Research finds 87% of utility and energy companies experienced OT network cybersecurity breaches in the last 36 months

Poor password practices, misconfigurations, and an overreliance on meeting compliance requirements increase OT security risk

Skybox Systems Director of Systems Engineering Terry Olaes has more than 20 years of experience in IT. His expertise includes IT/OT convergence, audit and compliance, data breaches, and incident management. Working on the ground floor at a manufacturing plant, serving as a systems engineer, and managing large security teams have given Terry a unique perspective on fortifying IT/OT security posture.

With cyberattacks on critical infrastructure and supply chains on the rise, we asked Terry to discuss his perspective on a new Skybox Security research study highlighting imperatives for Operational Technology [OT] security. The study found that 71% of utility organizations are highly confident that they will not experience a breach next year. Yet, 87% of utility companies have experienced at least one breach over the past thirty-six months. It sounds like a strange contradiction, right? However, Terry explains why he’s not surprised by this finding and what energy and utility companies need to do to ensure the security of their “OT crown jewels.”

Although 87% of utility companies have experienced at least one breach over the past thirty-six months, 71% of utility companies believe they’re safe. Isn’t that an odd contradiction? 

Terry Olaes: I’m not surprised by this finding for these two reasons:

Because of a breach, organizations will correct compensating controls to ensure that the violation doesn’t happen. Compensating controls could be user education, security tools, enhanced processes, or an audit regiment. In addition, the lessons learned from the breach often help leadership teams to neutralize the threats confidently.

Additionally, as a leader of an organization, you must believe that you have the tools and people to prevent a breach. By nature, the question will cause great reflection. If I were asked whether my organization might have a breach in the next year and I answered “yes,” I would have to answer to “What am I doing to prevent a breach in the next year?”

Utilities are highly regulated and have significant compliance requirements. However, being compliant doesn’t equate to being secure. Were you surprised that ‘maintaining compliance with regulations and requirements was the survey respondents’ most common top concern? 

TA: It’s easy to preach that compliance/regulation does not equal security. Still, the simple fact is that most leaders have nothing else to measure their security preparedness. We’ve all heard about the shortage of talent in the cybersecurity industry. Without solid, knowledgeable personnel, leadership must lean on compliance to help protect against OT breaches. This gap between strategic leaders and tactical personnel quickly leads to a disconnect between what’s happening in the field and what leadership believes is the state of information security. Add to this dilemma, the processes and controls for security inhibit the business’s ability to operate, especially in OT/ICS environments. Very much like we see with “Shadow IT” scenarios in the enterprise environment, OT/ICS environments will do whatever it takes to keep the business running.

 

One of the top two concerns of utility organizations in this survey was that ‘misconfigurations will open their network to bad actors.’ So how have misconfigurations impacted OT security in the oil and gas and utility industries? 

TA: Misconfigurations generally cause unintended access to the Industrial Control System [ICS]/OT environments. Especially in oil and gas, most remote sites have a “cookie-cutter” configuration/setup. This configuration is not limited to just the IT/OT systems in remote locations. The pads, pump stations, housing areas, etc., are all set up similarly. So, when there is a misconfiguration, it means that the same “misconfiguration” is in place across the entire organization: routers, firewalls, wireless access points, HMIs, etc. Most of the time, this will include using the same passwords.

Unfortunately, a remote user can access other systems using the same password once a password is known. Most remote sites have wireless technology to keep the data online (satellite, cell service, municipal wireless, etc.), often requiring instrumentation and customer needs. As you can imagine, there is a severe risk associated with a lack of controls and security best practices that is generally accepted and well known in the industry. To this day, I speak with customers who still use remote access software with a shared password, not connected to a central authentication system. Unfortunately, this approach to managing passwords is the status quo in ICS/OT environments. Therefore, the password problem continues to plague security in these environments.

Can you give me a couple of scenarios where Skybox can help a utility company reimagine its OT security? 

TA: The most significant advantage that Skybox brings to the table is visibility. Because Skybox is not inline, not agent-based, not actively crawling the network, we can show organizations the risk associated with lack of compensating controls. Quite often, it’s literally “showing” them with a “network model.” Step by step, customers can see how network traffic traverses through environments, graphically highlighting the functional devices that are allowing the access, thus lacking compensating controls.

A network model provides a visualization of all network elements across an organization’s various environments combined with an understanding of all the rules and configurations. With network modeling, you can run security assessments and simulations against all the devices, vulnerabilities, and configurations within the security environment. Security, IT, and OT teams can gain the context needed to implement automation across a wide range of operational security processes. Network modeling will take on an increasingly critical role for organizations, especially those in the utility sector, providing insights and visibility to perform accurate exposure analysis to detect your most dangerous vulnerabilities. Network modeling keeps you one step ahead of hackers and stops breaches before they happen.