Yes Energy News and Insights
by Gaby Flores on Jul 15, 2021
Following the Colonial Pipeline attack in May, we explored the risk that cyber-attacks and ransomware present to the energy industry and the power grid. Since then, sophisticated cyberattacks have further increased. Most recently, Kaseya, a software provider, was the subject of a ransomware attack. Due to the nature of Kaseya’s business, the attack affected at least 200 U.S. companies.
REvil, a Russian-speaking ransomware-as-a-service provider responsible for the recent cyberattack on meat processing giant JBS, is believed to be responsible for the attack on Kaseya (NPR, 2021). FERC and NERC recently published a white paper stating that in order to protect the grid from hackers and avoid critical infrastructure collapse, the electric industry needs to demonstrate “continued vigilance” (Utility Dive).
If it seems like the number of major ransomware attacks is increasing, that’s because it is. According to PBS, ransomware attacks increased by 62% between 2019 and 2021, and by 158% in North America. The number of ransomware complaints received by the FBI increased by approximately 20% between 2019 and 2020. Additionally, the cost of ransomware attacks reported to the FBI rose by 200% between 2019 and 2020. To make matters worse, according to NBC, there are also talent and availability shortages in the cybersecurity industry. Cybersecurity firms are turning down business. Additionally, talent is scarce, and due to the nature of the job, employees don’t stay in front-line incident response for long periods of time.
Following the Colonial Pipeline ransomware attack, we shared some industry-proven tips for avoiding cyber and ransomware attacks. Given the risk they pose to players in the industry and their increasing prevalence, we’re back this week with tips from Yes Energy’s security experts, Scott Saunders and Eric Marscin, on leveraging security as a tool, rather than a hindrance.
Conduct a risk assessment. Identify the individual risks to which your company is exposed. What makes your business unique (and profitable)? That’s what makes your business vulnerable. Eric recommends using NIST Special Publication 800-30r1 to perform risk assessments.
Think critically. Consider everything that could go wrong or fail. Address every scenario you and your team can think of. Take a step back and think of all the ways your tool could be used in a different way than intended. Try placing a wildcard character in place of an explicit value or escape character.
Security can be fast. Automate steps in the security process, where possible, in order to increase speed. Availability is an important facet of security; just because systems are secure doesn’t necessarily mean they are slower.
Test. Your. Backups. Ensure that your backups are working. 40% of ransomware victims found that their backups had failed (KnowBe4). Make sure your IT team can answer what your recovery time is if something goes wrong. Additionally, make sure your IT team is backing up the data you and your business value most.
There are no bad questions. You should be asking your vendors and IT team every question you can think of. There are no bad questions, just dangerous assumptions.
People are your most vulnerable entry point. Ultimately, people are both your strongest and weakest link. Humans are vulnerable to phishing, improper firewall installations, etc. Humans are fallible. Ensure you have good training in place and make sure that everyone on your team knows they are an important part of the business’s overall security.
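One way to act on the "Test. Your. Backups." tip above, as an added example rather than code from Yes Energy or the presenters: restore a backup into a scratch directory, compare every file with the SHA-256 recorded at backup time, time the restore, and flag valued paths that were never backed up. The tar format, the manifest layout, the sample file names and the names `verify_restore`, `manifest` and `critical` are assumptions made for illustration.

```python
import hashlib, tarfile, tempfile, time
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_restore(archive, manifest, critical):
    """Restore a tar backup into a scratch directory and check the result.
    manifest: {relative path: SHA-256 recorded when the backup was taken}
    critical: relative paths the business values most; each must be in the manifest
    """
    report = {"missing": [], "corrupt": [], "restore_seconds": None, "error": None,
              "unprotected": sorted(p for p in critical if p not in manifest)}
    # Where Python offers extraction filters, refuse members that escape the scratch dir.
    safe = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        start = time.monotonic()
        try:
            with tarfile.open(archive) as tar:
                tar.extractall(scratch, **safe)
        except (tarfile.TarError, OSError, EOFError) as exc:
            report["error"] = f"restore failed: {exc}"
        report["restore_seconds"] = round(time.monotonic() - start, 3)
        for rel, expected in sorted(manifest.items()):
            restored = Path(scratch) / rel
            if not restored.is_file():
                report["missing"].append(rel)      # in the manifest, not in the backup
            elif sha256_file(restored) != expected:
                report["corrupt"].append(rel)      # restored, but content differs
    report["ok"] = not any(report[k] for k in ("error", "missing", "corrupt", "unprotected"))
    return report

if __name__ == "__main__":
    # Constructed sample: two files backed up, one critical path never included.
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        src.mkdir()
        (src / "prices.csv").write_text("node,lmp\nA,31.2\n")
        (src / "positions.csv").write_text("book,mw\nX,50\n")
        manifest = {p.name: sha256_file(p) for p in src.iterdir()}
        archive = Path(work) / "backup.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            for p in src.iterdir():
                tar.add(p, arcname=p.name)
        print(verify_restore(archive, manifest, ["prices.csv", "models/forecast.pkl"]))
```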
Cyber and ransomware attacks present an extreme risk to businesses in all industries, no matter their size, and the energy industry may be a particularly vulnerable target for cybercriminals.
If you’re interested in learning more about security from Scott and Eric, please check out their presentation, Security as a tool, rather than a hindrance, from our recent Yes Data Insight Event, Unlocking Big Data Insights. (If you want to skip straight to their presentation, it starts at 24:00.)