Held up without a gun

Materials World magazine
,
1 Sep 2017

The energy and mining sectors have long been a tantalising target for cyber attacks. Khai Trung Le looks at attacks over the last 12 months and emerging preventative measures.

It seems fitting that a major cyber attack on an oil producer was first announced on Twitter. In July 2017, oil company Rosneft, majority-owned by the Russian Government, declared, ‘A powerful hacker attack has been carried out on the company servers,’ with statements later verified through a spokesperson. Rosneft was quick to quell potential rumours of any effect on production, noting, ‘A hacker attack could have serious consequences, but thanks to the fact that the company switched to a standby system for managing production processes, neither the production nor the preparation of oil was stopped.’

Cyber attacks are increasingly common, and while they have recently brought security to the public consciousness, the energy and mining sectors have long been lucrative targets for hackers. Their relationships with governments and integration with global supply chains heighten the impact of disruption, and companies are becoming more reliant on digital systems and commercial software that may prove to be points of weakness in a company’s infrastructure.

Their appeal as targets is only likely to escalate. Rob Labbé, director of information security at Teck Resources, said, ‘In five to seven years, it will become impossible to run a safe and environmentally sustainable mine – let alone a productive one – unless it’s also secure. I think the [mining] industry is starting to realise that.’

Down in the Ethereum mines

Cyber attacks can take many forms, but perhaps the most commonly recognised is the data breach – accessing private servers for data or information, and threatening to distribute the stolen data unless a ransom is met.

In 2016, Goldcorp, one of the largest Canadian mining companies, was targeted and breached by anonymous hackers, who managed to acquire 14.8 gigabytes of private information including payroll, budget documents, employee passport scans and bank account details. After the initial leak, the hackers claimed to be planning several more, stating on their website, ‘The next [data] dump will include 14 months of company-wide emails, containing some good old fashioned racism, sexism and greed.’

Companies rarely disclose how hacking attempts are resolved, but research from cyber security news site Cyberscoop suggests that 70% of victims prefer to capitulate to the demands of hackers rather than attempt countermeasures or inform authorities, with the popularistion of crypto-currencies such as Bitcoin and Ethereum making it all the harder to track attackers after their demands have been met. 

The USA nuclear sector also recently experienced an attack, but has remained cagey with the details. A joint statement from the Department of Homeland Security and the FBI confirmed that unidentified hackers had targeted companies responsible for a number of operating nuclear plants throughout June–August 2017. Only one target – Wolf Creek Nuclear Operating Corporation, Kansas – has been confirmed, while the outcome of the attack and motives of the attackers remain unconfirmed.

What little information has been made public suggests that the breach was an unsophisticated phishing scheme – targeting plant personnel to open emails loaded with ransomware and Trojan horses. However, despite the lack of immediate damage, the USA nuclear hacks may be cause for concern. The joint statement posits the hackers were principally interested in mapping the computer network in anticipation of future attempts. 

In the UK, Motherboard acquired a leaked warning from the National Cybersecurity Centre (NCSC), a subsidiary of GCHQ, regarding hacking attempts on the UK energy sector, stating that some organisations are expected to be undermined. The warning reads, ‘The NCSC believes that due to the use of widespread targeting by the attacker, a number of Industrial Control System engineering and service organisations are likely to have been compromised.’ The wave of activity is believed to have begun around 8 June and also reached other sectors with a focus on engineering, industrial control and water. 

The former head of the National Grid, Steve Holliday, also recently told the Guardian, ‘The UK stands out uniquely on cyber threats. Nowhere else is as worried as the UK – we are just off the scale on our energy system concerns on cyber.’ Holliday points to the proliferation of decentralised power – solar panels on homes and small, flexible gas power plants – and the growing number of web-connected devices in energy technology. This mirrors comments made in the October 2015 Chatham House report, Cyber Security at Civil Nuclear Facilities: Understanding the Risks, highlighting the myth of ‘air gapped’ nuclear facilities – isolated from the public internet – among facility operators, and warns that a lack of training and trust between engineers and security personnel ‘means that nuclear plant personnel often lack an understanding of key cyber security procedures’.

foothill94022

A World Energy Council report states there is a ‘massive increase’ in the number of successful cyber attacks against energy firms. Christoph Frei, the council's Secretary General, said, ‘Cyber threats are among [the] top issues keeping energy leaders awake at night. Over the past three years, we have seen a rapid change from zero awareness to headline presence. As a result, more than 30 countries have put in place ambitious cyber threats as a persistent risk to their economy.

