In any industry, cybersecurity threats lurk around every corner. Cybersecurity breaches are costly. In 2021, the average cost of a cybersecurity data breach was $4.24 million, and a breach can also substantially damage a company’s reputation. Among 17 industries surveyed by IBM, the energy sector has the fifth-highest average cost associated with a data breach, trailing only the healthcare, pharmaceutical, financial, and technology industries. With security vulnerabilities in the energy sector only increasing as more and more systems move online, many providers are considering updating their cybersecurity measures in order to avoid falling prey to attackers.
The good news is that energy providers have options for reducing both the likelihood and impact of a potential data breach. Comprehensive cybersecurity measures don’t just consider one layer of the software supply chain or address a single point of failure in isolation. Instead, they view a system and all of its parts in context, considering no vulnerability too small to address, and no system too big to secure.
In the past few years, a number of high-profile cybersecurity breaches have plagued the energy sector. Here are a few situations that may have been avoided by putting more comprehensive measures in place ahead of time.
Colonial Pipeline Ransomware Attack
In May 2021, the 5,500-mile Colonial Pipeline, which brings oil from the Gulf of Mexico to the East Coast, fell victim to a ransomware attack. A hacker group identified as DarkSide gained access to the Colonial Pipeline network and gathered 100 gigabytes of data in two hours. The hackers then left ransomware on computers throughout the network, demanding cryptocurrency.
Unsure of the full extent of the situation, officials shut down the Colonial Pipeline in order to contain the possible threat to national security. They also contacted the Departments of Energy and Homeland Security, the FBI, and the Cybersecurity and Infrastructure Security Agency. Then, they paid the hackers in order to access the decryption key. On May 12, the pipeline resumed operations as normal, but not before producing oil shortages all over the East Coast.
Cybersecurity firm Mandiant found that the hackers had gained access to the Colonial Pipeline network through a leaked password. The password granted access to the pipeline’s virtual private network (VPN), through which hackers were able to steal data and distribute ransomware. The source of the initial breach is unknown, but Mandiant has said it’s likely the password had been used by an employee for another website, allowing hackers to infer the employee’s password on the pipeline’s systems. The Colonial Pipeline incident is the largest-ever publicly disclosed cyberattack against U.S. infrastructure.
Pacific Gas and Electric Fined 2.7 Million Dollars
Smart meters, which transmit energy usage data via radio waves or the Internet, have brought with them a new set of security risks. San Francisco energy company Pacific Gas and Electric (PG&E) was recently fined $2.7 million by federal security regulators for a leak of confidential data associated with their smart meters.
The company allegedly lost control of over 30,000 pieces of information through their third-party contractor, when that contractor copied information from PG&E’s network to its own network. The contractor’s network was hosted publicly online, and did not require a login to access. PG&E initially claimed the data was fake — dummy information generated to test a data storage system — but later reversed this claim.
Cybersecurity Breaches Require Multiple Points of Failure
In both of the above case studies, multiple points of failure interacted to bring about a disaster. The Colonial Pipeline oil shortage might have been prevented if employees had been trained never to reuse passwords, or if employees knew how to deflect phishing attacks (even those targeting personal accounts not related to their work). Alternatively, the crisis may have been averted if the fate of the entire system weren’t resting on the security of a single VPN, or if surveillance measures were in place that gave authorities a better sense of exactly which systems had been accessed, so that they would know whether or not shutting down the whole pipeline was necessary.
Similarly, PG&E could have collaborated with third parties in a manner that did not require such extensive data sharing, used smart meters in a way that did not require the use of third parties, or forgone smart meters altogether. Another solution might have been to brief third parties more thoroughly on when (or when not) to duplicate data. PG&E also could have conducted a more thorough investigation of the nature of the data before releasing their initial statement, to avoid falsely claiming the data itself was fake. Any of these solutions could have prevented or, at the very least, mitigated the damage associated with these data breaches.
Online Cybersecurity Requires a Holistic Approach
With these and other security risks, the threats do not arise from a single point of failure. Instead, each threat results from the compounding of different weaknesses and vulnerabilities. Security threats can emerge from failures in a system’s internal development, the conduct of its users, or its relationship with a third party. Energy sector security depends on proactive attention to detail on all sides of a company and its collaborators’ operations.
Effective online security is an essential tool for energy providers looking to prevent the kinds of attacks suffered by the Colonial Pipeline or PG&E. Kiuwan provides essential security services that ensure the safety of an energy provider’s code and online systems.
Kiuwan Can Help Mitigate Cybersecurity Risks
Kiuwan’s unique development, security, and operations (DevSecOps) approach highlights the importance of considering a system’s security holistically. No vulnerability is considered in a vacuum. Rather, Kiuwan recognizes and tends to the fundamentally integrated nature of energy security.
Threats to energy cybersecurity always depend upon exploiting multiple points of failure. In order to mitigate these threats, energy providers need a cybersecurity team that sees the big picture.
Kiuwan’s advanced cybersecurity services include robust tools, like software composition analysis (SCA) and static application security testing (SAST), that analyze and identify potential vulnerabilities in code security.
Kiuwan’s services provide extensive and digestible reviews of every step in the software supply chain, and deploy powerful solutions to counteract the most common cybersecurity threats. Contact Kiuwan for a free demo.