[co-authors: Evan Roberts]
With cyber attacks on the rise, energy companies should plan now for the nightmare scenario.
The global energy sector is more interconnected, automated and digitized than ever before. But despite these technological advances, most energy companies are still largely unprepared to defend against cyber attacks — a vulnerability that grows more dangerous every day.
The frequency and severity of cyber attacks have increased substantially since the onset of the COVID-19 pandemic thanks largely to an increased dependence on digital networks. In just the past 12 months, 78 percent of G20 companies have been negatively affected by a cyber attack, according to the FTI Consulting 2021 Resilience Barometer®.
The energy industry — despite its critical importance to infrastructure and commerce around the world — is still vulnerable to such attacks. A stronger focus on preparedness will allow the sector to bolster its defenses in this all-important area.
Fortunately, remedying that situation and properly preparing the energy sector for cyber risks are not as complicated as it may seem. To get started, energy companies first need to develop a cybersecurity incident response plan (IRP). Properly designed and implemented, a good IRP can spell the difference between disaster and adequately responding to — and recovering from — cyber attacks.
Knowing the risks
Before setting out to establish your IRP, it’s important to understand the risks you’re trying to defend against. Because the energy sector plays a central role in global critical infrastructure, and because of its high-risk operations, the fallout from cybersecurity incidents can be widespread and public, meaning a response plan must take into account a broad spectrum of stakeholders.
For example, cybersecurity incidents present unique communications challenges for energy companies, especially in the event of a major operational disruption or loss of personal customer or employee data. To mitigate reputation risk and ensure a swift and seamless company-wide response, it’s critical to build and integrate a communications plan into the broader IRP before an incident occurs.
Energy companies also make tempting targets for ransomware attacks due to their vulnerability and the public’s dependence on them. In a ransomware attack, cyber criminals forcefully encrypt an organization’s entire network or hijack sensitive information such as client data and refuse to release it until the victim has paid a ransom. If the targeted company has not encrypted and verified its backups and maintained them securely offline — basic cybersecurity procedures — it may be forced to pay the ransom or initiate a rebuild of its entire network.
Other dangers stemming from ransomware attacks, which have become more prevalent in the industry, include damage to the victim company’s reputation and regulatory consequences. Data protection implications such as class action lawsuits for leaking personally identifiable information (PII) are also possible.
Crafting the right plan
While an IRP may not prevent a cyber attack from taking place, it can seriously reduce damage. When a breach goes undetected, a greater range of assets is more easily compromised, and the longer attacks go undetected or unabated, the more damaging they become. Plus, not knowing how to respond in the heat of the moment impedes a company’s ability to keep its business moving, compounding the impact of the attack with further service disruptions.
In short, failing to secure vulnerabilities ahead of time grants cyber actors easy, unauthorized access and puts the organization and its customers at risk. Implementing an IRP now is essential for any energy company that hasn’t yet done so.
A well-thought-out IRP is the cornerstone of a strong cybersecurity program. It should involve a “whole of organization” approach to cyber incidents, meaning it includes personnel from across the organization. Consider including at least one decision maker from each of the following functions:
- Information technology
- Human resources
- Executive management
At a minimum, the IRP should include three phases:
1. Preparation: This includes establishing exactly who will be on the incident response team, training them to know how to react during a cybersecurity incident, and determining which tools and resources are needed to assist with the response. This phase should also include compiling contact information for relevant personnel (e.g., attorneys, key stakeholders, law enforcement) so that the team is not scrambling to find these details in the heat of the moment.
2. Detection & analysis: Early identification, detection and analysis are critical in minimizing the damages and reach of a cyber attack. Doing so requires leveraging resources and tools designed to measure the scope, impact and level of response. This phase helps identify the root cause and allows for proper preservation of forensic artifacts to assist with potential investigations.
3. Containment, eradication & recovery: This involves preventing data from leaving the network, removing unauthorized users and malicious code, and closing vulnerabilities that could have been leveraged for access. The recovery process comes next, involving post-incident analysis to determine what implementations are required to prevent a similar cyber attack.
Perhaps most important, the IRP should be reviewed, updated and practiced during an annual tabletop exercise. This accounts for new threats and internal turnover while also keeping the information fresh in the minds of the IRP team.
As noted earlier, aligning and integrating a communications IRP into the broader IRP is also essential. In particular, communications IRPs should be adaptable to the specific kind of attack the company is experiencing, particularly given the increasing variety of cyber threats targeting the energy sector. A communications IRP typically includes three core components:
1. Best practices for communicating during a cyber incident, such as keeping outside counsel across all work products so that they are aware of the implications of a cybersecurity incident and how they can help.
2. In-depth scenario planning to account for escalating factors in cyber incidents. Examples include a cyber actor’s demanding more funds or threatening to release information, and the stakeholder communications that may be required, e.g., a proactive message to customers about impacted data.
3. Decision-making protocols for communications teams around key tasks like document approvals and rules for media engagement to help quickly determine how and when statements about the incident should be issued.
As owners and operators of critical infrastructure, the energy industry must act to prevent and respond to cybersecurity incidents. And given the scale, scope and urgency of the threat, there is little question action should be taken as soon as possible. While there may not yet be a bullet-proof defense against cyber actors, having a plan in place can spell the difference between a minor inconvenience and a catastrophic event.