MNP’s Chris Law joined Francis Bradley on the Flux Capacitor podcast to discuss the changing cyber security landscape and the latest threats facing the energy and utilities (E&U) sector. Their sobering conversation touches on risks related to ransomware, operational technology, and insider threats, how the dark web has made it easier for cyber criminals to pull off crippling attacks, and more.
Read on for our full summary, including 10 action items every E&U leader should take to secure the business moving forward. You can also listen to the full episode below.
Get clear on the table stakes
Cyber threats go hand in hand with an increasingly digital world, and the risk will continue to rise as organizations progress along their digital transformation journeys. The E&U sector is especially vulnerable, with critical infrastructure being a lucrative target for organized criminal groups and state-sponsored hackers looking to further political ends.
Eliminating weak links
Chris points to integrating information (IT) and operational (OT) technology systems via internet-connected switches and sensors as a particularly sticky challenge across the sector. Legacy OT systems are designed with a much longer shelf life than IT, and older systems typically lack the security controls that are now standard. Bridging air gaps by haphazardly connecting OT to an IT network is a frequent error, and one where he sees E&U organizations creating potentially catastrophic vulnerabilities.
Ransomware remains formidable
Ransomware is now involved in 80 to 90 percent of all cyber security incidents and, according to Chris, remains the sector’s most significant threat. However, he notes that conventional fraud and social engineering tactics (e.g., phishing and malware) are also trending upward. This has led many insurers to decrease payouts to their corporate clients, adding pressure to meet ransom demands on organizations that otherwise risk permanently losing data and access to compromised systems.
Legislation isn’t a cure-all
Chris credits privacy regulations in Europe, Canada, and California for massively improving information security practices. Still, he notes that legislation isn’t universal and can be difficult to enforce outside the relevant jurisdictions. Moreover, these laws focus primarily on managing sensitive private information and minimizing its vulnerability to a breach. While compliance with frameworks like the GDPR or Law 25 will reduce the likelihood of identity or intellectual property theft, it can do little to help affected parties recover if a breach does occur.
Cybercrime goes mainstream
Among Chris’s most startling revelations is a sharp increase in smaller-scale attacks by less sophisticated actors in recent years. While these amateur hackers typically lack the scope and skill of criminal enterprises or state-sponsored groups, he cautions that they’re far from harmless.
Not only are these actors unpredictable (motives can include boredom, malice, curiosity, and greed), but they can also expose security vulnerabilities and sensitive information. Failing to take this threat seriously could, therefore, lead to more brazen attacks and even bigger issues down the road.
He also highlights a growing concern around insider threats. While employees/vendors have always had privileged access to systems and information, their means and opportunity have evolved as subscription-based software and remote work become more commonplace. Leaders need to understand the motives for employees and vendors to commit fraud and cybercrime, how a perceived lack of oversight could embolden them, and best practices to prevent insider attacks.
Chris points to the rapidly growing dark web marketplace for hackers and products of cybercrime as an area where E&U organizations should be especially vigilant. An estimated 80 percent of attacks originate on the dark web. Users require little advance knowledge to access it, and once on, they can anonymously browse unindexed websites and message boards for stolen login information, intellectual property, and personal data, along with cyber criminals for hire and how-to guides for aspiring hackers.
While unsettling, it’s not all bad news. Chris says E&U organizations can also use the dark web to their advantage by proactively crawling these sites to discover what hackers know about them. This information can help find, report, and recover from previously undetected attacks. It can also help organizations adjust cyber security priorities if they discover a potential vulnerability.
Keeping up with the rapid pace of change
The pandemic-driven trend toward remote work has introduced numerous benefits, including more flexibility and autonomy for employees and a larger pool of talent for employers. Chris acknowledges there are numerous benefits to hybrid work and that these models seem to be here to stay. Still, he cautions E&U organizations to be realistic about the ongoing challenges, including:
- Fewer opportunities to socialize: Remote employees may feel less connected to the organization than their in-person counterparts and be more likely to pursue new opportunities. This can affect adherence to cyber security best practices by the disengaged team member and their replacement, who will be less familiar with the necessary procedures and controls.
- More technical vulnerabilities: Technologies to support remote collaboration can introduce inherent and user-driven security vulnerabilities that need to be factored into their adoption.
- Increased opportunities for fraud and intellectual property theft: Less direct oversight of employees can allow unscrupulous team members to steal sensitive information. Leaders can mitigate this risk by keeping close contact with remote team members and monitoring activity on company servers.
He also points to the recent excitement around ChatGPT and other generative artificial intelligence (AI) tools, with many E&U leaders seeing opportunities to augment or even replace areas of their workforce. While exciting and ripe with potential, Chris cautions against entrusting these tools with too much too soon:
- Leaking of proprietary secrets and intellectual property: Many generative AI tools retain a record of all inputs and use that information to train the technology and generate responses. Users should be cautious not to input sensitive information they would not want to be leaked to a competitor or other unauthorized user.
- Opportunities for plagiarism and intellectual fraud: Over-relying on generative AI in the workplace can also make it harder for employers to discern what work was performed by computers and what insights their employees created. While not explicitly a cybersecurity concern, this can form the basis for intellectual property theft and other technology-mediated fraud.
Action items
Given these trends, employers must be more vigilant about protecting intellectual property and sensitive data, including conducting regular risk assessments, complying with relevant legislation, keeping policies and procedures up to date — and providing training on the use of technology.
Following are some key action items and takeaways based on Chris’s conversation with the Flux Capacitor Podcast and cyber security best practices:
- Conduct regular cybersecurity risk assessments to identify critical assets and potential vulnerabilities, including insider threats.
- Review cyber security fundamentals, including firewalls, antivirus software, and regular software updates.
- Provide cybersecurity awareness training to educate employees about spotting and reporting threats.
- Use multi-factor authentication to enhance password security.
- Back up critical data offline to prevent unauthorized access and alteration.
- Consider real-time dark web monitoring to detect and prevent cyber threats.
- Review cyber security insurance policies to ensure these reflect your current risk profile and coverage requirements.
- Reassess hybrid and flexible work policies and whether they effectively mitigate cyber concerns.
- Enforce privacy regulations, leveraging best practices from Europe’s GDPR, Canada’s Law 25, and California's privacy bills to safeguard sensitive data.
- Monitor for conventional fraud and social engineering attacks in addition to ransomware.
You can listen to the full episode here.