The energy industry comprises thousands of companies that produce coal, oil, natural gas, nuclear power, and renewable fuels such as electricity from geothermal, hydropower, solar, and wind. This sector is responsible for creating, storing, transporting, and distributing energy through a complex network of dams, reservoirs, pipelines, and power grids.
Every aspect of the US economy relies on energy, and this dependence on uninterrupted power and fuel makes this industry vulnerable to both kinetic and cyber threats. Presidential Policy Directive 21 identifies the energy sector as uniquely critical because it provides an “enabling function” across all critical infrastructure sectors.
Nearly everything we do and every decision we make depends on the availability and price of energy: how we travel, what we eat, the temperature in our houses, and where and how we work. Affordable energy makes our lives better. Because energy is, in many ways, “the capacity to do work,” it facilitates all other economic endeavors.
In the US, energy represents about 9 percent of the Gross Domestic Product (GDP). That means the energy industry contributes about $1 trillion to our economy each year. As a financial sector — an amalgamation of all energy-related industries — energy is the fourth largest in the U.S. economy, following communication services, consumer discretionary, and consumer staples.
The energy industry employs about 6.8 million people. That means 4.6 percent of the U.S. workforce has a job related to producing or delivering energy to the country. This guide will provide insight into the role of cybersecurity in the energy industry, the challenges that security practitioners face in protecting critical infrastructure, and some of the solutions and strategies used to mitigate cyber threats in this sector.
Cybersecurity within the energy industry
In 2018, the US Department of Energy (DOE) formed the Office of Cybersecurity, Energy Security, and Emergency Response (CESER). The CESER Blueprint states that the purpose of this agency is to meet the DOE’s energy security responsibilities and to safeguard critical energy infrastructure against growing and evolving cyber and physical threats.
The DOE recognizes that it cannot effectively shoulder this responsibility alone. Its mission is to build partnerships among a broad set of stakeholders, including all levels of government, private industry, and academia.
The Cybersecurity & Infrastructure Security Agency (CISA) is tasked with strengthening the security of the cyber ecosystem to protect critical services and the American way of life. This agency’s National Risk Management Center (NRMC) works closely with the critical infrastructure community to identify and analyze risks to our nation and strategically manage security efforts.
Energy companies face cyber risk from vulnerabilities related to their IT systems, OT infrastructure, and supply chain partners. IT systems include software, hardware, and technologies used to gather and process data needed to run the business side of the enterprise. OT infrastructure comprises software, hardware, and technologies required to control physical devices such as pumps, motors, valves, and switches.
Examining attacks and breaches that have occurred in the energy industry illustrates the importance of securing the industry’s vast supply chain ecosystem. Energy companies acquire information, hardware, software, and all kinds of services from third-party vendors worldwide. Threat actors can introduce compromised components into a system or network at any point in the system’s life cycle.
Supply chain compromise is sometimes unintentional, in the form of components that do not meet current security standards, and sometimes intentional, as part of a covert effort to facilitate a future attack. Attacks can arrive through software updates or “patches” that the energy company downloads, or through firmware that bad actors manipulate to include malicious code for exploitation at a later date. Adversaries may also compromise the hardware that energy companies install at their facilities.
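The defensive counterpart to the update-and-firmware risk described above is to refuse any package whose contents cannot be tied back to the vendor before it is staged. The following is an added example, not code from the article or from any vendor: it assumes the vendor ships a manifest listing the SHA-256 digest of every file in the update and authenticates that manifest with a key the operator obtained out-of-band (an HMAC stands in here for the vendor’s digital signature; a signed manifest would be verified in the same place with the vendor’s public key). All file contents, file names and keys are constructed sample data.

```python
"""Integrity check for a vendor update package before it is installed.

Added example, not code from the original article. The vendor is assumed
to ship a manifest of SHA-256 digests authenticated with a key obtained
out-of-band (HMAC here stands in for a vendor signature). All file
contents, names and keys below are constructed sample data.
"""
import hashlib
import hmac
import json

# Constructed: key the operator received from the vendor out-of-band.
VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"


def build_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Vendor side: list the digest of every file and authenticate the list."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": digests, "tag": tag}


def verify_update(files: dict[str, bytes], manifest: dict, key: bytes) -> list[str]:
    """Operator side: return a list of problems; an empty list means the update
    may be staged. Every file is checked so that one tampered or injected
    component is reported alongside the others, not just the first one."""
    problems = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time compare so the check itself does not leak anything.
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return ["manifest authentication failed; do not trust any file"]
    for name, digest in manifest["files"].items():
        if name not in files:
            problems.append(f"missing file listed in manifest: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append(f"digest mismatch (tampered or corrupted): {name}")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"file not in manifest (possible injected component): {name}")
    return problems


# Constructed sample update as the vendor shipped it.
ORIGINAL_UPDATE = {
    "plc_firmware.bin": b"\x7fELF" + b"\x00" * 16 + b"constructed firmware image",
    "hmi_patch.dll": b"MZ" + b"constructed patch body",
}
MANIFEST = build_manifest(ORIGINAL_UPDATE, VENDOR_KEY)


def tampered_update() -> dict[str, bytes]:
    """Constructed scenario: one file altered in transit and one file added."""
    update = dict(ORIGINAL_UPDATE)
    update["plc_firmware.bin"] = update["plc_firmware.bin"] + b"extra bytes"
    update["helper.exe"] = b"MZ" + b"constructed unlisted component"
    return update


if __name__ == "__main__":
    print("clean update:", verify_update(ORIGINAL_UPDATE, MANIFEST, VENDOR_KEY) or "OK")
    print("tampered update:", verify_update(tampered_update(), MANIFEST, VENDOR_KEY))
```

The point of checking the manifest first and returning immediately on failure is that a digest list an attacker can rewrite proves nothing; once the list is trusted, a file that is missing, altered, or simply not listed is each reported separately so the operator knows what to quarantine.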
Dragonfly ICS Cyber Attack – As part of an extended campaign during 2016 and 2017, the advanced persistent threat group dubbed Dragonfly targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors. Dragonfly infiltrated trusted third-party organizations that have lower levels of network security and used these vendors as a staging platform to enter their intended energy company targets.
Gas, Oil, and Electric Company Ransomware Attack – In April 2018, an unknown perpetrator launched ransomware attacks against several natural gas pipeline companies. Five of these companies were forced to shut down or curtail their operations. It is unknown if any ransom was paid.
NotPetya – In 2017, what is believed to be a state-sponsored bad actor group hacked into the servers of a Ukrainian accounting software provider and sent corrupted software updates to the company’s customers. The ransomware-like virus, named NotPetya, spread globally and crippled operations across multiple industries, including energy, costing over $10 billion in damages. This attack illustrates how supply-chain vulnerabilities can affect entire industries worldwide.
In addition to securing their IT networks and OT infrastructure, energy companies must also understand their supply chain’s cyber maturity and security processes. Energy companies should conduct vendor risk assessments and gather ongoing intelligence themselves or through specialized cybersecurity firms and consultants.
Case study: Colonial Pipeline ransomware attack
On May 7, 2021, hackers accessed and locked down an estimated 100 gigabytes of data from the Colonial Pipeline IT network, leaving the company unable to operate critical systems needed to transport fuel. The Colonial Pipeline is the most extensive pipeline system for refined oil products in the U.S. It consists of two 5,500-mile-long pipes and can carry 3 million barrels (around 100 million gallons) of fuel per day to 260 delivery points across 13 states between Texas and New York.
This ransomware attack, attributed by the FBI to an Eastern European hacker group named Darkside, shut down the supply of 45% of the East Coast’s fuel for six days. As a result, panic buying and market reactions pushed gas prices to their highest level in over six years, created long lines at gas stations, and left thousands of gas stations and consumers without fuel.
In a highly controversial decision, Colonial Pipeline’s CEO, Joseph Blount, authorized a ransom payment of $4.4 million. It is widely believed that paying a ransom only encourages other hacker groups to follow suit and increases the threat of ransomware for everyone. Often cybercriminals do not release the encrypted data even after a ransom has been paid, either because they cannot or because they will not. In this case, it appears that Darkside did provide the means to decrypt the data, but the results were only marginally helpful.
In what was interpreted to be a note of contrition after the attack, Darkside admitted that they did not expect the results of their attack to be as momentous as they turned out to be. They indicated that they were disbanding or at least would exercise more discretion in future attacks.
It is not yet known precisely how the attack occurred. Colonial has hired a cybersecurity consultancy to investigate how Darkside was able to gain access to their systems.
What makes cybersecurity challenging within the energy industry?
Three primary characteristics make the energy sector especially vulnerable to cyber threats. Energy companies are a rich target for both nation-state adversaries and for-profit cybercriminals. Utilities have an ever-increasing attack surface arising from their difficult-to-harden dispersed geographic locations (hydroelectric dams and coal-fired generation plants are two good examples) and complex third-party supply chain relationships. And, lastly, electric-power and gas companies have unique interdependencies between physical and cyber infrastructure that make OT infrastructure and IT networks highly vulnerable to attack.
Because our energy infrastructure is a key target for nation-states, the U.S. has seen an increase in the frequency and sophistication of cyber threats leveraged against this sector. Unlike kinetic warfare, where an attack by an adversary against a U.S. interest is sure to bring a swift and decisive reprisal, nation-state adversaries today hide behind the near impossibility of 100 percent accurate attribution. They know that without certain attribution, the U.S. is unlikely to retaliate in any significant way.
A multi-threat environment that includes geographically dispersed targets is difficult to protect. Add to that the complexities of an industry with a mix of private and public ownership and third-party vendor relationships that extend beyond any geographical boundaries. It becomes clear why partnerships between the entities involved in this industry are crucial. No single government or private organization could possibly protect all of the various enterprises that make up the energy industry. It requires voluntary and active participation across the board.
The last layer of complex cybersecurity challenges for the energy sector lies in the interdependent nature of many of the components that make up the industry. For example, a power outage in one region can impact the availability of electricity in another part of the country as smart grids work to provide adequate power to all users. Or, an incapacitated oil pipeline can cause not only shortages in one region but a spike in gas prices nationwide.
The global deficiency in skilled cybersecurity workers exacerbates the difficulties in meeting today’s energy industry challenges. America needs well-trained cybersecurity professionals, in both private industry and government, to protect critical infrastructure assets. CISA and DOE have firmly stated their commitment to strengthening the nation’s cybersecurity workforce by normalizing roles and working to ensure we have well-trained workers.
Cybersecurity solutions for the energy industry
The critical nature of the networks, systems, and equipment necessary to make our modern energy industry work, along with the unique security challenges this sector faces, means that well-developed strategies must guide the use of exceptional cybersecurity solutions. There is always a balance between security and convenience. For energy-related critical infrastructure, the scales consistently tip toward security, even if at the expense of convenience.
Virtual Dispersive Networking (VDN) – VDN technology divides a network message into multiple parts and encrypts each component separately. VDN then routes these message components over many servers, computers, and even mobile phones. Dispersing the data over numerous different paths in this manner eliminates the possibility of a Man-in-the-Middle attack, since an attacker on any given pathway can obtain only a small chunk of the original data. This protection strategy renders any data obtained meaningless to anyone other than the intended recipient and nearly impossible to decrypt.
Hardware authentication – Hardware authentication is an approach to user authentication that is especially useful for geographically dispersed OT networks. This protection strategy relies on a dedicated physical device (such as a token) held by an authorized user, in addition to a primary password, to grant access to computer resources. While not as convenient as other authentication methods, the critical nature of energy industry equipment far outweighs the need for easy user login.
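To make the “token in addition to a password” idea concrete, here is an added example that is not code from the article or from any token vendor. It simulates a hardware token with the HOTP algorithm of RFC 4226, in which the token and the server share a secret and a counter and each press yields a six-digit code derived from an HMAC-SHA1 of the counter; the server accepts the password only together with a code inside a small look-ahead window and then advances the counter so a captured code cannot be replayed. The account name, password, salt and look-ahead size are constructed; the token secret is the RFC 4226 test-vector secret.

```python
"""Password-plus-hardware-token login check (HOTP, RFC 4226).

Added example, not code from the article. The token is simulated in
software; a real token holds the secret and counter in tamper-resistant
hardware. Account details, salt and window size are constructed.
"""
import hashlib
import hmac
import struct

LOOK_AHEAD = 5  # constructed: unused token presses the server tolerates


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Six-digit HOTP code for the given counter, per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = ((mac[offset] & 0x7F) << 24 | (mac[offset + 1] & 0xFF) << 16
            | (mac[offset + 2] & 0xFF) << 8 | (mac[offset + 3] & 0xFF))
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Server-side record: salted password hash plus token secret and counter."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = b"constructed-salt"  # per-user random salt in practice
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.token_secret = token_secret
        self.counter = 0  # next counter value the server expects from the token


def verify_login(acct: Account, password: str, code: str) -> bool:
    """Grant access only if the password AND a fresh token code both check out."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    pw_ok = hmac.compare_digest(acct.pw_hash, candidate)
    token_ok = False
    next_counter = acct.counter
    # The token may have been pressed a few times without logging in, so
    # search a short window ahead of the last accepted counter.
    for c in range(acct.counter, acct.counter + LOOK_AHEAD):
        if hmac.compare_digest(hotp(acct.token_secret, c), code):
            token_ok = True
            next_counter = c + 1
            break
    if pw_ok and token_ok:
        acct.counter = next_counter  # accepted and earlier codes are now dead
        return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret
    operator = Account("constructed-passphrase", secret)
    print(verify_login(operator, "constructed-passphrase", hotp(secret, 0)))  # True
    print(verify_login(operator, "constructed-passphrase", hotp(secret, 0)))  # False: replay
    print(verify_login(operator, "wrong-passphrase", hotp(secret, 1)))         # False
```

Both factors are always evaluated and the counter moves only after a fully successful login, so a valid code paired with a wrong password neither grants access nor consumes the token press, and a code that was already used is refused even with the right password.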
User-behavior analytics (UBA) – In the same way that sophisticated analytics are used to inspect packet content in a firewall or anti-virus software analyzes a file system, UBA examines what a user is doing. By carefully studying how users typically interact with a given system, UBA can recognize aberrant or suspicious behavior. Although real systems are much more sophisticated than this, a good example is an analysis of how quickly a user navigates the prompts of a system and the path the user takes to access sensitive information. UBA accuracy continues to improve as it employs machine learning techniques to understand the intent behind user behavior.
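The navigation-speed and access-path analysis described above, reduced to its simplest statistical form, is shown in the following added example; it is not code from the article or from any UBA product. It builds a per-user baseline from a training window (seconds between successive actions, resources touched, and screen-to-screen transitions), then flags new events that are several standard deviations faster than the user’s norm, follow a path never seen for that user, or reach a resource the user has never accessed. The log lines, user names, resource paths and the “sensitive” prefix are all constructed.

```python
"""User-behavior analytics over constructed HMI access logs.

Added example, not from the article or any product. Baseline and new
events, user names, resource names and the sensitive prefix are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

SENSITIVE_PREFIXES = ("/engineering/",)  # constructed: resources needing extra scrutiny
SPEED_Z_THRESHOLD = 3.0                  # flag navigation this many std devs faster than usual

# Constructed training window: three normal shifts for one operator account.
BASELINE_LOG = """
2024-03-04T08:00:00 opsmith login /hmi/overview
2024-03-04T08:00:45 opsmith view /hmi/pump-station-3
2024-03-04T08:01:40 opsmith view /hmi/pump-station-3/trend
2024-03-04T08:02:50 opsmith view /hmi/overview
2024-03-05T08:10:00 opsmith login /hmi/overview
2024-03-05T08:10:52 opsmith view /hmi/pump-station-3
2024-03-05T08:11:45 opsmith view /hmi/pump-station-3/trend
2024-03-05T08:12:55 opsmith view /hmi/overview
2024-03-06T07:55:00 opsmith login /hmi/overview
2024-03-06T07:55:40 opsmith view /hmi/pump-station-3
2024-03-06T07:56:45 opsmith view /hmi/pump-station-3/trend
2024-03-06T07:57:45 opsmith view /hmi/overview
"""

# Constructed new activity: a scripted 2 a.m. session, an unknown account, then a normal shift.
NEW_LOG = """
2024-03-11T02:14:00 opsmith login /hmi/overview
2024-03-11T02:14:02 opsmith view /hmi/overview
2024-03-11T02:14:03 opsmith view /engineering/plc-config
2024-03-11T02:14:04 opsmith download /engineering/plc-config/export
2024-03-11T03:00:00 contractor view /engineering/plc-config
2024-03-12T08:05:00 opsmith login /hmi/overview
2024-03-12T08:05:50 opsmith view /hmi/pump-station-3
"""


def parse(log: str):
    """Turn 'timestamp user action resource' lines into tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, action, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, action, resource))
    return events


def build_baseline(events):
    """Per-user gap statistics, known resources and known screen transitions."""
    gaps = defaultdict(list)        # user -> seconds between consecutive actions in a session
    resources = defaultdict(set)
    transitions = defaultdict(set)  # user -> {(from_resource, to_resource)}
    prev = {}                       # user -> (time, resource) of previous event in session
    for ts, user, action, resource in events:
        resources[user].add(resource)
        if action == "login":       # a login starts a session; no gap is measured for it
            prev[user] = (ts, resource)
            continue
        if user in prev:
            pts, pres = prev[user]
            gaps[user].append((ts - pts).total_seconds())
            transitions[user].add((pres, resource))
        prev[user] = (ts, resource)
    baseline = {}
    for user in resources:
        g = gaps[user]
        mean = statistics.fmean(g) if g else 0.0
        std = statistics.pstdev(g) if len(g) > 1 else 0.0
        baseline[user] = {"mean_gap": mean, "std_gap": max(std, 1.0),  # floor avoids division by ~0
                          "resources": resources[user], "transitions": transitions[user]}
    return baseline


def score(events, baseline):
    """Return (time, user, reason) alerts for events that deviate from the baseline."""
    alerts = []
    prev = {}
    for ts, user, action, resource in events:
        b = baseline.get(user)
        if b is None:
            alerts.append((ts, user, "no baseline for user"))
            prev[user] = (ts, resource)
            continue
        reasons = []
        if resource not in b["resources"]:
            kind = "sensitive resource" if resource.startswith(SENSITIVE_PREFIXES) else "resource"
            reasons.append(f"{kind} never accessed by this user: {resource}")
        if action != "login" and user in prev:
            pts, pres = prev[user]
            gap = (ts - pts).total_seconds()
            z = (b["mean_gap"] - gap) / b["std_gap"]
            if z > SPEED_Z_THRESHOLD:
                reasons.append(f"action {gap:.0f}s after previous one, {z:.1f} std faster than usual")
            if (pres, resource) not in b["transitions"]:
                reasons.append(f"unseen path {pres} -> {resource}")
        prev[user] = (ts, resource)
        if reasons:
            alerts.append((ts, user, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in score(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG))):
        print(ts.isoformat(), user, reason)
```

On the constructed input, the three one-second hops of the 2 a.m. session are each flagged for speed, for an unseen path, and (for the two engineering pages) for touching a resource the operator has never used, while the unknown contractor account is flagged for having no baseline and the normal shift on the following day produces nothing. A production system would add session context, time-of-day and source-host features, and would update baselines continuously, but the structure is the same: model the norm per user, then score deviations.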
Protecting America’s energy industry from cyber-attacks and other risks is a top priority for the Department of Energy. In March 2018, the DOE published a Multi-year Plan for Energy Sector Cybersecurity. This guiding document was developed to better coordinate critical cyber operations across the Department of Energy and other key critical infrastructure cybersecurity stewards. It outlines an integrated strategy to reduce cyber risks in the energy industry by pursuing high-priority activities coordinated with other DOE offices and the federal government’s strategy, plans, and activities.
Acknowledging that a strategy of trying to anticipate and then react to the latest cyber threats is inefficient, ineffective, and unsustainable, the DOE has embarked on a two-fold approach.
- Strengthen today’s energy delivery systems by promoting continuous improvement.
- Develop game-changing solutions that create inherently secure, resilient and self-defending energy systems.
The DOE’s cybersecurity strategy meets the objectives of Executive Order 13800, which directs all federal agencies to use their authority and capabilities to support the cyber risk management of critical infrastructure owners and operators.
The security of the nation’s energy industry is vital to our economy and way of life. The industry is a highly complex network of private and public entities, each with its own leadership and goals. Multiple governmental departments and agencies have a stake in setting and enforcing security and cybersecurity standards.
While there have been physical attacks against this sector, such as the 2013 attack on Pacific Gas & Electric’s Metcalf substation in California, the vast majority of threats to this industry come from cyber vulnerabilities. Cybercriminals, as well as nation-state bad actors, see the energy industry as a key target.
Opportunities for cybersecurity professionals exist throughout the industry. Governmental agencies are continually looking for workers with cybersecurity skills and experience. Private enterprises that operate power and pipeline companies need the best security practitioners and technology solutions.