13 September 2017

IBM Security Report on Cyber Security Risks in the Energy and Utilities Sector

IBM X-Force has published a report on cyber security risks in the energy and utilities sector. According to the report, in the first half of 2017 the number of attacks targeting industrial control systems continued to rise. Notably, based on 2016 data, while 60% of attacks were carried out by outsiders, more than half of internal threats were associated with inadvertent actions of employees.

According to the report, injections of different types represent the most popular attack vector. These include SQL injections and operating system command injections. Attackers also collect information to identify weaknesses in the target organization’s IT infrastructure and better prepare to carry out targeted attacks. Threat actors use existing flaws in authentication and identification mechanisms, as well as vulnerabilities in the target’s client-server communication channel, to gain access to critical systems.

The report recommends the following measures to be taken by companies in the energy and utilities sector to protect their industrial control systems:

  • raise employee awareness and provide regular training to reduce the number of inadvertent threat actors inside their organizations;
  • use role-based access and apply the least privilege principle in assigning rights of access to critical resources;
  • use identity and access management to identify suspicious actions; when employees change job titles within the organization, revoke their access rights accordingly and terminate all their access rights if they leave the company;
  • develop a comprehensive incident response plan and form a well-trained incident response team;
  • implement network perimeter protection, controlling critical components and information exchanges with third-party corporate systems, such as ERP;
  • regularly carry out ICS vulnerability analyses and penetration testing, and implement timely patch management, patching any vulnerabilities identified.