Dealing with Cyber Security from the Perspective of the Energy Sector

When hackers broke into adult dating site Ashley Madison in June 2015, accessing the personal data of hundreds of thousands of people, the public snickered. No one laughed when a cyber-attack caused the power grid in western Ukraine to go down six months later, leaving about 230,000 people without electricity for half a day just before Christmas.

The incident affirmed what the global energy industry already knew: anything can be hacked. Cyber security risks are mounting and changing on a daily basis, forcing governments, organizations and corporations to increase vigilance and cooperation as they seek to best secure critical infrastructure from cyber intrusions.

Last year the Canadian Cyber Incident Response Centre (CCIRC) handled 1,594 incidents with critical infrastructure organizations. A true number could be difficult to pinpoint as companies often don’t go public about cyber-attacks or breaches, while others might not have detected a cyber intrusion – yet.

“The Ukraine incident affirmed what the global energy industry already knew: anything can be hacked.”

“One thing in particular for the energy sector and the gas sector that is a little different from some other Canadian businesses is that we see relatively more of what we call persistent threats,” says Mark Matz, director of policy for national cyber security, a branch of Public Safety Canada.

“A persistent threat is when a hacker tries to gain access to a system and stays on that system for a long time – they are mapping out often what that network looks like to gain a better understanding of how systems are laid out, who has access to what and what other networks can be connected. And that’s the kind of behaviour that we see from some pretty advanced threats, often associated with a nation state.”

CCIRC works with private sector and infrastructure companies, taking calls about incidents and providing advice on cyber threats, risks and vulnerabilities. The free service, open to any company, works in close collaboration with various cyber emergency response teams (CERTs) and information sharing and analysis centres (ISACs) across the “five eyes” community, an alliance between Canada, the United States, United Kingdom, New Zealand, and Australia which exists to share signals intelligence. Collaboration with our biggest trade partner is key, particularly given the integrated nature of critical infrastructure such as pipelines and power lines.

So when the U.S. Department of Homeland Security issued a disturbing report on cyber security in 2012, Canada listened. The report was released after the department became aware of ongoing cyber intrusions against U.S. natural gas pipeline operators. The report pointed out how more sophisticated hackers and the emergence of specialized malware made pipeline SCADA operations increasingly vulnerable to cyber-attacks, particularly as SCADA systems, which were historically isolated, become more connected.

Matz notes threats come from a number of sources, ranging from individuals to organized crime syndicates to nation states, and can take the form of an overt attack, insidious infiltration or sly second-or-third-hand approaches. Industrial espionage, where proprietary information, trade secrets or intellectual property is the target, is a topline concern. Ransomware, where a criminal encrypts an organization’s files and/or computer system and demands money to release them, is another.

Among the tactics used by cyber criminals are so-called watering hole attacks, in which a predator locates a site frequented by a target, waits for the target to appear and then pounces. This famously happened when one company was tapped into after the website of a nearby, frequented restaurant was hacked.

“The approach to cyber security has to be risk-based because the threats are innumerable,” notes David McConkey, Canadian Gas Association manager, operations and safety. “You need to understand what your threats are, prioritize them in terms of the risks that they actually pose to your organization. And then take action to mitigate that risk as much as possible on the front end.”

“The first and foremost – and perhaps the most effective – measure to have in place is a strong culture of awareness, of vigilance, across the organization,” McConkey says.

Supply chain integrity also is increasingly garnering attention as companies work to ensure their vendors and manufacturers are cyber secure, from their own systems to ensuring the electronics being put in computers and SCADA systems are free from embedded malicious code.

“Threats come from a number of sources, ranging from individuals to organized crime syndicates to nation states, and can take the form of an overt attack, insidious infiltration or sly second-or-third-hand approaches.”

Layering protection, such as having firewalls and one-way information transfers, makes it more difficult for an incursion to happen, say experts. There also is a better chance of detecting an adversary if it is triggering a number of alarms instead of just one, which could also discourage a cyber intruder. Sharing when a cyber-attack or breach has happened with industry and government partners also is fundamental to keeping ahead of the curve.

Quebec natural gas utility Gaz Metro operates 10,000 kilometres of underground pipelines serving some 300 municipalities and more than 200,000 customers. Martin Vézina, senior advisor, IT security and compliance, believes Gaz Metro likely experiences the same type of threats as other North American utilities, making the sharing of information vital to maintaining a strong defense.

“There is no silver bullet in terms of information security. There is no single thing that you can do that will prevent all cyber attacks. We must also consider that cyber criminals are constantly adapting their tactics,” Vézina says. “And if we adapt, for sure they will adapt their response.

“That being said, where we have the biggest value to increase cyber security is information sharing. We need to learn from each other. Because Gaz Metro is not alone in this – other organizations face the same problem, so sharing is where we can get the biggest value. We must stay vigilant, we must also continue to improve our training, information security awareness to our users.”

“Layering protection, such as having firewalls and one-way information transfers, make it more difficult for an incursion to happen.”

After the 2012 report on cyber intrusions was released, the American Gas Association (AGA) set up its Cybersecurity Strategy Task Force. The work resulted in a three-pillar approach that continues to evolve, says Kimberly Denbow, AGA security, operations and engineering services director.

The first pillar is education and situational awareness to ensure the industry is well-informed about threats and what to do about them. This is followed by the second pillar, industry cyber security assessments, which help gas utilities across the U.S. understand their vulnerabilities at operational and IT levels. Smaller utilities often work with limited resources, making continued education on cyber threats and remedies challenging, she noted.

The third pillar, technical and advocacy guidance, is an on-going effort to inform regulators and legislators about what industry is facing and how they are mitigating risk.

“Cyber threats are real, they are something every organization has to pay attention to, both for their own business and for their own customers to make sure that people have essential services available.”

The initial response to the 2012 report was to secure everything, Denbow recalls. “That doesn’t ensure security; you’re throwing resources everywhere rather than focusing resources at areas that need it the most.” That’s where the idea of technical guidance became a third pillar, promoting public private partnerships where best practices and information are shared through guidelines rather than regulation.

“In a constantly changing threat environment, regulations tend to work in geological time rather than cyber time,” Denbow says. “Public private partnerships help us reinforce the tools we have and keep us on the offensive rather than defensive side. To me that is the ultimate goal of the AGA’s security program, whether it is physical or cyber – to remain on the offensive rather than waiting and having to be on the defensive.”

“Promoting public private partnerships where best practices and information are shared through guidelines.”

Canada and the U.S. are continually working together to protect critical infrastructure, notes Matz. He points toward the Cyber Security Action Plan that resulted in the Canadian Cyber Incident Response Centre and the Department of Homeland Security delivering joint threat briefs, working together to analyze cyber threats and vulnerabilities, and exchanging analysts.

A national critical infrastructure strategy and action plan sees all 10 critical infrastructure sectors, including energy, being briefed on threats. It also includes workshops, information sharing gateways, tools and best practices. The Canadian Cyber Threat Exchange, launched in 2016, is a new model with a significant network.

“Cyber threats are real, they are something every organization has to pay attention to, both for their own business and for their own customers to make sure that people have essential services available,” says Matz. “Because often what we are talking about are things that can really affect people’s lives. It’s important both for the government and for businesses to be able to work together and collaborate to address this problem.”

Dina O’Meara is a former business writer with the Calgary Herald and is now a communications consultant.