The nature of the energy sector and its assets, which include critical infrastructure, requires a specific cybersecurity approach. Cyberattacks can not only jeopardize the data and IT systems of energy companies, but also their operational capacity if OT systems are affected, putting at risk vital services to society, such as the electricity supply to our homes and businesses. To examine the strategies and measures these organizations implement to prevent cyberattacks, we spoke to Carlos Manchado, CISO of Naturgy.
Early in the year, the INCIBE published its report into industrial cybersecurity in 2019, highlighting how the industry and the utilities belong to a sector that is increasingly being targeted by cybercriminals. Bearing in mind these threats, and the peculiarities of the sector (critical infrastructure, the use of SCADA systems, or the industrial IoT), could you tell us in general terms the cybersecurity strategy that Naturgy has set out?
Carlos Manchado: In terms of compliance, the utilities sector, and particularly the energy sector, is in an increasingly demanding regulatory environment, as is the case with the NIS directive, which establishes a certification scheme that we adhere to. Yet looking at the bigger picture, there is a series of measures that we try to follow, which are good practices that actually help us a lot if implemented well. The starting point is IEC 62443 (an evolution of ISA 99) and there are some strong pillars that we are deploying on the architecture we have established, keeping in mind the different lines of business and countries in which we operate.
In line with this, we consider several large areas. Firstly, network segmentation under the Purdue model. Secondly, you also have to bear in mind identity segmentation, as many cyberattacks enter at IT level and once a computer has been compromised, the attack moves and obtains identities with higher privileges. This can be very dangerous and can threaten our operational capacity. For this reason, we have to ensure, where possible, that identities at OT level don’t overlap with those at IT level.
Another important part of our strategy concerns third-party access, such as people connecting remotely. Here we go beyond a simple VPN or traditional technologies such as computer virtualization in order to isolate them. It is important to leverage other more up-to-date solutions such as remote privileged access protection.
Moreover, in a company like ours, it is vital to keep an automated inventory of assets and classify them under different criteria. Once all this has been carried out, it is necessary to detect vulnerabilities and anomalies, using techniques such as probes and port-mirroring to minimize the effect on the operation of the industrial center. This offers a far more accurate picture of what is going on and the anomalies detected, which then must be integrated into the SIEM, regardless of their type: OT, IT, or mixed, which in the end is how sophisticated attacks, such as APTs, work.
It seems as though organizations are heading towards the convergence of information technologies (IT) with operational technologies (OT). Yet recently more cybersecurity incidents have been recorded that directly or indirectly affect control systems, such as BlackEnergy, CrashOverride, Triton, and of course, WannaCry. What protection measures should the sector implement to prevent these types of incidents, whose operational consequences could be severe?
CM: To counter such incidents, we are already working on the general measures discussed in the previous question. Though, in addition, architecture has to be well thought out, knowing which DMZ to implement, which elements to connect, with which services, apply patches, and follow good practices both in OT and IT. Finally, spreading awareness among everyone is vital, and for that reason we organize periodic training and talks.
Naturgy is also a great advocate for the concept of Industry 4.0, for example, through the digitalization and automation of gas networks and the electricity grid. What cybersecurity challenges does this present?
CM: We use a series of disruptive technologies such as the IoT, cloud, and analytics. These are all useful tools that make our business processes much more efficient. But with them, we also have to implement cybersecurity practices and secure our projects. This is why we try to include these new technologies in all the initiatives that arise, so that we can reduce risk without slowing down operations. There is no magic wand that secures everything, but we try to study the types of risks and threats that could affect these technologies and their integration with our devices and systems.
The COVID-19 pandemic has led to many organizations promoting telecommuting. Yet it has also been observed that telecommuting increases cybersecurity risks by extending the attack surface beyond the usual perimeter, the physical space of the company. How should cybersecurity be oriented given the increase in telecommuting?
CM: Seventy-five percent of the company’s workforce started working remotely from one day to the next, and consequently we have had to face many threats, some new and others more familiar but that have become much more virulent. We have seen for example many COVID-19-based campaigns, with websites that explain details of the vaccine, phishing, and even apps for PCs or smartphones. That’s why we had to carry out specific monitoring with an ad-hoc device.
With the workforce outside of the perimeter, we’ve had to run checks on the cloud, on shared collaboration tools, as well as review potential vulnerabilities in our platforms. But telecommuting also sees people mixing their personal and professional lives, which affects cybersecurity measures in terms of content filtering and Web browsing controls. On the other hand, through telemetry, it is clear what connectivity with non-trusted home networks means, as employees are not always aware of the risks on their local networks, and home routers are not always configured securely.
This has led us to close off our devices even more, as those outside are not within the famous perimeter which should theoretically water down attacks, though it is not a simple task and we have paid specific attention to VPN tools and analyzed in detail all services, as well as checking credentials and authentication processes.
On this point, what role has user awareness among employees had as a preventive factor?
CM: It plays an important role, although it is not everything. It is one more layer in addition to the technical measures that we have to implement. In general terms though, the more aware employees are, the better trained and informed in cybersecurity, the better for everyone. Over the last few months, we have had to work hard due to what we mentioned before: the overlap of professional and personal aspects, an uncertainty about the situation we have been living through, and, finally, the social engineering techniques that have tried to exploit the situation.
Finally, given the large number and increasing sophistication of threats, do you believe that organizations should be preempting attacks and using more proactive strategies such as threat hunting?
CM: It is completely necessary. It is good to have a SOC and to monitor, but there comes a time when you have to go further, because, normally, when a threat is detected, the company is already compromised and resolving the incident is more difficult and expensive.
That’s why we need a threat hunting service. Such a service must have adequate detection and mitigation technologies, but it also requires experts able to interact and work with them in processes like isolating files, computers and networks, and all the different response solutions provided by EDR.
Yet, on the other hand, threat hunters don’t only live off EDR and also have to work with SIEM, firewalls, and all the other technologies we have at hand to identify behavior. Overall, the less time it takes to detect a threat, the further ahead we will be and the more effective the response and mitigation is likely to be, thereby reducing the impact.
It is true that it is all very complex, but it is part of the zero-trust model that we try to apply. We set out a proactive and preventive hypothesis based on certain methodologies such as MITRE and we use technologies such as EDR. Then, keeping in mind who we are, what technologies we have, and what attackers there could be out there, those hypotheses are the ones that will help us prevent the more sophisticated and stealthy attacks, which are usually the most dangerous.