In today’s digital landscape, data is a company’s most valuable asset, and energy companies, particularly electric-power and oil and gas, remain at risk of hacking attempts due to their major social and economic importance. Here, David Greenwood, CEO at the leading IT managed service provider (MSP) ISN Solutions, advises on three key zero trust principles to ensure IT systems are protected, and how these principles can mitigate risk to company operations and sensitive and critical data.
Over the course of the pandemic, businesses of all genres and sizes within the oil and gas sector have faced increased risk of a network breach. Reported cases from UK businesses as a whole rose by 20% in 2020, while Hiscox’s Cyber Readiness Report (October 2020) revealed that the energy sector bore the highest burden for financial losses as the result of a breach. This, coupled with the continuation of wide-spread remote working, has accelerated change in IT infrastructure design, including increased implementation of zero trust security models.
Never trust, always verify
The underlying ethos to zero trust security models is the assumption that any attempt to access the company network is a potential breach. In comparison, outdated ‘trust but verify’ security models assume that the user should be granted access, but ask for verification (usually single factor authentication such as a username and password) ‘just in case’.
‘Trust but verify’ security models pose potentially costly risks, as threats like banking Trojans can capture login credentials, even if data is hosted in the cloud, and are no longer a valid defence against modern cyber threats.
The zero trust security model takes verification multiple steps further. The model incorporates stringent security protocols, with multi factor authentication as a minimum, as well as inspecting and logging all traffic. Access requests originating on a local area network (LAN) are treated with the same level of suspicion as if they had come from a wide area network (WAN) which in IT security terms is analogous to the Wild West. This is because the need to defend against threats from inside companies is being increasingly recognised. Hackers meanwhile are turning to bribery to access systems and disrupt operations and, even as long ago as 2012, in the case of oil and gas company EnerVest a disgruntled employee was able to sabotage company systems which resulted in extensive disruption to business operations for well over a month. In today’s ever more aggressive cyber environment the threats are even greater.
Security models that analyse additional factors beyond user credentials, such as the user’s location, device and access habits, and are able to spot anomalies, can more reliably ascertain whether the user is who they claim to be or whether there is a breach. This enables quicker response to potential threats, and the quicker a response to a breach, the easier it is to limit the damage. This can also help companies to react to insider threats, if the model is designed to flag unusual user activity or login times.
Additionally, in zero trust security models, user access to data is controlled by what is termed as just-in-time (JIT) and just-enough-access (JEA) principles. These ensure that employees can access the data they need to stay productive, but other revenues of data and areas of the network are restricted to limit the scope of damage from a successful hacking attempt or malware or ransomware infection, thus preventing infection spreading across the rest of the entire network and all devices.
Integrate zero trust principles as company philosophy
The principle of ‘never trust, always verify’ shouldn’t just be applied to IT systems design, but should be fully integrated into company culture. Some scams and attempts at data theft, such as business email compromise (BEC) scams or malware posing as systems or browser updates, rely on social engineering tactics rather than forcing entry to the company network. These can be particularly difficult to defend against as these scams are triggered simply by human error.
As theft of information is one of the primary motives for attacks against energy companies, BEC represents a potentially serious threat. Hackers may try to obtain company plans on mergers, acquisitions or bidding strategies to sell on to a competitor, for example.
In this scam, hackers spoof an email domain to very closely match the email address of a company’s CEO or senior management, and distribute an email asking for sensitive information to company employees. The scam relies on employees being too busy or stressed to properly examine the sender’s email address or register the request as unusual, and so the potential of these scams succeeding has grown due to the stress of the pandemic. Falling victim to a BEC attack can have wide-ranging consequences, as well as sensitive company information being passed to competitors, there is also the potential of cancellation of business deals, and loss of revenue, reputation and customers.
Ensure all resources can be accessed securely, regardless of location
The golden rule of IT security is that there should be no single point of failure, which includes ensuring that no unvetted, unsecured devices can access the network.
This is vital to the oil and gas sector in particular as it continues to undergo digital transformation and equip employees in offshore and remote locations with small, portable devices to access critical company data.
The problem with introducing these devices to company networks is that it’s often forgotten that they can create an entry point for hackers. The most obvious threat is ransomware, which has the potential to spread quickly from one infected device across an entire network. It can take weeks until companies are able to resume operations as normal after a ransomware attack, and the cost of a ransom is likely to be high, especially now as ransomware operators are deploying two-stage attacks, demanding a second ransom with the threat of publishing sensitive data online.
The potential cost of ransomware attacks today goes beyond severe financial loss, including damage to existing customer relationships and severe difficulty attracting new business, especially if it’s discovered that customer data has been published online.
While enabling multi factor authentication on VPN services and having endpoint security solutions can help to prevent ransomware operators from accessing the network, the key defence against ransomware is to be prepared. This means proper backing up of data in multiple locations, which can help companies to avoid paying a ransom and to resume business operations more quickly, and ensuring there are no unsecured end-points leaving an easy way in for hackers.
Switching to a zero trust security model often requires careful planning to ensure productivity and access to data needed for daily work is maintained. If needs be, companies can partner with an IT MSP specialising in network resilience and security to advise on, or assist with, the implementation of new security architecture and protocols.
