The energy industry is at severe risk of cyber attackers from private and state-backed groups due to the increased interconnectivity of energy systems throughout the world. This is the conclusion of Finnish cybersecurity firm F-Secure’s report ‘The State of the Station’.

The report argues that ‘malicious actors’ are targeting critical national infrastructure (CNI) sites because most CNI systems were put in place before the advent of always-on internet connections and before the Stuxnet worm. When these systems were designed, cyber attacks were not a design consideration, so they lack the security controls that are the norm today. As such, the report argues that ‘transitioning these systems to the internet has opened them up to attacks from a myriad of angles.’

F-Secure outlined nine distinct attackers, malware families and techniques targeting the energy industry. These include the hacker group APT33, which F-Secure believes has been supported by the Iranian government. APT33 attacked the Italian oil and gas company Saipem in December 2018, using a version of the Shamoon disk wiper to erase data from company computers.

Other groups include the Russian-backed Dragonfly and Dragonfly 2.0, which have targeted the energy and nuclear industries, and Operation Sharpshooter, which poses as a job recruiter to conduct cyber reconnaissance.

The report concluded that energy companies should accept that cyber attacks are unavoidable, and that they should therefore be familiar with their incident response plans and procedures and apply the three C’s of continuous response: collaboration, context and control. It also stated that companies should invest in technologies such as endpoint detection and response (EDR) for better protection.

F-Secure labs threat researcher Sami Ruohonen said: “EDR is a quick way to tremendously increase capabilities to detect and respond to advanced threats and targeted attacks which might bypass traditional endpoint solutions.

“Managed EDR solutions can provide monitoring, alerting, and response to cover the needs 24/7. This means organisations’ IT teams can operate during business hours to review the detections while a specialised cybersecurity team takes care of the rest.”

Ruohonen concluded: “Espionage and sabotage attacks against CNI organisations have increased over the years and I don’t think we have seen it all yet.”