Zero Trust in the Energy Industry: Securing Critical Infrastructure and Data

In May of 2021, the largest publicly disclosed cyberattack against critical infrastructure happened. In two hours, 100 gigabytes of data were stolen from the Colonial Pipeline IT system. Following that, the attackers infected the Pipeline’s systems with ransomware. The Pipeline had to shut down for five days to contain the attack.

Once $4.4M was paid to the attackers, Colonial Pipeline regained control of its systems. Add to that the cost of shutting down the pipeline for five days, the investigation costs, the involvement of government agencies such as the DOE, and the damage done to the company’s reputation and public trust, and it was a costly lesson—a lesson caused by an exposed password for a VPN account.

The Colonial Pipeline breach is the poster child for Zero Trust. The attackers didn’t steal oil or shut down a grid; they stole data. What happened there could happen to any energy provider and any government agency. And all it took was a password.

What does Zero Trust mean?

The Department of Energy (DOE) has a pressing responsibility to ensure the continued security of our nation’s critical electric infrastructure. Zero Trust in the department, across the industry, in manufacturing and in the supply chain is key to securing critical customer and employee data and to ensuring an uninterrupted, clean energy supply.

Traditional approaches to security automatically trusted users and endpoints inside the organization’s perimeter. Once past the perimeter, you had access to the entire system, limited only by your credentials. So once someone’s credentials are compromised, unauthorized actors can feast on your data.

In contrast, a Zero Trust architecture requires organizations to continuously monitor and validate that a user and their device have the right privileges and attributes. One-time validation is no longer effective, because threats and user attributes are both subject to change. With Zero Trust, users and devices must revalidate their credentials again and again, the further they get into data. The government is on course to achieve full Zero Trust status by 2027, but you can get there sooner if you have a strategy in place.

Why Zero Trust is such a critical strategy for the energy industry.

The same year as the Colonial Pipeline incident, a hacker tried to poison the San Francisco water supply. They got in through exposed credentials, too. Customer data is one thing, but exposing customers to unclean water—or an electricity outage—is not only inconvenient; it could be the difference between life and death. Given that 2022 set the record for the number of attacks on the energy industry, it is imperative that the industry be more vigilant, more responsive and more proactive than ever.

The answer is complicated. The energy sector can’t simply detach from the Internet of Things. Work-from-anywhere employees need access to the system. Contractors need access. Branch offices need access. All of that expands the attack surface and adds attack vectors to the mix. Compounding that, energy companies generally run legacy systems that may be vulnerable. And they are such attractive targets because an attack on them can cause so much destruction, financial loss and public unrest.

Traditional perimeter-based cybersecurity tools are no longer adequate to protect the energy industry from a constantly evolving threat landscape. Rather than trying to build security around the distributed network, the network itself must provide security. Traffic entering the network must be secured and validated from start to finish, and security and the network must operate as one fully integrated system. Zero Trust answers that threat perfectly, making users re-authorize themselves the deeper they go into data.
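To make the contrast between one-time perimeter validation and per-request Zero Trust validation concrete, here is an added example that is not from the article or from CIS Secure: a small Python policy decision function that re-evaluates every request against user, device and data-tier attributes, run on constructed inputs modelled on the VPN-password scenario above. The tier thresholds, field names and decision strings are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed policy: the more sensitive the data tier, the fresher the MFA proof
# the caller must present. Tier -> maximum minutes since the last MFA challenge.
MAX_MFA_AGE_MIN = {1: 24 * 60, 2: 60, 3: 10}


@dataclass
class Request:
    user: str
    password_ok: bool
    mfa_age_min: Optional[int]   # minutes since last MFA challenge, None = never
    device_managed: bool         # device enrolled in the organization's inventory
    device_compliant: bool       # posture (patch level, EDR health) passed now
    data_tier: int               # 1 = public, 2 = internal, 3 = control-plane/PII


def perimeter_allows(req: Request) -> bool:
    """Legacy model: one password check at the VPN edge grants everything."""
    return req.password_ok


def zero_trust_decide(req: Request) -> Tuple[str, str]:
    """Zero Trust model: each request is re-evaluated against the full policy.

    Returns (decision, reason); decision is ALLOW, DENY or STEP_UP (re-prompt MFA).
    """
    if not req.password_ok:
        return "DENY", "primary credential failed"
    if not req.device_managed:
        return "DENY", "unmanaged device"
    if not req.device_compliant:
        return "DENY", "device out of compliance"
    if req.mfa_age_min is None:
        return "STEP_UP", "no MFA on record for this session"
    if req.mfa_age_min > MAX_MFA_AGE_MIN[req.data_tier]:
        return "STEP_UP", f"MFA too old for tier {req.data_tier}"
    return "ALLOW", f"tier {req.data_tier} policy satisfied"


# Constructed scenarios: a leaked VPN password on an unmanaged laptop, and a
# legitimate engineer whose session moves from internal data to control-plane data.
leaked_password_login = Request("vpn-user", True, None, False, False, 2)
engineer_tier2 = Request("ops-engineer", True, 30, True, True, 2)
engineer_tier3 = Request("ops-engineer", True, 30, True, True, 3)

if __name__ == "__main__":
    print(perimeter_allows(leaked_password_login), zero_trust_decide(leaked_password_login))
    print(zero_trust_decide(engineer_tier2), zero_trust_decide(engineer_tier3))
```

The same valid password that the perimeter model waves through is denied on an unmanaged device, and a session that is fine for tier 2 is sent back for a fresh MFA challenge before it can touch tier 3.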

When Zero Trust doesn’t work.

Zero Trust is not a magic bullet that stops every cyber threat. For one thing, it does not protect against every kind of attack. Beyond that, the complexity and cost of implementation add barriers, as do the challenges of integrating with legacy systems.

Adopting additional security measures such as advanced threat detection, security information and event management (SIEM), and continuous monitoring of the network infrastructure is key. It is also important to keep the workforce informed of potential threats and to ensure they follow best practices, such as strong password policies and multi-factor authentication. A proactive approach helps companies stay ahead of evolving cyber threats.

Assume you will be attacked. Have a plan in place to thwart it.

The energy sector in particular is embracing Zero Trust technology. The industry is a critical infrastructure sector that is especially vulnerable to cyber-attacks and, as a result, has become a top target for cybercriminals. Implementing Zero Trust strategies is essential to avoiding many of the threats the industry faces.

As part of the energy industry supply chain and a provider of secured communications devices, CIS Secure is constantly looking for ways to improve the security of our solutions. We are meticulous about our own supply chain, too, sourcing secure components and devices. We use Zero Trust architecture in our own networks and build Zero Trust capability into our devices. To learn more about Zero Trust and our cybersecurity and communications solutions, contact us today.