Cybersecurity is a top priority for critical security infrastructure including the energy and utility sectors for obvious reasons. As the operators of a key element in critical infrastructure, these organizations pose as a very appealing target for cybercriminals and nation state threats. Actually, the energy sector experiences millions of cybersecurity events on an annual basis. With increasing geopolitical tensions, there is an increased risk for cyber attacks facing critical infrastructure.

To combat these events, energy and utility businesses stand to invest in multilayered cybersecurity environments. As well as implementing tools that can aid in the detection of, and defense against cyberattacks, it is important for organizations to conduct ongoing security assessments and evaluations to get a better handle on the efficacy of their implemented efforts against known vulnerabilities.

Penetration Testing

Penetration testing can aid businesses in uncovering security vulnerabilities before attackers have the opportunity to exploit them. In a penetration test, ethical hackers make use of the same tools and techniques employed by cybercriminals against an enterprise network, and then utilize the information discovered during the testing to aid an organization in improving its overall security posture, and thereby, defining their risk profile.

Energy Sector Challenges

Energy and utility companies face similiar cybersecurity concerns as other organizations, however, they also have their own unique set of challenges to overcome and high-value assets to protect in the process. By now, most organizations are aware of the obvious upswing of Internet of Things (IoT) solutions. IoT solutions are affecting all industries, however, the distinction of industrial controls systems such as supervisory control and data acquisition (SCADA) networks makes the protection of connected equipment especially important for the energy and utility sector. Another favoured attack point for cybercriminals are administrative networks, which can be used as an entry point for targeted operational systems or to steal sensitive company data. Due to these specific considerations, it is vital for organizations in these sectors to utilize penetration testing techniques suited for their unique environments.

The United States Energy Department’s National Electric Sector Cybersecurity Organization Resource (NESCOR) recommends penetration testing to be performed on a regular basis depending on the criticality of the targeted systems and assets. At the very least, in these environments, penetration testing should be performed on an annual basis, as well as following any major upgrades or system modifications. The penetration test can target a collective of control systems or focus on a single system at a time, depending on business requirements.

Penetration Testing: Preparation

Penetration testing in an environment with high-value, connected assets will require extensive planning prior to, and throughout the entire process. In preparation, energy companies should commit to a number of questions.

  1. What are the objectives of the penetration testing process?
  2. What are the top concerns within the environment?
  3. Who should be engaged in the process?
  4. How should activities be communicated within the organization and should your IT staff be made aware? For example, double-blind penetration tests entails telling as few people as possible about the testing taking place.

Penetration Testing: Implementation

As each of the assigned tasks of the penetration test are completed, ethical hackers will document each vulnerability they manage to uncover. Some common concerns, of particular importance to the energy and utility sector, include unmanaged devices that are insecure, out-of-date patching, and inappropriate internal privileges. Once all of the established tasks are complete, the penetration testing team should review all of the vulnerabilities with respect to their overall impact and severity. Often, what may seem to be a minor vulnerability may leave an opportunity for an attacker to escalate their privileges in order to exploit a higher risk vulnerability.

Choosing a Third-Party Penetration Testing Company

While most organizations in this sector will have their own information security department, most will lack the necessary skills to conduct an effective penetration test. It is for this reason that it is important to engage a specialized third-party. This arrangement not only provides a comprehensive assessment of the organization’s systems but ensures that an unbiased perspective is taken throughout the process.

Skilled penetration testers will provide a report that orders discovered vulnerabilities into risk categories to allow the client to prioritize mitigation efforts accordingly. As an added benefit to regular third-party penetration testing, many organizations report that their information security teams conclude an engagement with a greater understanding of both their environment and how to better manage their risk posture.

That said, for help choosing a penetration testing company, for more information on anything you read here, or to learn how Packetlabs can help protect your organization please feel free to contact us.