Although these types of attacks on energy installations have become more common, the problem is still in its infancy, according to IT security experts.
“We’re really at the beginnings of this, it’s not mainstream,” David Emm, senior security researcher at Kaspersky Lab, tells AMEinfo. “The individual attacks on the likes of you and me continue to be mainstream. But we’re beginning to see more of this targeting going on. And Stuxnet, which is right on the cutting edge of this, did demonstrate that it’s certainly possible to focus on one target and go after that.”
Emm reports that over the last 18 months the number of targeted attacks seen worldwide has increased greatly and that any business could be a potential target.
The severity of this problem for the energy sector and the general public cannot be underestimated. “If anybody gets into the area where you can control opening and closing of valves, or release valves, you can imagine what happens,” Ludolf Luehmann, IT manager at Shell recently told the World Petroleum Congress.
“It will cost lives and it will cost production, it will cost money, cause fires and cause loss of containment, environmental damage – huge, huge damage,” he added.
Critical infrastructure businesses insulate themselves
Businesses in critical sectors such as the energy industry are rarely connected to the internet in the same way as others, in order to insulate them from potential attacks. However, this can cause problems in itself.
“One of things about businesses which are so critical is they tend to be designed so that they’re not necessarily connected in the way ordinary businesses are to the internet because there’s a recognition that they need to be buffered from the rest of the internet. In one sense that’s a plus because clearly if they are insulated effectively then it’s harder to reach them with a run of the mill attack,” says Emm.
“The downside is that closed systems like that tend to be less well protected in the sense that they are not patched. They don’t get patched routinely because they’re not connected to the internet. Because they’re critical systems there’s a natural reluctance or hesitation to interfere with the normal business process for fear that introducing an update maybe would cause a problem. And what that means is that if you do have a determined attacker and they do get a foothold into that organisation, so a threat can actually spread quicker through it because they are closed and less secure in the sense of being patched and so on,” he adds.
Risk analysis is key
When it comes to protecting against IT threats, the stages a company must go through are similar to any major risk. It starts with risk assessment and working out where the weak points are in the company’s security. From there the firm must plug the gaps as best they can and devise a plan to deal with attacks should they get through. Some attacks are almost impossible to stop.
“A lot of the attacks we’ve seen in the past year have used USB as a way of getting into an organisation. And clearly however closed that system is, if there are people coming in and out of that system there is a potential for them to bring with them on a USB key a programme to launch it that way and that’s how it gets a foothold,” says Emm.
Potential damage is alarming
The closed nature of these facilities mean any hackers have to be more sophisticated in order to break into them, but once they are in the amount of damage they can do is significant. “I think if I’m a would-be attacker and I wanted to go after a closed system then I’d have to be more determined to do it. I’m going to have to find a way to deliberately try and penetrate that business. It requires a greater level of intelligence because you have to spend time before the attack knowing how that business functions, but there are people who are prepared to do it,” says Emm.
Energy firms are well aware of the potential attacks which are out there, but that unfortunately can only help them so much. A determined hacker can make it through almost any defence, meaning those in the industry must be constantly on alert to that. The severity of this problem, should not be underestimated. “The stakes are much higher, if I lose £200 from my bank account then that’s bad news for me, but it’s limited to me. If somebody is able to penetrate a critical piece of the national infrastructure then that affects all of us,” concludes Emm.