Suncor Energy cybersecurity incident once again highlights need for cyber resilience, operational continuity

Recent incidents such as the one at Suncor Energy are another reminder to the energy sector to prioritize cybersecurity and invest in robust security measures that safeguard critical infrastructure and maintain operational continuity. Organizations need to strengthen their own controls as well as the security protocols they require of third parties. Cyber attacks on the sector can disrupt supply chains, damage economies, and undermine national security. As supply chain attacks become more visible, organizations must collaborate to improve cybersecurity and mitigate shared risk.

The Suncor Petro-Canada cybersecurity incident disrupted services, including payments at Petro-Canada pumps, affecting Canadians nationwide. The cyberattack on Suncor Energy's systems caused technical issues that prevented customers from paying with credit cards or rewards points at Petro-Canada gas stations. Payments to suppliers were also impacted, further illustrating the scope of the breach. While some stations were reportedly still accepting cash, the incident amounted to a significant disruption of retail operations.

Details about the Suncor Energy cyberattack, such as the specific nature of the breach and the extent of the compromised data, have not been disclosed publicly. However, Suncor Energy has acknowledged the incident in a Jun. 25 statement and said it is working towards restoring services and addressing the impacts of the breach.

With the cyberattack on Suncor, some services at Petro-Canada gas stations were also interrupted. “Our sites are open, with debit and credit transactions available at most locations in addition to cash payments,” the firm stated in a Jun. 29 Twitter message. 

“Our app, Petro-Points program, and some car washes remain unavailable,” Petro-Canada added. “We’re making progress on resolving the disruptions customers have been experiencing and will continue to update you as more services come back online.” 

Last month, the Canadian security agency assessed that the nation's oil and gas sector will 'very likely' continue to be targeted by state-sponsored cyber espionage for commercial or economic reasons. Such activity puts proprietary trade secrets, research, and business and production plans at risk. The agency also warned the oil and gas sector about cyber threats originating from the digital supply chain, emphasizing that threats can propagate through digital information transfer, which makes supply chains an extended attack surface for Canadian organizations.

The agency added that it is aware of efforts by Russian state-sponsored threat actors to compromise and establish persistence (i.e. pre-positioning) on the networks of Canadian and US critical infrastructure providers, including organizations in the oil and gas sector. It expects that Russian espionage, with the goal of pre-positioning on OT networks, will very likely continue. Furthermore, it assesses that state-sponsored cyber threat actors are almost certainly continuing to improve their capability to conduct destructive or debilitating cyber activity against critical infrastructure.

Industrial Cyber reached out to executives in the industrial cybersecurity space to identify the lessons learned from the Suncor Energy and Petro-Canada incident. They also highlight the key points of the cybersecurity incident.

Thomas Pace, co-founder and CEO at NetRise

The key takeaway is that adversaries will continue to target critical infrastructure as they understand that these attacks will have a real-world impact on people, Thomas Pace, CEO of XIoT firm NetRise, told Industrial Cyber. “Minimal information related to the specifics of the attack has been published, so providing any specific lessons learned is challenging.” 

However, Pace added that it is clear that many critical infrastructure verticals are coming under more and more attacks and that more budget for these industries will almost certainly be required to stem the tide of attacks.

Ron Fabela, field CTO at Xona Systems

“As Petro-Canada and parent Suncor recover from this attack it's important to understand the impacts,” Ron Fabela, field CTO at cybersecurity firm XONA Systems, told Industrial Cyber. “While the ability to use debit/credit at the pump and the ability to use car washes were degraded, this attack in no way compares to the Colonial Pipeline event in 2021.” 

Fabela added that not all critical infrastructure attacks are equal “as we will continue to see ransomware and other events affect ICS companies and indirectly impact operations.”

However, he pointed out that in this case, “the extended time to recovery is indicative of the need for more resilient systems across all parts of the organization.”

Ron Brash, vice president of technical research and integrations at software security firm aDolus Technology, told Industrial Cyber that it is far too early to say what all the lessons learned were, but the convergence of technologies that produced initial cash savings through centralization, increased control, and reduction of suppliers may lead to unintended consequences when disrupted. 

Ron Brash, vice president of Technical Research and Integrations at aDolus Technology

“From all accounts, affected retail locations’ ability to move product was degraded due to the lack of POS/loyalty points program availability, and also severely reduced revenue generated from other goods in their stores – especially in a society that is almost cashless post-COVID,” Brash said. “However, this event is not a lesson on OT cybersecurity (although that may be partially true if enterprise AD issues transcended into OT sites, inventory management systems, and OT adjacent/connected assets), but instead this event emphasizes the importance of an organization’s ability to be resilient and operate in a degraded state using alternate methods.” 

