By Hunter Donahue
The growing number of cyber-attacks against both public and private utilities in recent years has led to increasing concern for one of the globe’s most critical sectors. Due in large part to the complex nature behind the infrastructure that provides basic amenities such as clean water, sewage services, natural gas, electricity, and more, utility providers have quickly found themselves in the crosshairs of malicious actors. Utility companies and threat actors alike are seeing the immense impact that a security incident can cause, and how unprepared some utility companies can be. In this blog we will cover some of the biggest issues that are affecting the utility sector, and how companies can begin to mitigate the risk associated with inadequate cyber defenses.
#1- Legacy Systems
Many of the leading utility companies have a long history in the business. To build upon the hard work these companies put into constructing their highly engineered networks, distribution centers, power grids, control systems, and communication technologies, some modernization needs to occur. For many utility companies, key assets are outdated and unprotected from the ever-evolving threats posed by today’s interconnected world and cybersecurity landscape.
It’s understood that updating many of these technologies is a lengthy, sophisticated, and costly process, but it is a process that must be accomplished nonetheless. Leaving legacy systems vulnerable to known security flaws is an outright invitation for cyber criminals to attack critical company resources and disrupt the continuity of these vital services. Solutions that can help protect these assets include applying the right security controls and segmenting off fragile and vulnerable portions of networks to minimize the scope of potential damage. Additionally, by integrating security monitoring software, utility companies can catch malicious actors in the less fortified parts of their systems and mitigate the risks and damages caused.
#2- Extensive Attack Surface
From physical security considerations to the technologies powering industrial control systems, the scope of the utility sector’s attack surface cannot be overstated. There is significant variance in the implementation of both physical and non-physical security measures across different locations, even within the same company. This is in large part due to the geographic sprawl of the utility sector and the requirement for physical locations to be dispersed into localities and, thus, led by local management.
The reach of impact that a security incident can cause is closely tied to how the utility company manages their physical security and how they have designed their infrastructure. When a specific location or physical asset is compromised, malicious actors may be able to leverage the location or asset’s vulnerabilities to cause immediate and devastating damage to the surrounding area. This can be achieved through remote access, the introduction of malware through a local/vulnerable location, or pivoting through a trusted communication path in the organization’s corporate networks. Furthermore, the nature of the utility sector leads to many personnel being one or two steps away from having the privileges needed to access key assets that can be easily compromised if human error occurs or insufficient security practices are in place.
This attack surface can be minimized through the implementation of new policies, regular personnel training, enforcing physical asset management (i.e. isolating servers in secure rooms and site access control), and improved oversight and/or regulation of security management. Additionally, the Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector by the Idaho National Laboratory recommends that “...utilities perform system assessments to minimize the attack surface of generation facilities and identify potential attack vectors available to threat actors.”
#3- Increase in Threat Actor Activity
Unsurprisingly, the utility sector is facing a clear increase in cyber-attacks. Between the rapid modernization of the critical technologies that drive utility services and an emergence into new, distributed markets such as wind and solar, malicious actors are salivating over the potential to inflict catastrophic harm. In fact, a recent survey by WeForum found that 54% of companies are expecting to experience an operational technology (OT) attack in the next 12 months. As other sectors such as healthcare and finance are routinely targeted, they have developed thorough risk mitigation and incident response plans. Those in the utilities sector should work to follow the lead of the healthcare and finance sectors and adopt similar measures to defend themselves against cybercrime.
The utilities sector is in the midst of a perfect storm. Just as the industry is modernizing equipment to stay relevant in the digital age, preparing for a more distributed energy landscape and protecting customers against disruptions, malicious actors are targeting it with an increased fervor. Making investments into cybersecurity and creating the policies and procedures necessary are key to mitigating the risk associated with these issues and providing a better and safer environment for the companies to grow and thrive.