accounts can then extend their access to other accounts with greater privileges and deeper implications. For example, an executive at Shipley Energy fell afoul to a phishing scam and, by lurking in the background, reading her messages and getting to know her, a hacker could pose as her to gain access to financial accounts. The Target store security breach is perhaps the most infamous example, where intruders were able to access 40 million debit and credit card accounts by initially obtaining the user name and password of a third-party ventilation system contractor. Estimates from industry analysts suggest that Target could be facing losses of up to $420 million as a result of this breach. That's a hefty price to pay for one mistake, but that is the risk that businesses are facing in this digital age.
In response to the increasing sophistication of cybercriminals, there are a growing number of ways to control access and defend against attack. Now user access can be controlled not just by passwords, PINs and fingerprints (e.g. for unlocking your phone), but through broader contextual security techniques. These techniques broaden the focus of authorised access from just the user trying to gain access to the context within which they are trying to gain access. This context could be as simple as where they are when they access, what type of device they are using and the time of day they are trying to access your systems. These simple contextual security elements can be quite powerful, especially when combined with more sophisticated techniques, like real-time facial comparisons, iris scans, or keystroke dynamics, where the manner and rhythm with which someone types are used to identify the user. These approaches tighten controls and add extra layers of protection by ensuring that authorised users only have access when and where they should.
It’s not a matter of if your business will be subjected to a cyber-attack; it’s a matter of when. The question is, are you ready? Now is not the time to be complacent. Cyber threats are real and can have devastating implications for your business. Are your assets protected?
Contributed by: Middleware New Zealand Ltd. If you would like more information or a copy of this article please click here
