The majority of U.S. energy companies have now dealt with a cyber attack, according to Acting Inspector General Charles Edwards from the U.S. Department of Homeland Security (DHS). And that's why Edwards met with a Congressional committee last Thursday to push for advanced reporting of cyber incidents to strengthen energy companies' response readiness.
In addressing the committee, Edwards brought five examples of recent cyber attacks that hit important interests and stoked fears for the future. The attacks range from emailed attempts at collecting information to full-blown system hacks, but they all indicate a need for security improvements. The following is a list of the cyber threats Edwards reported to Congress to make the case for greater information sharing:
1) In February 2011, the media reported that hackers had stolen proprietary information worth millions of dollars from the networks of six energy companies in the United States and Europe.
2) In December 2011, a sophisticated threat actor targeted the oil and natural gas subsector. Affected asset owners across the sector voluntarily worked with DHS during the investigation.
3) Throughout 2011, there were reports of spear-phishing via email in the energy sector; no negative impacts occurred to the companies’ control processes and operations.
4) In March 2012, an alert was issued regarding phone-based social engineering attempts at two or more power distribution companies. The callers attempted to direct the company personnel to take action to correct a problem that would have allowed the attacker to gain access to their ICS.
5) In April 2012, media reported that a Canadian ICS manufacturing company inadvertently planted a backdoor login account in its own operating systems, which contain switches and servers used in mission-critical communications networks that operate power grids and railway and traffic control systems. This account could have allowed attackers to access the devices via the Internet.
Further, Edwards noted that 55% of these attacks target industrial control systems (ICS) managing key resources and infrastructure. And assailants tend to be hackers, nation states, disgruntled employees, competitors or colleagues unwittingly transferring malware through a flash drive.
But even with this knowledge, many energy companies say they don't have enough timely information about cyber incidents to adequately mitigate attacks.
“Stakeholders are concerned that a great deal of time might elapse until (they) were made aware of the same or similar incident that could affect their systems,” Edwards said.
In this regard, Edwards recommends DHS improve its incident reporting and advanced notification systems to help companies determine an effective response.