‘What makes cyber threats so dangerous is that they can go unnoticed until the real damage is clear, from stolen data over power outages to destruction of physical assets and great financial loss. Over the coming years we expect cyber risks to increase further and change the way we think about integrated infrastructure and supply chain management.’ 

Much of the danger comes from the varying angles and sophistication of cyber attacks – tactics to prevent ransomware and malware email attachments differ greatly to blockading the high-profile spread of the global WannaCry and Petya attacks that struck the servers of Rosneft, shipping and transport firm Maersk and the NHS among others. Regardless, there are a number of measures companies can take to mitigate risk.

Recognise both critical assets and the flaws in your system. Conducting a comprehensive risk assessment should reveal where the greatest vulnerabilities lie, and help document security policy and risk mitigation.

Determine the risk factors. The Internet of Things may help integrate automation and efficiency, but it also adds pressure to the points of access and potential weakness. Ensure your staff are educated on the veracity of emails and attachments, and safe use of external hard drives.

Admitting current weaknesses may seem an obvious observation, but 47% of respondents to the EY Global Information Security Survey report admitted they cannot detect a sophisticated cyber attack. Vulnerability intelligence programs may help identify existing system flaws.

Full spectrum response

With the perpetrators of cyber attacks often operating without detection or identification, mounting an adequate response can be difficult.

The UK Department for Digital, Culture, Media and Sport has launched a consultation to decide how to implement the Network and Information Systems (NIS) Directive, including proposed ‘last resort’ fines of as much as £17m or 4% global turnover against energy companies among others that fail to adequately prepare against cyber attacks. The NIS Directive will form part of the UK Government’s five-year £19bln National Cyber Security Strategy. 

UK Defence Secretary Sir Michael Fallon has also posited that the UK could retaliate against future attacks with ‘full spectrum capabilities […] the price of an online attack could invite a response from any domain – air, land, sea or cyberspace’, suggesting military force could be used against what it deems to be state-sponsored cyber attacks targeting infrastructure.

In the USA, senator Edward Markey has called for the release of information regarding the scale of the attacks and to demonstrate sufficient security measures are in place. ‘There is no guarantee that malicious code could not migrate to physical control systems through the errant or unauthorised use of removable storage devices.

‘Furthermore, administrative and business networks could contain information relevant to the safety and security of nuclear plants, as well as personal information about the plant personnel. Malicious actors could use sensitive data to undermine plant security.’

The US Department of Homeland Security has called cyber attacks on critical infrastructure ‘one of the most serious national security challenges we must confront’ and aims to strengthen its cyber security defences of federal networks, following the signing of an executive order by President Donald Trump. The order, signed on 11 May, will hold agency heads accountable for information leaks, increase education and training in cyber security and adopt the Framework for Improving Critical Infrastructure Cybersecurity.

The order also calls for the modernisation of the US Government’s IT infrastructure, although parties are divided on the likelihood that the substantial budget required will be met. Former director for national intelligence, James Clapper, said in a Senate committee hearing, ‘The Trump Administration understands preparing a new executive order and strengthening the cyber security of federal networks and critical infrastructure, emphasises accountability, managing government IT architectures. Although what I expect is that the accompanying authorities and resources will not match these bold goals.’ 

The heavy-handed nature of these responses may seem inflexible compared with the swiftness and efficiency of recent cyber attacks, but it is at least a declaration that cyber security has reached the forefront of importance. With heightened commitment to the Internet of Things and Industry 4.0, this could not come too soon.