Andy BeckFriday, April 27, 2018
Data breaches are top of mind for many industries, particularly in the wake of revelations over the UnderArmour hack, which exposed the personal information of over 150 million app users. These concerns are particularly acute for the nuclear, energy, and commercial industries, as the Department of Homeland Security and the FBI recently issued an alert that foreign hackers have been continually targeting these key American infrastructure sectors.
Hackers from around the globe have looked and continue to look for weaknesses in the electric grid and other resources with a variety of techniques, including common hacking weapons such as spear-phishing in e-mails and the use of watering hole domains. According to the Department of Homeland Security U-CERT report, Russian hackers were able to access the control system of at least one U.S. based power plant using these methods.
Not only did the hackers gain access to energy sector networks, but they conducted reconnaissance operations within internal networks and strategically collected information on Industrial Control Systems (ICS). Per NPR, counterintelligence analysts have evaluated this hacking approach, and have determined that it was intended to place the cyber tools needed to effectively turn off the power – creating a serious vulnerability for the United States.
The whole of the energy industry doubtlessly is following these developments – particularly in considering that a 2017 survey by Siemens and the Ponemon Institute determined that 68% of oil and gas firms in the United States had been hacked. These companies should be taking careful steps to examine their internal processes to combat future and ongoing hacking attempts. Here are five key steps that the industry can take under advisement in developing their internal communications campaigns:
- Open the lines of communication with the information security team – according to the Siemens study, 67% of respondents indicated that organizational challenges adversely impacted cybersecurity readiness.
- Detail and emphasize cyber risks in an organization-wide education effort – provide examples of spear-phishing and other hacking techniques to keep company staff apprised of potential risky behavior.
- Work collaboratively with other companies – the sharing of threat intelligence is considered particularly useful in mitigating the risk of cyber-attacks. Energy companies should set up information security networks to combat these challenges together.
- Organize and secure internal information by areas of particular hacker interest – exploratory information, production information, potential partners and acquisition targets, as well as financial and organizational reports are considered particularly desirable targets for hacking reconnaissance efforts.
- Create a crisis communications plan to help steer internal processes and external information output in the event of a cyber-attack.
Both government and industry have a great deal of sensitive information at stake – information with huge implications for the country as a whole. Comprehensive, detailed, and strategic messaging is needed across these organizations to combat the continual hacking attempts across the energy diaspora – both in the United States, and internationally. Makovsky’s Energy, Manufacturing and Sustainability practice has deep and varied experience in energy policy communications, as well as crisis management communications, and are well-equipped to help manage your crisis and internal communications programs
Andy Beck is Executive Vice President of Makovsky’s Energy, Manufacturing and Sustainability practice, and is general manager of Makovsky’s Washington, D.C. office. Previously, Andy served as the Director of Public Affairs for the U.S. Department of Energy.