Can Secure Messaging Protect Against the Most Common Attack Vector?

In recent years, the alarming uptick in the frequency and sophistication of cyberattacks targeting critical infrastructure systems has put a spotlight on the emerging vulnerabilities of once disparate, now digitally connected, networks and systems. For the energy and utilities industry specifically, the decade-old quagmire that is information technology (IT) and operational technology (OT) convergence has revealed weaknesses in proactive cybersecurity, incident response and business continuity across both facilities and operations.

While the nefarious online activities of nation states and cyber terrorists, along with human error, have steadily driven up organizational risk for the past 15 years, the emergence of critical infrastructure cybersecurity as a mainstream issue can be traced back to December 2015. Before the year concluded, a cyberattack on the Ukrainian power grid left more than 200,000 customers without power for several hours. This was soon followed by rumors that the Israeli power grid had also been compromised by hackers. Although not the first two cyberattacks on power infrastructure by any means, the proximity of these two events, and the prolonged coverage in the news cycle, drove unprecedented international awareness and prompted serious discussion of the inherent risks to this critical industry.

Since then, it’s hard to go a week without reading or hearing about a thwarted threat, the discovery of a digital reconnaissance mission or a successful attack. Just last fall, Symantec found evidence that hundreds of power grid sites across the U.S., Turkey and Switzerland had been compromised since 2011 as a result of a massive hacking campaign called Dragonfly 2.0. This soon prompted the FBI and Department of Homeland Security (DHS) to issue a warning to nuclear, energy, aviation, water and critical manufacturing industries that “hackers had succeeded in compromising some targeted networks” using a combination of attack vectors, including spear-phishing emails.

Just recently, U.S. President Donald Trump’s administration released a public statement accusing Russia of a “concerted, ongoing operation to hack and spy on the U.S. energy grid and other critical infrastructure.”

While all these revelations are disturbing, there is some good news: most cyberattacks start the same way worldwide, including those that target the energy industry. The common culprit is email phishing, and it has proven harder to mitigate than anyone could have foreseen.

UNDERSTANDING THE VULNERABILITIES OF MESSAGING COMMUNICATIONS

Some 90 percent of all cyberattacks begin with email phishing, according to a report from PhishMe. What started as juvenile trickery to scam people out of money has evolved into a social engineering phenomenon that can compromise a country’s infrastructure and security-readiness.

Phishing attacks once depended on someone to download a malicious attachment or click on a malicious link for an attacker to have success. Now, however, phishing emails have become so sophisticated that messages with no links or attachments, known as business email compromise (BEC), can easily bypass the most common rules-based email security tools that companies traditionally use to assess threats. These types of phishing attacks are “spoofed” to look and feel exactly like they are authored and sent from a colleague, often prompting employees to take actions that can lead to major problems for the enterprise.
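The point above, that a message with no link or attachment passes a rule keyed on links and attachments, as an added example that is not from the original article: it runs such a rule beside a display-name check over two constructed messages. The domain `utility.example`, the staff names and the function names are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the organization's domain and a staff directory.
ORG_DOMAIN = "utility.example"
STAFF_NAMES = {"dana reyes", "sam patel"}
URL_RE = re.compile(r"https?://|www\.", re.I)

def link_or_attachment_rule(msg):
    """Classic rule: flag only messages carrying a URL or an attachment."""
    for part in msg.walk():
        if part.get_filename():
            return True
        if part.get_content_maintype() == "text" and URL_RE.search(part.get_payload()):
            return True
    return False

def colleague_impersonation(msg):
    """Flag a staff member's display name on an address outside ORG_DOMAIN."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return " ".join(name.lower().split()) in STAFF_NAMES and domain != ORG_DOMAIN

def triage(raw):
    msg = message_from_string(raw)
    return {"link_rule": link_or_attachment_rule(msg),
            "impersonation": colleague_impersonation(msg)}

# Constructed sample messages (not real traffic).
BEC_SAMPLE = """\
From: "Dana Reyes" <dana.reyes@utility-example.test>
To: ops@utility.example
Subject: Quick favor

Are you at your desk? I need a vendor payment handled before noon.
"""

INTERNAL_SAMPLE = """\
From: "Dana Reyes" <dana.reyes@utility.example>
To: ops@utility.example
Subject: Shift handover

Notes are on the shared drive as usual.
"""

if __name__ == "__main__":
    print(triage(BEC_SAMPLE))
    print(triage(INTERNAL_SAMPLE))
```

The display-name check is itself only a rule; it catches this one pattern and says nothing about a compromised internal account sending from the real domain.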

In response to the phishing epidemic, many companies now direct a significant amount of their cybersecurity budgets to workforce security awareness training, which includes educational programs on how to detect malicious digital threats. Many have also begun to implement Domain-based Message Authentication, Reporting and Conformance (DMARC), an email validation system, at the suggestion of DHS. Both of these safeguards are high on promises, but, unfortunately, low on rewards, as no amount of training can keep up with the pace at which attackers alter their tools and techniques. In fact, DMARC has already been exposed as vulnerable to spoofed emails.

As a result of increased awareness around cyberthreats prompted by email, many organizations are reducing their reliance on email as a medium altogether, instead choosing to utilize SMS texting for its ease-of-use and simplicity. In fact, an article from One Reach, which covers digital communication trends, reported that 80 percent of workers say they use SMS texts as part of doing business; and according to Seyfarth Shaw LLP, even if text messaging is not a sanctioned form of communication in the workplace. What many of these employees are not aware of, however, is that SMS texts are just as vulnerable to outside interference as emails, given the rise of “smishing” (SMS phishing) attacks, which, according to Kaspersky Lab, increased by over 300 percent in 2017.

In addition to standard ongoing internal communications, companies use a combination of email and SMS text to quickly disseminate information as part of their incident notification and response plans. These methods, however, can be hacked and infiltrated via phishing schemes, and they do nothing to prevent the sharing of information once it has been sent, leaving communications vulnerable to accidental or malicious propagation.

The continued use of phishing, whether sent via email or text, indicates that hackers are continuing to choose this attack vector because it is low risk and high reward. As such, utilities and energy companies face a serious conundrum: they obviously can’t keep their employees from communicating digitally, but they must also prioritize network, system and infrastructure security at all costs. Fortunately, a unique fix to this complicated problem has recently emerged: the adoption of secure messaging platforms.

SECURE MESSAGING: A NEW SOLUTION FOR CONFIDENTIAL COMMUNICATIONS

For highly regulated industries, secure messaging provides a unique, yet proven solution to mitigate risk by taking communications outside of where they are most vulnerable—email and SMS text. With a secure messaging solution, only approved senders that have been granted access to an organization’s messaging platform can send messages, thereby eliminating the threat of outside senders entirely. Secure messaging also prevents man-in-the-middle attacks, which can occur when unencrypted SMS texts are sent on an open network.

What’s also unique about secure messaging is that the sender maintains complete control of the conversation, the data and its use at all times, preventing unintentional sharing, data theft and propagation of information. In addition, unlike native SMS texting, secure messaging ensures all messages are captured and archived to the organization’s repository of record for compliance purposes and processes, while removing texts from sender and recipient devices. Also, when used in response to an incident, secure messaging allows for rapid notifications, response and recovery communications to meet corporate operating procedures, without worry of third-party surveillance or leaks.

Cyber threats will continue to compromise the confidentiality, availability, integrity and personnel safety of energy organizations for a long time to come, and phishing will remain the most exploited attack vector simply because of its impressive success rate. Secure messaging provides an opportunity to finally make significant risk reductions by eliminating the vulnerabilities inherent to email and SMS texting communications, helping to maintain compliance, and expediting and organizing incident response communications.


Dr. Galina Datskovsky, CRM, FAI and serial entrepreneur, is an internationally recognized privacy, compliance and security expert. Galina is the CEO of Vaporstream, a leading provider of secure, ephemeral and compliant messaging.

Originally published by Galina Datskovsky in the May 2018 issue of POWERGRID INTERNATIONAL.