The following is a contributed article by Benny Czarny, CEO and founder of cybersecurity firm OPSWAT.
President Trump's unexpected and controversial decision to kill Qassim Suleimani, an Iranian Major General in the Islamic Revolutionary Guard Corps, was met with immediate speculation about Iran's capacity to strike back. While opinions differed on the retaliatory timeframe and targets, almost all of the talking heads agreed that America's digital assets, especially those powering critical infrastructure, are at severely heightened risk of cyberattack in this post-Suleimani world.
Iran's cyber capabilities are relatively well known and improved steadily in the latter part of the 2010s. The Center for Strategic and International Studies explains that "years of constant engagement with Israel and Saudi Arabia have improved Iran's cyber capabilities, and experience with covert action gives Iran the ability to conceptualize how cyberattacks fit into the larger military picture."
High risk, high reward
A big part of the Iranian cybersecurity threat is its strategic prioritization of high risk, high reward critical infrastructure targets essential to the American way of life. In fact, a new report by Wired revealed that a hacking group affiliated with Iran and its proxies has been probing American electric utilities for the past year.
While security analysts don't believe that Magnallium, the Iran-backed hacking group identified in the report, has the ability to break down the front door of a grid's control center, it's clear that the reconnaissance needed to eventually do so is underway, and was even before Suleimani's death.
If there's perhaps one mutually agreed upon benefit to come out of the Suleimani killing, it's the heightened dialogue on critical infrastructure cybersecurity. While U.S. power companies are much more secure now than they were a decade ago, vulnerabilities continue to be identified while threats continue to increase in frequency and sophistication.
That's why as we begin this next decade, the energy industry must prioritize cybersecurity training for employees at every level of their organization and embrace a holistic Zero Trust approach that emphasizes prevention strategies over reactive detection methods.
Mitigating cyber risk with training and awareness
As public and private enterprises look to new cybersecurity solutions to mitigate the risks, global cybersecurity spending is expected to grow to $133.8 billion by 2022, according to International Data Corporation. The White House's 2020 budget alone includes more than $17.4 billion for cybersecurity-related activities, a 5% increase over 2019.
However, we'll need to do more than throw money at the issue.
The problem lies in the fact that the energy sector has become an increasingly attractive target, both for nation-states like Iran engaged in geopolitical campaigns and for profit-motivated criminal syndicates. That's largely because much of our nation's energy sector is built upon a tangle of legacy industrial control systems that were intentionally designed as closed, 'air-gapped' systems.
But perhaps the greatest vulnerability is the human element. While many energy companies are addressing remote device and network risks, basic security awareness and training often lag behind.
A shift in mindset: From detection to prevention
As we enter the next decade, executive leadership at energy organizations will need to take a hard look at their existing systems, their security practices, and most importantly, their attitudes towards how they approach cybersecurity.
And because threats can now come from anywhere, any piece of connected technology must be treated as potentially malicious. This is the essence of a "Zero Trust" prevention-first mentality — one in which trust is never implied and the legitimacy of every file, every device, and every network connection is always questioned.
All employees, be they executives, control engineers or accountants, must develop a deeper appreciation that any interaction with technology can open a door to a potential cyberattack. It's imperative that critical infrastructure organizations prioritize cybersecurity training for all employees, emphasizing that every person who interacts with technology also plays an important role in protecting mission-critical infrastructure.
To truly prepare for the increasing sophistication and frequency of cyberattacks targeting energy infrastructure, the burden will rest squarely on the shoulders of executive leadership to ensure that all employees, regardless of their role or responsibility, are aware that any interaction with technology has the potential to unleash the next Stuxnet, or worse.
What comes from the Suleimani killing — from both a cyber and physical perspective — remains to be seen. But Iran and its proxies aren't the only cyber threats that America's energy sector will face in the decade to come.
To mitigate risk, energy stakeholders must begin to make the mindset shift from detection to prevention, for once an attack on energy infrastructure is underway, it could be too late to respond.