Natural Resources Overview
There has been a shift in how the Natural Resources sector perceives the threats of cyber attacks. Aon’s latest Global Risk Management Survey highlights how Risk Managers in the Natural Resources space now identify cyber as one of the top current and future risks facing their industry.
Historically, some companies in the Natural Resources sector may not have been as concerned about cyber attacks impacting their operations, as reports of attacks were generally against Healthcare, Financial Institutions, Hospitality, and Retail companies.
This change in perception will only be intensified by the currently rising geopolitical tensions driven by the Russia-Ukraine conflict. Russia’s actions, and corresponding drastic sanctions imposed against Russia, have forced many nations to rethink the sourcing of their oil and gas needs – with some attempting to increase domestic production, while others seek new dependable suppliers.
At the same time, Western countries have embarked on a green climate transition with a net-zero emissions goal by 2050 that is centered on technology that requires vast amounts of lithium, cobalt, nickel, copper, aluminum, and rare earth metals. We have already seen a shortage of these critical metals and minerals and expect demand to far outstrip supply in the coming years and decades.
As the world competes for these finite resources, the cyber threat landscape and nature of cyber attacks are changing. Nation-states and cyber criminals have increased and modified their use of cyber attacks, aiming them at Natural Resources companies, which are considered to be a part of a nation’s critical infrastructure, including Power and Utilities, Oil and Gas, as well as Mining and Forestry.
While previous attacks have been geared towards disabling systems to extort ransom payments, future attacks may target Operational Technology (OT), such as Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition Devices (SCADA), with the goal of causing major disruption. This is a trend that will continue to put pressure on organizations’ security teams.
Management and Boards of Natural Resources companies are facing uncertainty and the challenge of dealing with increasingly complex issues – cyber attacks being only one of them. The goal of this paper is to explain the shifts in cyber attacks directed at Natural Resources companies and share insights on how you can make better decisions around protecting your organization by building sustained cyber resilience.
Every organization starts this journey from a different perspective and maturity level. A strategic approach to cyber security is circular and iterative and — importantly — informed by data. Aon has developed The Cyber Loop — a model that acknowledges that each organization will start its journey from a different place when it comes to assessing, mitigating, transferring or recovering from cyber attacks.
Below, we identify the threats to and ways to improve your Operational Technology (OT) resilience as well as how the cyber insurance market can assist in dealing with the changing risk landscape. We will also explain how the Aon team can help bolster your organization’s defenses.
Is Operational Technology Under Attack?
Organizations in the Natural Resources sector face unique cyber security challenges. Among the most pressing issues observed by Aon’s Cyber Solutions are:
- Infrastructure security
- Legacy systems integrity
- Late adaptation of increasing digitalization
- Supply chain threats
- Intellectual property data sensitivities, and
- Technological resilience considerations
As we have witnessed recently, the Natural Resources sector’s connection to critical infrastructure has also made it a key target for attacks by nation-states, terror groups, financially motivated criminal gangs and hacktivists.
Incidents by the Numbers
- The energy sector was the fourth-most targeted industry, experiencing 8.2 percent of attacks observed in 2021, according to IBM Security’s 2022 X Force Threat Intelligence Index. Specifically, North American energy organizations were the most targeted in the world, placing the region at the top of the list.1 2
- Approximately 55 percent of mining executives expressed concern about their ability to manage a cyber threat with nearly 70 percent witnessing an increase in the number of disruptive attacks in the past 12 months. Half of the respondents stated that ICS were the most frequently attacked, according to E&Y’s 2021 Global Information Security Survey.3
- Forestry companies have increasingly experienced cyber attacks and cyber extortion since 2020, as financially motivated criminal groups have expanded their operations to new industries. Organizations in mining and forestry have experienced the largest overall increase in fraud cases, climbing 30 percent over the last four years based on data collected by the Association of Certified Fraud Examiners.4
Who are the Threat Actors and How are they Breaching Systems?
Ransomware continues to be the most prevalent type of attack against energy organizations, as evidenced by major incidents such as the Ryuk group’s attack on a Norwegian energy company, the Darkside group’s attack on an American oil pipeline system, and Darkside’s attack on two Brazilian state-owned entities. Following ransomware, the top types of attacks carried out by threat actors, based on industry data collected from multiple U.S. security companies, are remote access trojans (RATs), distributed denial of service (DDoS) attacks and business email compromise (BEC).5 6
7 These advisories further highlighted targeted intrusion campaigns from 2011 to 2021 where Russian state actors deployed destructive malware, such as Havex and Triton, on energy companies in the U.S. and in the Middle East, or exploited the following critical vulnerabilities:8
- CVE-2018-13379 FortiGate VPNs
- CVE-2019-1653 Cisco router
- CVE-2019-2725 Oracle WebLogic Server
- CVE-2019-7609 Kibana
- CVE-2019-9670 Zimbra software
- CVE-2019-10149 Exim Simple Mail Transfer Protocol
- CVE-2019-11510 Pulse Secure
- CVE-2019-19781 Citrix
- CVE-2020-0688 Microsoft Exchange
- CVE-2020-4006 VMware
- CVE-2020-5902 F5 BIG-IP
- CVE-2020-14882 Oracle WebLogic
- CVE-2021-26855 Microsoft Exchange
Malware targeting ICS is becoming increasingly sophisticated. From 2016 to present, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed two pieces of malware, Industroyer and Industroyer2 9, to Russian APT actors targeting Ukrainian power ICS. Industroyer and Industroyer2 are variants from the same malware family and serve as an example of how cyber threats to ICS are evolving.
In comparison, major companies in the mining sector have been the targets of Chinese cyber attacks since 2010. These attacks primarily focused on conducting espionage to extract proprietary data, according to regional media and technology reports published by MIT and industry groups.10 11 12 13 14 More recently, the deployment of virtually undetectable zero-days, as well as advanced malware called “Daxin”, has been attributed to Chinese APT actors.15
The Impact of The Ukraine Conflict on Cyber Security and Global Supply Chain Issues – How could this affect Natural Resources?
The global economy has been experiencing a global microchip shortage, resulting from the COVID-19 pandemic, which has been exacerbated by the Russia-Ukraine conflict. Semiconductors are imperative to microchip manufacturing, and microchips are imperative to controlling the electronic functions of electronic devices such as the hardware that makes up operational technology.
Over 90 percent of US-sourced semiconductor-grade neon comes from Ukraine, 16 approximately 50 percent of which is produced by two companies that are located in currently besieged areas under heavy bombardment and therefore had to cease operations.17 As we turn to the destructive malware deployed strategically into Ukraine by suspected Russian APT actors, we begin to see a concerning connection between the global supply chain shortage of microchips and cyber security.
For example, if a company experiences a destructive malware attack and the company’s technological property is damaged, will that company be able to replace its damaged devices quickly to get back online? If a company cannot source enough replacement devices, how will this affect its ability to recover? This is particularly true as we look at the microchips that run operational technology. If operational technology is damaged and replacement parts are unavailable, the ramifications could result in not just lost earnings but multi-industry, critical infrastructure damage that would quickly rise to a national security issue.
Will Cyber Threats Drive New Regulation Around Minimum Cyber Security Standards?
As cyber security and national security have intersected over the last decade, U.S. Government officials have begun to see the need for cyber security policy and standardization. In July of 2021, the U.S. Administration released the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, aimed at outlining a pathway to address minimum cyber security standards and initiatives related to industrial control systems and extending to critical infrastructure as a whole.18 While cyber security threats continue to grow and evolve, we may see more regulation on minimum cyber security standards, which all companies operating within the industrial control and critical infrastructure sectors will be required to implement. Natural Resources companies will be directly impacted. As the U.S. Department of Homeland Security (DHS) addresses these concerns through the Cybersecurity and Infrastructure Security Agency (CISA), it is highly likely we will see more robust National Institute of Standards and Technology (NIST) standards and requirements going forward.
As these cyber security challenges are not unique to the U.S. alone, other regulators around the world are bound to consider similar steps to protect their critical infrastructure and the adjacent Natural Resources sector.
Addressing Operational Technology Cyber Resilience
Organizations within the Natural Resources sector are increasingly exploring and deploying automation and electrification to cut costs as well as emissions. Some are setting up remote operation centers which control and run assets hundreds or thousands of kilometers away. In the past, individual sites operated as separate units, but with today’s technology, there is much greater interconnectivity between sites and corporate offices and operations centres. Consequently, the separation between OT and business and administrative networks has been reduced, resulting in an increased risk of vulnerabilities; if one network is breached, the remaining operations networks are also vulnerable if proper measures are not taken.
Over the past few decades, OT systems have become increasingly dependent on digital technology to reduce costs, increase efficiency, and maintain reliable operations. OT systems are being integrated with traditional business Information Technology (IT) to provide corporate services such as email and network connectivity. Data produced in the operation of OT is also being used increasingly to support corporate business decisions in ever-expanding ways. While this streamlining can simplify and improve processes, the bad news is that both IT and OT systems are vulnerable to malicious attacks and misuse, with OT systems having additional vulnerabilities because of their complexity, large number of stakeholders, and highly time-sensitive operational requirements.
Historically, ICS were composed of proprietary technologies with limited connection to an organization’s corporate networks or the Internet. In today’s world, the efficiencies of commercial off-the-shelf (COTS) hardware platforms and software applications, interconnected public and private networks, and remote support are moving organizations from an isolated environment into a global, interconnected environment. Technologies that drive critical infrastructure will further integrate IT and OT systems and continue to blur the lines between IT and OT. The more OT systems mature and increase connectivity, the more the IT and telecommunications sectors will be directly involved. While these sectors do have existing cyber security standards to create assessment programs that identify known vulnerabilities in their own systems, these same vulnerabilities also need to be assessed in the context of an organization’s OT infrastructure.
The Dangerous Disconnect Between OT and IT
All too often, IT and OT environments have been managed by different teams who often do not coordinate their approach to cyber risk management. While IT security is a relatively mature market, OT systems can be based on legacy hardware and software, reducing the availability or effectiveness of IT security controls. However, as OT systems modernize and approach the functionality of IT systems, it is important that cyber risk management becomes a collaborative endeavor between both divisions within the organization. To successfully execute organizational business functions in the OT environment using IT processes, an organization’s leadership must be committed to making risk management a fundamental operating requirement.
While everyone in an organization is responsible for cyber security, regardless of the size or type of the entity, management and Boards are responsible for how cyber security risk impacts the organization’s mission and business processes. In developing a holistic cyber governance structure that encompasses OT and IT, organizations need to establish a risk executive function that breaks down silos and addresses cyber risks impacting the entire organization from head office down to operations — with established accountability principles in place.
What Can Organizations Do to Mitigate Risks Related to ICS and SCADA?
As companies in the Natural Resources sector shift to modernize technology used in ICS and SCADA systems, they can further expose their networks to new and emerging cyber threats. Aon recommends taking the following steps to secure your systems:19
- Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls. Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
- Enforce Multi-Factor Authentication (MFA) for all remote access to ICS networks and devices whenever possible. Regularly change all passwords to ICS/SCADA devices and systems, especially all default passwords, to device-unique strong passwords. This will mitigate password brute force attacks and give defender monitoring systems opportunities to detect common attacks.
- Maintain known-good offline backups for faster recovery upon a disruptive attack. Conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups. Implement robust log collection and retention from ICS/SCADA systems and management subnets.
- Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement.
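As an added illustration of the "hashing and integrity checks on firmware and controller configuration files" recommended above (example code written for this page, not an Aon tool), the following Python sketch records a SHA-256 manifest of a backup tree, seals the manifest with an HMAC so that an edited manifest is itself detectable, and reports modified, missing and unexpected files at verification time. The directory layout, file contents and key are constructed for the demonstration; in practice the key would be held away from the backup media.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large firmware images are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to the backup root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def seal_manifest(manifest, key):
    """HMAC the canonical JSON form so tampering with the manifest is detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_backup(root, manifest, tag, key):
    """Compare a backup tree against its sealed manifest and list every deviation."""
    if not hmac.compare_digest(seal_manifest(manifest, key), tag):
        # The manifest cannot be trusted, so no per-file verdict is given.
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(root)
    return {
        "manifest_ok": True,
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def demo():
    """Run the check on a constructed backup tree: clean, altered, forged manifest."""
    key = b"constructed-demo-key"  # assumption: real key is stored off the backup media
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files standing in for controller backups.
        samples = {
            "plc01/firmware.bin": b"\x7fFW-1.4.2" + bytes(64),
            "plc01/config.xml": b"<controller setpoint='72'/>",
            "rtu07/firmware.bin": b"\x7fFW-3.0.1" + bytes(64),
        }
        for rel, data in samples.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        manifest = build_manifest(root)
        tag = seal_manifest(manifest, key)
        clean = verify_backup(root, manifest, tag, key)

        # Simulate a damaged or altered backup set.
        (root / "plc01/config.xml").write_bytes(b"<controller setpoint='99'/>")
        (root / "rtu07/firmware.bin").unlink()
        (root / "plc01/extra.bin").write_bytes(b"not in the original backup")
        altered = verify_backup(root, manifest, tag, key)

        # A manifest rewritten to match the altered file fails the HMAC check.
        forged_manifest = dict(manifest)
        forged_manifest["plc01/config.xml"] = sha256_file(root / "plc01/config.xml")
        forged = verify_backup(root, forged_manifest, tag, key)
    return clean, altered, forged


if __name__ == "__main__":
    for label, report in zip(("clean", "altered", "forged manifest"), demo()):
        print(label, report)
```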
Response and Offerings of the Cyber Insurance Market
Although the cyber insurance market has developed over time to offer a variety of coverage solutions, ranging from a traditional cyber policy to a cyber gap policy, filling coverage gaps within property and casualty policies, there is no solution that can function as a complete risk transfer option against all forms of cyber attacks and corresponding losses.
As the cyber insurance market has continued to harden in recent history due to a flood of cyber losses, insurance has also become harder to obtain. Many organizations that want to buy insurance are unable to secure coverage as their internal controls are deemed too weak by insurers or premiums are prohibitively high. Many insureds also saw their limits cut at renewal as insurers are becoming increasingly cautious about the limits they deploy for any one risk.
In addition, and driven by Lloyd’s of London in 2019, most property and casualty insurers have taken the direction to specifically exclude cyber losses from their policies, creating coverage certainty where the insurance market relied on silence in the past. This silence led to the unintended consequence of cyber losses being covered by non-cyber policies. Current cyber exclusionary language varies across the market and insurers in terms of severity, causing potentially substantial coverage gaps in property and casualty policies. As a result, cyber attacks against OT, causing property damage or system outages with resultant business interruption, may not be covered. We expect this exclusionary language to evolve further. Insureds are well advised to understand coverage scope in this regard to avoid unpleasant surprises in the event of a cyber loss.
Any remaining coverage gaps will have to be absorbed by an insured’s own balance sheet. Given the evolution of cyber risk over the past two and a half years and the increase in cyber attacks globally, we do not anticipate the return of cyber coverage within non-cyber policies anytime soon – if ever.
Although cyber coverage within property and casualty policies is significant for insureds, the lack of readily available coverage doesn’t render a traditional and stand-alone cyber insurance immaterial or without value for insureds with significant OT exposure. Cyber insurance can provide coverage for an organization’s own or first-party costs in investigating and mitigating an actual or suspected breach, as well as the cost of complying with applicable privacy laws, regulations and guidelines including breach notification costs, forensic investigation, credit monitoring, call center and breach coach costs. It also helps to provide third-party liability protection by paying defense costs, settlements, and judgment amounts. In addition, cyber extortion, business interruption and digital asset restoration costs are regularly available if the insured meets the minimum-security controls standards.
While the impact of a well-crafted cyber policy is monumental in today’s ransomware environment, it cannot be the only tool in an insured’s toolbox. Cyber risk is a full enterprise-wide exposure, and it is not sufficient to only look to risk transfer as the sole method of addressing this risk. Cyber defense is a continual process of assessing exposure, quantifying impact, transferring cyber risk to an insurer when you can, mitigating risk where possible, and being ready to respond when a cyber attack happens.
How to Bolster Defenses and How Aon Can Help
There is a critical need to bolster defenses and improve OT resilience to combat the growing number of cyber security attacks directed at Natural Resources companies. However, budgets are limited, and companies must be strategic in allocation of funds to focus on controls most critical to their industry and risk profile. For Natural Resources companies it is important to consider how best to support the altering structure from the growing interconnectivity of OT and IT systems, keeping in mind the additional exposure driven by such things as the increase of the Industrial Internet of Things (IIoT) and the shift towards working from home (WFH).
Aon’s Cyber Solutions works with clients to better realize sustained cyber resilience and to holistically manage cyber risk including helping Natural Resources companies focus on the most critical pathways to mitigate cyber security risk, implementing proper governance and architecture, and building a proactive defense strategy.
Proper Governance and Network Architecture
The guiding principle behind cyber security risk management is that Natural Resources companies must realize that cyber security is another example of a risk they should proactively manage in a constantly changing landscape. Proper governance begins by relying on optimal risk management frameworks focused on oversight and internal controls. This is the model Aon’s Governance Assessment addresses by identifying how specific duties related to risk and control could be assigned and coordinated within the organization.
Equally important is the need to address the technical aspects of risk mitigation. With the increase of IoT and WFH environments and the lines between IT and OT being further blurred, the need to assess network architecture is even greater to ensure that critical infrastructure is safe. Aon’s Network Architecture Risk Assessment provides a method to systematically compare a company’s current architecture to industry-wide best standards to better assess and improve technical maturity.
Building a Proactive Defense
In addition to ensuring proper governance and architecture are in place, Natural Resources companies need to increase their ability to identify potential attacks by building a proactive defense. Given the increased sophistication of threat actors, monitoring risk not only through tools but also by conducting Deep and Dark Web Threat Monitoring, Threat Hunts, Threat Intelligence, and Cyber Kill Chain Assessments is becoming increasingly critical.
Studies show that the sooner an attack is detected and remediated, the greater the reduction of risk and costs to the company. As a result, companies are increasingly using resources to monitor the Deep and Dark Web to identify red flags indicative of an attack on the company. Aon offers Natural Resources companies Deep and Dark Web Threat Monitoring on an ongoing basis to monitor dark web forums, underground marketplaces, and threat actor chat sites to help identify observable threats related to the company.
Engaging in a proactive search for threat actors within a network, or Threat Hunting, is another tool used to detect a compromise before the threat actor may cause damage. Often, a threat actor may infiltrate an environment while planning their attack and trying to obtain access to the OT environment. During this time, trace evidence or Indicators of Compromise (IoCs) may be detected such as unusual traffic or malicious websites visited by employee-owned accounts that lead to the identification of an active threat. Aon has deep experience in performing threat hunts and can provide robust threat hunting practices that help clients detect and rid their environment of active threats.
Understanding the latest tactics and types of attacks is also critical to defending against cyber attacks. In fact, the updated ISO 27002 standard (a framework providing best practice guidance on implementing information security controls), which was released in February 2022, contains a new threat intelligence control (Control 5.7) that requires organizations to collect and analyze information around cyber security threats. The guidance requires organizations to have programs in place to gather and process threat intelligence data and information that can be used to inform around existing or emerging cyber threats. ISO recommends that businesses use three types of Threat Intelligence, which Aon’s Cyber Solutions provides to clients:
- Strategic Threat Intelligence: Exchange of high-level information about the evolving threat landscape, such as the types of attacks initiated
- Operational Threat Intelligence: Information about attacker methodologies, and the tools and technologies involved
- Tactical Threat Intelligence: Details about specific attacks, including technical indicators
Aon can also help Natural Resources companies by performing a Cyber Kill Chain Assessment that is focused on the specific method of a cyber intrusion and highlights gaps in defensive controls that are evaluated against real-world attacker techniques along the attack path (the Cyber Kill Chain). The assessment identifies weaknesses to detection and prevention controls, and stress tests their response capabilities which helps to provide companies with actionable cyber resilience improvements needed to keep up with the changing threat landscape.
Natural Resources companies are under attack and no organization is immune. Regardless of your cyber risk maturity and awareness level from an OT or IT perspective, or your internal support and funding levels, no organization in the Natural Resources space can afford to ignore the clear dangers ahead.
Every organization is struggling to assess and prioritize cyber-related risks, fund risk transfer mechanisms, and implement mitigating strategies. Management and Board support are paramount, but so is a deep enough talent pool to overview and guide the implementation of defensive strategies. Even a well-crafted insurance program is not a bulletproof or sufficient solution against cyber attacks that can impact an organization’s OT and potentially lead to long-term system outages or even property damage. Coverage gaps remain and the cyber or property and casualty insurance markets are currently not willing to completely close these gaps or do so cost-effectively. Based on the size of your operations and your OT and IT vulnerabilities, business interruption losses can be substantial.
Aon’s Cyber Solutions is here to support you and your organization by helping you make these strategic decisions, based on your budget and priorities, to mitigate risk and protect your operations. The goal is to build a sustained and resilient cyber defense program. Our team can speak with you to assess your needs and discuss potential next steps. Please do not hesitate to reach out to the colleagues listed below, or to your local Aon Account Executive and supporting team.
Aon plc (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Our colleagues provide our clients in over 120 countries with advice and solutions that give them the clarity and confidence to make better decisions to protect and grow their business.
© Aon plc 2022. All rights reserved.
About Cyber Solutions:
Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets and recover from cyber incidents.
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.