CyberSec Update #11 – An incident in the energy sector
An analysis of a high-profile incident in the energy sector and key takeaways for businesses. How can IT systems be secured in accordance with NIS2 and the UKSC?
A high-profile incident in the energy sector – lessons every business owner should learn
A high-profile incident in the energy sector occurred on 29 December last year. It affected entities belonging to the OSE, including wind and solar farms, a large combined heat and power plant, and a company from the manufacturing sector. Information about the incident only reached the public a month later. A detailed technical description and analysis of the incident’s course are available in the CERT Polska report, which is well worth reading: report – incident in the energy sector. I also refer you there for the sequence of events accompanying the attacks on the individual entities.
In this article, I wish to highlight the circumstances surrounding the incident that affected the manufacturing company and outline the lessons that virtually any business owner can learn from it – regardless of their industry.
What was the attack vector?
The attackers’ aim was to gain access to edge devices that had previously been found to be vulnerable. The configuration details of these devices were stolen and published on one of the forums used by cybercriminal groups.
The publication of the configuration enabled the attackers to gain access to the devices and change user passwords. As a result, the criminals were able to maintain unauthorised access for an extended period, which further increased the scale of the threat.
Lessons from the incident – what can every business owner learn from it?
In business, just as in private life, it is best to learn from other people’s mistakes. In this case, the key lessons include consistently strengthening cybersecurity and regularly monitoring the IT environment.
Above all, constant monitoring of the products and devices used in business operations
In particular, it is worth ensuring:
- monitoring security updates released by manufacturers – such updates often fix critical vulnerabilities that expose the business to risks such as authentication bypass and unauthorised access to administrative functions,
- promptly responding to published security patches that address critical vulnerabilities,
- verifying device configurations and their compliance with best security practices,
- restricting administrative access to only where strictly necessary,
- continuous monitoring of logs to detect anomalies and unusual activity,
- updating antivirus signatures and using tools for automated patch management.
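As an added illustration of the last of these points (this is example code, not part of the original article or of the CERT Polska report), the snippet below runs a simple check over constructed device audit-log lines in a generic key=value format and flags the pattern seen in the incident: a configuration export, an administrative login from an address outside an assumed allowlist, and subsequent password changes from that address. The log format, event names, addresses and allowlist are all assumptions.

```python
"""Flag the edge-device takeover pattern (config leak -> admin login -> password
changes) in device audit logs. Sample data and log format are constructed."""
import re
from collections import defaultdict

# Constructed sample audit lines; a real device's format would differ (assumption).
SAMPLE_LOG = """\
2024-01-15T01:02:11Z LOGIN user=admin src=10.0.5.20 result=success
2024-01-15T01:05:40Z CONFIG_EXPORT user=admin src=10.0.5.20
2024-01-15T03:10:02Z LOGIN user=admin src=203.0.113.77 result=success
2024-01-15T03:11:15Z PASSWORD_CHANGE user=admin by=admin src=203.0.113.77
2024-01-15T03:12:00Z PASSWORD_CHANGE user=operator by=admin src=203.0.113.77
2024-01-15T09:00:00Z LOGIN user=operator src=10.0.5.21 result=failure
"""

# Addresses from which administrative access is expected (assumed allowlist).
ADMIN_ALLOWLIST = {"10.0.5.20", "10.0.5.21"}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) (?P<rest>.*)$")

def parse_line(line):
    """Parse one 'timestamp EVENT key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {"ts": m["ts"], "event": m["event"], **fields}

def find_alerts(log_text, allowlist=ADMIN_ALLOWLIST):
    """Return (timestamp, reason) tuples for activity worth an analyst's review."""
    alerts = []
    changes_by_src = defaultdict(int)  # password changes per source address
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        src, ev, user = rec.get("src"), rec["event"], rec.get("user")
        outside = src not in allowlist
        if ev == "LOGIN" and rec.get("result") == "success" and user == "admin" and outside:
            alerts.append((rec["ts"], f"admin login from non-allowlisted source {src}"))
        if ev == "CONFIG_EXPORT":
            # Leaked configuration was the initial access in the incident, so every export is reviewed.
            alerts.append((rec["ts"], f"device configuration exported by {user} from {src}"))
        if ev == "PASSWORD_CHANGE":
            if outside:
                alerts.append((rec["ts"], f"password of {user} changed from non-allowlisted source {src}"))
            changes_by_src[src] += 1
            if changes_by_src[src] == 2:  # second change from one source: possible lockout of legitimate users
                alerts.append((rec["ts"], f"multiple password changes from {src}"))
    return alerts
```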
What do NIS2 and the UKSC Act require in this regard?
The NIS2 Directive and the amended Act on the National Cybersecurity System (UKSC) place particular emphasis on proactive cyber defence and the prevention of breaches of network and information system security.
One of the principles of the information security management system implemented by key operators and important operators is to take into account vulnerabilities related to hardware or software suppliers.
During vulnerability audits, Mikołaj Prochownik, Andrzej Broniewski and Przemysław Strzępek verify, amongst other things, how businesses falling within the scope of NIS2 fulfil this obligation and whether they properly manage the risks associated with supplier vulnerabilities.