On the other hand, Brash added that “we can say that having multiple corporations with their own infrastructure, numerous locations, and having a healthy competitive market at least provided some redundancy (when compared to a single major pipeline being disrupted).”

He added, “But if I were in charge of DRP and BCP, I would be very concerned that newer retail locations could not manually dip tanks, employees could calculate costs using simple arithmetic, check meters and determine volume, and phone in visas/carbon copy cards – this level of traditional resiliency is absent in the Western world, and today’s ease/convenience has left nearly any payment-driven environment vulnerable.”

Mike Hamilton, CISO of Critical Insight

“I think the lesson here is that the intelligence report that stated Russians were coming after Canadian energy infrastructure was accurate, that the pipeline disruption earlier this year was round one, and now Suncor is round two,” Mike Hamilton, CISO of Critical Insight, told Industrial Cyber. “And while there is a lot we don’t know, I think that since both Suncor’s operational technologies AND payment systems were disrupted, the goal seems to have been exactly as suggested – produce psychological impacts on the Canadian population.” 

Hamilton added that this appears to be retaliation for Canada announcing that it would boost oil and gas production to help the European Union cut its use of Russian energy.

The executives also evaluate the level of preparedness of the Canadian critical infrastructure sector when compared to its US or European counterparts.

Pace said that Canada certainly has a significantly smaller budget than at least the United States in terms of protecting critical infrastructure. “Additionally, Canada needs to protect an incredibly large geographical area with a budget that is likely not commensurate with that in mind.” 

In terms of its European counterparts, it depends on the country, according to Pace. “Countries like Germany and the UK have more sophisticated cyber defense capabilities than say Italy and Spain.”

“As these attacks increase in severity and frequency, organizations around the world are more aware of the risk of inaction,” according to Fabela. “Now is the time to plan incident response and recovery procedures, and implement technologies such as secure access and monitoring. There's not enough data to determine a comparison, but each event is a chance for the community to prepare ahead.”

Brash assesses that Canadian infrastructure is generally a mixed bag of readiness because it spans many industries, but oil and gas has been ahead of other sectors in terms of time, maturity, and budget. “Not to say it is entirely secure, it is not, but there has been a general amount of awareness and some investment for nearly two decades – hopefully this proves effective.” 

“But, when compared to Europe, and depending on the sector, we suspect that it’s less of a question of can Canadian critical infrastructure recover, but instead, whether society is ready for significant disruptions and events, or when multiple events collide and create cascading results,” according to Brash. “Thankfully, Petrocan in this case was just one of the major suppliers of refined product, was not a pipeline, it was summer, there was minimal/nonexistent panic, and was not the sole large-scale employer, unlike pulp-mills in remote regions.”

Hamilton said that neither Canadian nor U.S. infrastructure – especially those involving industrial control systems for energy, water, etc. – are very well hardened or monitored for signs that preventive controls have failed.

Looking ahead, the executives also focused on the next steps for the critical infrastructure sector.

“These attacks further highlight the desire to target critical infrastructure,” Pace said. “Next steps here should include but not be limited to increased visibility, compliance requirements, and budgetary increases due to the very real-world impact that these types of attacks can have on society as a whole.”

Fabela said that any cyber event, whether a direct APT (advanced persistent threat) attack or opportunistic ransomware, that affects critical infrastructure operations should be taken seriously and as a recipe for what’s ahead. 

“The prevalence of ransomware targeting remote access services, as with Colonial Pipeline, or exposed vulnerable technologies such as MOVEit is only going to continue to have a secondary impact on the safe and reliable operations of critical systems,” Fabela added. “Regardless of the severity of eventual impacts, this continues to be a concern for not just the US, but critical infrastructure organizations around the world.” 

He advises creating plans around incident response, implementing technologies that support visibility and zero trust architectures, and taking those first concrete steps into preventing future attacks instead of waiting for them to strike close to home.

Brash said that from a realist perspective, “this was a business as usual type event, and highlights the need to be able to recover and operate simultaneously. Depending on the assets affected, this may result in payment processing/PCI changes or general cybersecurity laws/procedures in regard to reporting, but I am highly doubtful the consequences of this event will result in change unless shareholders take a keen interest and force investment.”

“I expect that NERC will take another pass at the critical infrastructure protection standards for energy generation and distribution, and address more of the ICS/OT issues such as monitoring those environments,” Hamilton said. “This may include a relaxation of the ‘electronic security perimeter’ to allow those environments to be continuously monitored by third parties.”

Hamilton concluded by saying that he also expects a doubling down on the federal government’s ‘secure by default’ initiative, emphasizing PLCs, RTUs, remote telemetry, and industrial Internet of Things products.
