Perils of Power II
II. Cybersecurity: Attacks, Disruptions, Threats, Vulnerabilities, and Precedents within Energy Infrastructure
Like cyberspace itself, cybersecurity is a relatively nascent field, and that status leaves it riddled with multifarious definitions. Reviewing the NIST library of definitions, an interesting pattern emerges. Initially, many of the definitions offered describe the effort to preclude damage to actual physical computer systems. The current NIST-endorsed definition shows that, over decades, more and more facets have been included:
“Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.”
This verbose definition of what cybersecurity has come to mean includes three key words which are essential and which, throughout the author’s time at the New York University School of Professional Studies’ Center for Global Affairs, were given the moniker of the most “important triad” of terms within the study of cyber: confidentiality, integrity and availability.
To ensure harmonious continuity of operations, companies must ensure that they master the significance of the “CIA”. Cybersecurity professionals now espouse the triad as being a guiding principle in securing their systems. Confidentiality represents the efforts to ensure, as the term suggests, that sensitive data not privy to the public remains that way. Integrity embraces the accuracy and trustworthiness of the data through means of certification and verification. Availability simply refers to the functionality of the system and its applications to readily serve those who demand it.
The willingness to hold the CIA triad dear is notable in light of the many forms cyber-affronts can take. The term cyber-affront has deliberately been selected thus far in lieu of the Hollywood-trigger-happy term “cyber attack”. Mass media’s distortion of cyber incidents often invokes images of hooded figures lurking in furtive corners of a basement, frantically hammering away at a keyboard to launch said “cyber attack”.
In truth, the vast majority of cybersecurity-related incidents – including those that are likely the most common threat to energy infrastructure – fall into other categories that actual cybersecurity professionals have come to adopt and recognize. The Council of Europe Convention on Cybercrime defines a cyber-attack as an operation, offensive or defensive, that leads to the severe destruction of infrastructure and injury or damage to persons. Under this criterion, most of the watershed cybersecurity incidents in the annals of history, like Stuxnet and, more relevantly, the Colonial Pipeline breach, immediately cease to qualify as a cyber attack.
Rather, they fall under some of the other subsets set forth by the Council. More fittingly, they can be regarded as a cyber-disruption, which signifies the act of “hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.” Alternatively, an offensive move by adversaries wishing to disrupt energy operations via a ransomware payload can be construed as a cyber-crime: the fraudulent or dishonest procurement of a computer device or its capabilities for the purpose of economic benefit. Energy infrastructure’s various components, at the platform, operational and informational levels, are so multifaceted that they present a buffet for a cyber adversary.
This is exacerbated by the fact that energy infrastructure in the U.S. is riddled with vulnerabilities. Vulnerabilities, within the context of cyber, refer to a weakness in an information system or its procedures that could be triggered or “exploited” by a nefarious adversary. Much to the chagrin of energy infrastructure operators, countless vulnerabilities are “zero-days”: weaknesses within a system that are completely unbeknownst to the developers who created it; quite literally, the crisis mitigation team has had zero days to anticipate the vulnerability. As conveyed by McKinsey & Company, Figure 5 describes great quantities of potential threats to energy companies across their value chain. Each one of these facets poses unique challenges in defying malignant adversaries.
As for the tools themselves, a sinister arsenal of malware types exists. Malware – a portmanteau of malicious software – is, commensurate with how multifarious vulnerabilities are, also concerningly polymorphous. Malware can infect a network and/or a segment of infrastructure operations in many different forms: most members of the general public will be familiar with the conventional virus, perhaps delivered in the form of an illegitimate, suspicious email link – much like its medical namesake, a virus replicates itself from one application to the others with frightening pace.
But other forms of malware are all flavors of the day for many cyber disruptors, including but not limited to spyware, the implementation of a surveillance program for adversaries to monitor a business’s activities; a wiper, which obliterates all data on a device; and remote access backdoor tools, which allow the propagator to control the victim’s device from a distance.
More sophisticated types of disruptions include a form of malware so pervasive that its mere utterance has grown to strike fear in CEOs and mom-and-pop shops alike: ransomware. As defined by CISA, ransomware is a “form of malware designed to encrypt files…rendering [them] unusable. Malicious actors then demand ransom in exchange for decryption”.
Ransomware’s proliferation as a malignant tool is all the more concerning for the energy sector. S&P Global Commodity Insights reports that 2021 was a record year for incidents targeting energy and oil. Why are these actors going after energy infrastructure, what happens when a ransomware disruption is underway, and, most importantly, why are the malignant actors successful? The next section recalls a linchpin moment that forever redefined how the public and private sectors alike react to a cyber disruption.
Part III Coming Soon…