The oil, gas and power sectors, though not impervious to a cybersecurity breach, are ready to act if Russia attempts to attack their networks and have plans in place to thwart or mitigate disruptions to operations, industry and cybersecurity experts told S&P Global Commodity Insights.
The cyberthreat to US energy assets has been heightened by the possibility of retaliatory cyberattacks from Russian actors as the US, along with European leaders, continues to ratchet up sanctions and tighten penalties on Russian President Vladimir Putin's inner circle over the invasion of Ukraine.
But risks in the energy space are not new as power, oil and gas infrastructure have long been among attractive targets for both nation-state and criminal hackers. And the industries have been continuously working on beefing up their defenses well before Russian troops entered Ukraine.
"That's not to say the industry's cybersecurity is invincible and that some disruption to a pipeline or to the electric grid is impossible," Ben Miller, vice president of professional services and R&D at Dragos, said.
"We're in an unprecedented time right now; however, cybersecurity hasn't suddenly changed," he continued. "Industry must continue to understand the threats focused on disrupting industrial control systems and quickly grow their visibility to monitor for these threats to their industrial environments."
'Abnormal scanning'
The White House stepped up its warnings of a possible Russian cyberthreat to critical infrastructure earlier in the week, though it continues to contend that there is no evidence of any specific cyberattack underway or imminent. Media reports also flagged an FBI advisory warning the private sector of "abnormal scanning" activity from Russian-based IP addresses on the computer networks of at least five US energy companies and 18 other companies that could be precursors to hacking attempts.
But Dragos' Miller cautioned against overreaction "to simple scanning activity that may be sourced from any particular country."
"It's something that is a common occurrence and not really indicative of anything," he said. "That said, the White House warning should draw attention as they were clearly noting an intent to go after US-based critical infrastructure. I fully expect government agencies including CISA and DOE are working closely with industry behind the scenes... We're just seeing a sliver of work that's being done by both government and industry."
An energy industry source, who spoke on condition of anonymity because of the sensitivity of the topic, similarly described the scanning at issue as a technique used by even "basic" hackers.
The source, who was privy to the FBI advisory and in contact with some of the companies who were scanned, said no company credentials were compromised and no system access was attained from the scans.
"That's the kind of hacking and penetration attempts that we see all the time," the source said. "That's not new. The fact that they came from Russian IP addresses was something that certainly set off the government because that's what they're looking for right now."
Heightened vigilance
The source added that the heightened state of vigilance created by the Russian threat has encouraged an increased level of cyber incident reporting for a lower threshold of incidents as the Biden administration seeks to stay ahead of any escalation by Russia on the cyber front. Whereas companies may not have previously reported an unsuccessful hacking attempt, more are doing so now given the past few months' guidance to flag anomalous cyber activity that could be an indicator of a more serious, future intrusion.
Rajiv Pimplaskar, CEO of Dispersive Holdings, said that the "large Internet of Things estate" associated with energy companies' operations technology can make those networks hard to patch and mask underlying security vulnerabilities.
"Companies should look at bolstering their communications security with advanced capabilities like managed attribution, which obfuscates source-destination relationships and sensitive data flows making the environment hard to target," he said. "Multipath VPNs can also help disperse data traffic across multiple routes, thereby making it hard for a bad actor to intercept or disrupt the entire payload."
Consideration must also be given to who is behind the threat, according to Nasser Fattah, North America steering committee chair at Shared Assessments, a leader in risk management mitigation and assessment.
The "intent is not financial gains" for Russia, he said. The "intent is to cause massive disruption and, if possible, make equipment irrecoverable."
And the energy sector, he said, is challenged by "infrastructure that has been in place for decades [and a] lack of funding and security resources to best protect and respond."
Up to the task
But the Electricity Subsector Coordinating Council, Association of Oil Pipe Lines, American Petroleum Institute and others across the energy landscape issued statements that they are up to the task.
Each referenced their close working relationship with federal partners, such as the Department of Energy and Cybersecurity and Infrastructure Security Agency, to ensure companies have the latest threat intelligence information, implement federal security directives and develop coordinated responses to incidents.
"Companies are also utilizing their own networks, resources and partnerships to posture themselves to best defend against any cyber threats," API Director of Operations Security and Emergency Response Suzanne Lemieux said.
John Stoody, AOPL's vice president of government and public relations, offered that "pipeline operators have vigorous cybersecurity programs consistent with major corporations and infrastructure operators."
An ESCC statement touted electricity providers' continuous threat monitoring capabilities and collaboration with the Electricity Information Sharing and Analysis Center for analyzing electricity-specific physical and cyber threat information.
Cyber incident response plans are being reviewed and refreshed, and companies, large and small, are taking advantage of CISA's "Shields Up" guidance and resources to bolster their cybersecurity posture and protect their most critical assets, industry players said.