The following is a Viewpoint by Galina Datskovsky, CEO of secure messaging company Vaporstream.
In October 2017, the cybersecurity firm FireEye issued an alarming report accusing North Korean state-sponsored hackers of targeting the control systems of U.S. electric power companies. While both the purpose and timing of each attempted breach are unclear, FireEye has proven that the nation-state threat actors exploited email as the attack vector, constructing a sophisticated spear-phishing campaign to lure power company employees into downloading attachments containing malware.
The cyber threats to critical infrastructure, including energy and utility companies, date back more than 25 years. But the threat frequency and sophistication have increased exponentially of late. In fact, in November, the FBI and Department of Homeland Security (DHS) issued a joint warning to nuclear, energy, aviation, water and critical manufacturing industries that “hackers had succeeded in compromising some targeted networks.” The attack vector of choice as identified by DHS and FBI — you guessed it — email phishing.
Today, 90 percent of all cyberattacks worldwide begin with email phishing, despite companies investing millions in phishing awareness and training tools for employees. Many consider the phishing risks to energy and utilities a primary national security concern, as each industry admits to a digitally amateur workforce — either unaccustomed to or untrained for the cyber-physical demands of the Industrial Internet of Things (IIoT) and the connected plant. Not to mention, the great information technology (IT)/operational technology (OT) divide between facility and enterprise still spawns vast vulnerabilities, despite attempts at convergence in recent years.
The cyber risks & organizational responses
In the North Korea example, it’s more likely than not that the nation-state threat actors were conducting reconnaissance as a means to map out an attack capable of taking mission-critical equipment or systems offline. Reuters estimates that an attack on the U.S. power grid could cost the economy $1 trillion, not to mention any human despondency or safety concerns derived from unavailable services. In a time of heightened tensions between the U.S. and the Peninsula, such a successful attack may be all but inevitable.
In an attempt to help power companies and utilities mitigate risk, the North American Electric Reliability Corporation (NERC), the Federal Energy Regulatory Commission (FERC) and DHS have all issued (and regularly update) guidelines and regulations — some enforceable by severe financial penalty and some not — on everything from attack reporting and incident response to Bring-Your-Own-Device (BYOD) policy and intelligence sharing.
In response, many energy and utilities companies earmark a good amount of their cybersecurity budgets to physical security improvements, workforce training and network monitoring, and anomaly detection specific to industrial control systems. The research firm Zpryme estimates that U.S. utilities will spend $7.25 billion on grid cybersecurity by 2020.
Yet out of the persistent fear of email phishing attacks and to expedite time-sensitive communications, many workers have begun to reduce their reliance on email altogether, instead choosing to utilize SMS texting for its ease-of-use and simplicity. In fact, 80 percent of workers report using SMS texts as part of doing business, even if text messaging is not a sanctioned form of communication in the workplace, according to Seyfarth Shaw LLP.
While the commitment to cybersecurity should be applauded, there’s just one problem: none of the most common safeguards adopted by power and utility companies do anything to mitigate the phishing epidemic. Even SMS texts are vulnerable to ‘smishing’ (SMS phishing) attacks. Fortunately, there are a number of early-adopter power and utility companies emerging as potential trendsetters by implementing what some might consider a unique fix to a complicated problem — the adoption of secure messaging platforms.
Secure messaging’s role in maintaining the integrity of critical infrastructure
For highly regulated industries in which safety, reliability and integrity of physical and digital assets are of the utmost importance, secure messaging provides a unique, yet proven solution to mitigate risk by taking communications outside of where they are most vulnerable — email and SMS text. With a secure messaging solution, only approved senders that have been granted access to an organization’s platform can send messages, thereby eliminating the threat of outside senders entirely. Secure messaging also prevents man-in-the-middle attacks, which can occur when unencrypted SMS texts are sent on an open network.
What’s also exclusive about secure messaging for power and utility companies is that the sender maintains complete control of the conversation, the data and its use at all times, preventing unintentional sharing, data theft and propagation of information. Further, unlike native SMS texting or email, secure messaging ensures all messages are captured and archived to the organization’s repository of record for compliance purposes and processes, while removing texts from sender and recipient devices. And in those moments of incident response, secure messaging allows for rapid notifications, response and recovery communications to meet corporate operating procedures, without worry of third-party surveillance or leaks.
Cyber threats will continue to compromise the confidentiality, availability, integrity and personnel safety of power and utility organizations for a long time to come. Likewise, phishing will remain the most exploited attack vector simply because of its impressive rate of success. Secure messaging provides an opportunity to make significant risk reductions by eliminating the vulnerabilities inherent to email and SMS texting, helping to maintain compliance and expediting and organizing incident response communications.
If there’s one thing we know about the majority of employees, it’s that they like to text. Doing it within a secure, risk-reducing environment is an added plus.