The energy sector often tops the list of industries on the receiving end of cyberattacks. This year’s ransomware attack on Colonial Pipeline, the largest fuel pipeline in the US, has shown the industry’s vulnerability.
For a nuclear power plant, there are no second chances when it comes to cybersecurity. One mistake or loss of concentration, one infected computer, and power can be shut down across an entire region, potentially putting lives at risk. Today, the risks have never been greater. It’s easier than ever for an attacker to send a phishing email, create a bogus web form or infect a website with malware.
What’s the attraction for attackers? Power plants are strategic infrastructure and are of huge economic value. Nation-state actors and hacktivists can cause significant disruption, or use techniques like ransomware to draw attention to their political agendas. The organisations, under huge pressure to maintain availability of services, often pay the ransom — although that does not guarantee that systems will be turned back on, or that it will not happen again.
Energy companies are often geographically diverse. As a result of the global pandemic, a growing proportion of the workforce is now working remotely. Decentralised cybersecurity teams have to manage the increased ‘attack surface’ that has been created by these changes, and eliminate threats from the web and email.
They also often have complex interdependencies between physical and IT infrastructure. Security professionals are responsible for managing the risks posed by unique endpoints — including a complex assortment of operational technology (OT) — all of which can be vulnerable to attack.
To defend against the increasing number of attacks, organisations must mobilise their capability to prevent users, data and applications from providing an easy first point of entry for attackers. They are exploring strategic approaches, such as ‘zero trust’, and deploying solutions that create a so-called ‘air gap’ between users and the Internet, such as secure web gateways powered by isolation. Isolation ensures that no one can connect directly to an organisation’s devices as the first step of an attack, even if a user clicks on a malicious link or downloads a suspicious document.
Gösgen nuclear power plant on the Aar River in Switzerland understands the risks better than most and has worked closely with Menlo Security over the last few years to ensure employees can work safely and productively.
Balancing risk with employee productivity
Knowing that a security solution must balance risk with employee productivity, the cybersecurity team at Gösgen previously focused on maintaining reliable yet secure Internet access for users by creating a homegrown ‘isolation’ solution based on VMware ThinApp. This isolated all web traffic in a virtual browser, far from the user’s device — shutting down malware access to the endpoint. While it proved to be a highly secure, highly reliable technology that allowed users to browse the web and access email without putting the organisation at risk, it had its challenges. ThinApp is rarely updated by VMware, so much of the regular maintenance had to be done by Gösgen’s IT team. Even then, the team could not guarantee that every client on every user device was up to date.
According to Manuela Schweizer, Security and Network Engineer for Gösgen, they, “were falling behind more and more. The workload of preparing Firefox for virtual deployment was considerable. That’s why we looked for a new solution that would keep up with browser development and reduce workload.”
Schweizer and François Gasser, Gösgen’s IT security officer, worked with BOLL Engineering and BNC Business Network Communications AG, the plant’s IT consulting and implementation partner, to find an isolation solution that would enable a native browsing experience for users while protecting against email and web-based threats. The solution also needed to reduce the maintenance burden on the IT staff.
Trials were set up, including one of the Menlo Security Cloud Platform. The Menlo solution works by moving the ‘fetch’ and ‘execute’ commands off the end device (such as a mobile phone or laptop) and into a closed virtual browser environment. Only safe content is rendered to the user’s browser. All active code, including JavaScript and Flash, is executed in the virtual browser environment, where it has no access to the user’s machine. Instead, users receive a rendered web page that has all the active code stripped out via a proxy service that removes scripts and automatically converts Flash videos to MP4 files. This eliminates the need to install any client software on endpoints, allowing users to access the web, links, and documents in emails with no impact on speed, performance, or the native experience.
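To make the "active code stripped out" step concrete, here is a simplified, added illustration of the content-rewriting an isolation layer performs before forwarding a page to the endpoint; it is not Menlo Security's code, and it assumes a minimal treatment of HTML (script, object, embed and applet elements, on* handlers and javascript: URLs) rather than full browser semantics.

```python
from html import escape
from html.parser import HTMLParser

# Element types whose content executes or loads a plugin; never forwarded to the endpoint
ACTIVE_TAGS = {"script", "object", "embed", "applet"}
# Void elements carry no closing tag in HTML, so none is emitted (or expected) for them
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "source", "param", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveContentStripper(HTMLParser):
    """Re-serialises a page without active elements, on* handlers or javascript: URLs."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded and is re-escaped on output
        self.out = []
        self.skip_depth = 0  # > 0 while inside a non-void ACTIVE_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            if tag not in VOID_TAGS:  # <embed> has no closing tag, so it is dropped without nesting
                self.skip_depth += 1
        elif not self.skip_depth:
            kept = []
            for name, value in attrs:
                is_handler = name.startswith("on")  # inline event handler such as onload / onerror
                is_js_url = name in URL_ATTRS and bool(value) and value.strip().lower().startswith("javascript:")
                if not (is_handler or is_js_url):
                    kept.append(f' {name}="{escape(value, quote=True)}"' if value is not None else f" {name}")
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS and tag not in VOID_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def strip_active_content(page: str) -> str:
    # Returns the passive rendering that would be forwarded to the user's browser
    parser = ActiveContentStripper()
    parser.feed(page)
    parser.close()
    return "".join(parser.out)


# Constructed sample page (not captured from any real site)
SAMPLE = (
    '<html><body onload="init()"><h1>Outage report</h1><script>fetch("/exfil")</script>'
    '<a href=" JavaScript:alert(1)">link</a><object data="player.swf"><param name="q" value="high"></object>'
    '<img src="chart.png" onerror="alert(1)"><p>Plain &amp; text</p></body></html>'
)
```

Running `strip_active_content(SAMPLE)` yields the same page with the script, the Flash object, the javascript: link target and both inline handlers removed while the text and image remain.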
Private cloud-based web security solution
Gösgen now has a web security solution capable of delivering traditional web filtering control and access, with malware protection.
Because of data privacy issues, Gösgen deployed the Menlo solution in a private cloud environment built and maintained by its own IT team. All employees were informed about the new platform via the company intranet, but training was unnecessary. In fact, users are completely unaware of the underlying technology they are using, allowing them to get on with their work without any impact.
All 550 employees at the plant, plus a few external partners, can now surf the web productively and safely. More important for the team at Gösgen is knowing that no malicious code can reach users’ devices, so they can sit back, relax and allow employees to access websites that previously had to be blocked.
Brett Raybould is EMEA Solutions Architect at Menlo Security