With energy resources under attack, zero-trust security is the answer

Zero-trust systems require verification from a highly-verified source before any given change can be made to a system or network.

A power station is seen in the southern Israeli city of Ashdod August 8, 2011 (photo credit: AMIR COHEN/REUTERS)

As network technology grows more complex with every passing day, the race to keep network-connected assets, machinery and resources safe has only increased in pace. One particularly expensive example of this struggle between advancement and security is theft within the energy sector.

By taking command of the network-connected machinery which manufactures and transports energy resources such as oil or electricity, nefarious actors are able to throttle, steal and ransom access to those resources. This has led to the loss of tens of billions of dollars every year globally, and recent geopolitical turmoil has only made things more dire.

The war in Ukraine has exacerbated the issue of energy theft by making energy more scarce. Between UN sanctions on Russian resources, and Russia withholding access to those resources in the first place, the amount of energy that is globally available has decreased, resulting in higher prices and more demand for energy than ever. In turn, this has made cyber energy theft even more appealing to hackers and nefarious actors.

“If energy is critical, and energy is less accessible, there’s profit to be gained [from attacking it],” observed Eran Fine, CEO of cybersecurity firm NanoLock. His company uses its zero-trust cybersecurity platform in order to prevent nefarious activity from being carried out using clients’ machinery — including electricity generators or oil pipelines — whether it’s network-integrated or not.

Fine pointed out that, while these kinds of attacks can be carried out by anyone from the individual to the state level, “What's common to all of them is the issue of trust. Trust in employees, suppliers and so on are [potentially] a good entry point for attackers,” as it can more easily be exploited.

Eran Fine, CEO of cybersecurity firm NanoLock (credit: Shlomo Peretz/Peretz Communication)

Zero-trust systems use a 'guilty-until-proven-otherwise' approach to protect systems

In order to solve this, NanoLock and other cybersecurity companies like it have developed zero-trust systems which use a lot of complex programming in order to eliminate the need to trust any given individual attempting to access or change a system. Only by receiving verification from a highly-verified source can any given change be made to a system or network protected by their platform, resulting in a guilty-until-proven-otherwise approach to cybersecurity that can keep a client’s operational technology secure from anyone.

By leveraging this technology, Fine believes that his company has an advantage in the constant struggle to keep up with bad actors attempting to find security breaches. “In the cybersecurity industry you're constantly running after somebody who is, by definition, faster than you are. But what we're saying is that, no matter the advancements that happen in the technology, these attacks are ultimately geared towards accessing the machines themselves. And so by getting as close to the machine as possible and waiting for the adversary, we can simply say ‘You can’t do anything because we don't trust you by default.’”

Moty Kanias, NanoLock's VP Strategy (credit: Shlomo Peretz/Peretz Communication)

Moty Kanias, NanoLock’s VP strategy, pointed out that, despite the fact that zero-trust cybersecurity may be difficult to grasp conceptually, the protection it offers is far from hypothetical. “We’re not solving a theoretical issue,” he said, offering a recent example in which Hamas attempted to gain control of Israeli water infrastructure in order to manipulate and poison its supply.

“Poisoning drinking water, from a physical perspective, is very, very complicated. But from a cyber perspective, it can all be done from the comfort of an air-conditioned room. All you need is electricity and conductivity,” Kanias said. “If critical infrastructure doesn't have special cybersecurity systems, such as our solution, it allows people to change configurations, which can [result in anything from] rebilling to more critical and dangerous effects.”