Cyber threats to the Energy sector are on the rise. As one of the sixteen national critical infrastructure sectors, it is vital that energy companies are able to adequately defend themselves from advanced persistent attacks, industrial espionage and state-sponsored attacks.
Energy companies across the board are increasingly adopting advanced deception technology to augment their preexisting cybersecurity tools to better protect their critical infrastructure and sensitive data. A defense-in-depth approach to cybersecurity through the use of deception technology reduces risk with each effective layer of protection and combines a mix of defensive and offensive measures for maximum protection against a breach. This is achieved through a mix of decoys, endpoint lures, application and data deceptions; all designed to identify and misdirect an adversary.
The Attivo Networks Deception solution provides energy companies with the tools necessary to maintain an active defense posture, providing early and accurate detection of in-network threats, forensics and response capabilities. Deception empowers those in the Energy sector with the ability to protect confidential company information, comply with applicable laws and maintain safe and reliable operations.
$7.4 million per incident, a figure that has held steady from past years
68 % of oil and gas companies report having been breached
61 % of energy companies report having difficulty mitigating cyber risks across the oil and gas value chain
59 % of those in the energy sector believe there is a greater risk to operational technology than to IT
Efficient and reliable detection of internal and external human and automated attackers.
Accurate visibility to in-network threats, exposed attack paths, sequencing, and replay.
Scalability across an evolving attack surface including IoT/ICS and SCADA devices.
Machine-learning automates deployment and operations. Actionable alerts, automation, and native integrations empower fast response to alerts.
Faster investigation and simplified incident handling through automated attack analysis and response actions.
Many claims are made about the security of OT segments, but security is like anything else: your posture is only as good as your weakest link. In OT, that weak link is often the HMI. The Human-Machine Interface is a critical component in SCADA networks, the user interface that connects an operator to the controller for an industrial system. These systems are typically deployed on Windows-based workstations, which means that every vulnerability and tactic that can be used against Windows can be used against this necessary SCADA component.
Attivo Networks decoys can be deployed to look exactly like production HMIs, even containing deceptive data that further distracts/confuses/redirects the attacker away from the real systems. When these HMI decoys are engaged, events are immediately generated to alert the administrator, and a deceptive experience can be provided to the attacker, wasting their time and keeping them away from critical infrastructure.
It is not unheard of for changes to occur on plant floors with no visibility into those changes; many have heard stories of manufacturer upgrades to OT equipment that not only changed operational components, but connected those devices/components to the Internet for active health monitoring. This type of action exposes critical components of the business and, without proper visibility into the additional components that are now “connected”, the business will be in constant danger.
The Attivo Networks solution provides visibility at Layers 2 and 3, giving security administrators a real-time view of devices operating in the OT networks. Events can be configured to alert administrators any time a new device comes onto the network, allowing immediate visibility and, if necessary, quick action. Admins can also use the timeline and search/filter capabilities of the “Network Analysis” view to target specific instances.
Much like HMIs, PLCs are a foundational component of OT networks. PLCs are used for automation of industrial electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, or light fixtures. This component is ubiquitous in critical infrastructure, and for the attacker to own these components is the ultimate end game. These components are not “hacked” as most know the term; rather, they are discovered in numerous ways, and code is pushed to PLCs to control a variety of actions.
Attivo Networks can deploy deceptive PLCs throughout the OT network that respond to recon attempts (such as scans) as a real PLC would, drawing attacker attention and pulling tripwires in every corner. As an attacker “tests” and discovers PLCs to push code to, or rewrite code on, there is a high likelihood that the attacker will stumble over one of these deceptive PLCs, generating an alert and creating instant awareness for security teams.
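A decoy PLC works by speaking the protocol the way a real controller would while treating every request as a signal. The following is an added example, not Attivo Networks code: a minimal Modbus/TCP responder that parses a request frame, serves reads from a constructed deceptive register table, refuses writes and other functions with a Modbus exception as a locked-down PLC would, and emits an alert record for each touch. The register values and the client IP are constructed for illustration.

```python
"""Minimal Modbus/TCP decoy-PLC responder (hypothetical example, not Attivo code)."""
import struct
from datetime import datetime, timezone
from typing import Dict, Tuple

READ_HOLDING_REGISTERS = 0x03      # the function code scanners and HMIs use most
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02

# Constructed deceptive process image: 100 holding registers with plausible values.
DECOY_REGISTERS: Dict[int, int] = {addr: (1000 + 7 * addr) % 65536 for addr in range(100)}


def parse_mbap(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Return (transaction id, unit id, function code, data) from a Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return tid, unit, frame[7], frame[8:]


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header; the length field counts unit id plus PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def handle_request(frame: bytes, src_ip: str) -> Tuple[bytes, dict]:
    """Answer one request as a PLC would and return (response frame, alert event).

    Every request is alert-worthy: no production client has a reason to talk
    to a decoy, so a single touch is high-fidelity evidence of reconnaissance.
    """
    tid, unit, fc, data = parse_mbap(frame)
    alert = {"time": datetime.now(timezone.utc).isoformat(), "src_ip": src_ip,
             "unit_id": unit, "function_code": fc, "severity": "high",
             "reason": "read against decoy PLC (reconnaissance)"}
    if fc == READ_HOLDING_REGISTERS and len(data) == 4:
        start, count = struct.unpack(">HH", data)
        addrs = range(start, start + count)
        if 1 <= count <= 125 and all(a in DECOY_REGISTERS for a in addrs):
            payload = b"".join(struct.pack(">H", DECOY_REGISTERS[a]) for a in addrs)
            pdu = bytes([fc, len(payload)]) + payload
        else:
            pdu = bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS])
    else:
        # Writes, diagnostics and vendor codes are refused, but they are the
        # strongest signal: someone is trying to change or probe controller logic.
        pdu = bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION])
        alert["reason"] = "non-read function against decoy PLC (write or probe attempt)"
        alert["severity"] = "critical"
    return build_frame(tid, unit, pdu), alert
```

The alert dictionary is what would be forwarded to a SIEM; the response is what keeps the decoy looking like a live controller to the scanner.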
There are many types of technology within OT environments. Among them is IoT in many forms: CCTV, connected cameras, BMS (Building Management Systems), IP phones, etc. It is important to be able to cover the discoverable target surface as thoroughly and authentically as possible.
Using Attivo Networks deceptions, the possibilities are virtually limitless; deceptions can be set up to look like streaming, connected cameras playing a loop of the security administrator’s choosing. IP phone deceptions can actually be connected to should an attacker target them. Of course, the slightest touch on any of these deceptions alerts the security administrators to the presence of attackers or curious insiders that could be roaming where they shouldn’t be.
While vulnerabilities in the traditional sense may not pertain specifically to PLCs (Programmable Logic Controllers), HMIs (Human-Machine Interfaces) and other equipment in OT (Operational Technology) networks are often running the same version of Windows that enterprise users are. The presence of firewalls, routers and switches also strengthens the need for periodic vulnerability assessments (performed internally or by a third party).
Vulnerability emulation can be used as an overlay for existing decoys, layered on top of the deception capabilities. This means the vulnerability itself does not exist; rather, it appears to exist to the assessment team or attacker. Once the emulated vulnerabilities are spotted by reconnaissance or opportunistic attempts, exploits are then used to try to compromise those machines; this results in an immediate event being generated and sent to administrators.
This validates not only that vulnerability emulations are helping lure attackers, but strengthens assurance that the assessment teams are taking a thorough approach and using targeted tactics during the assessment.