As the utility sector becomes more digitized, it also becomes more vulnerable to cybersecurity threats. Over the last five years, utility companies have adopted new software to control operational technology (OT), moved towards technology-heavy green energy sources like wind and solar, and made large investments in big data, cloud computing and IoT. All of these changes have increased their attack surface and exposed critical infrastructure to cyberattacks. In fact, recent research from industrial control system (ICS) security firm Dragos shows that more than a third of the hacking groups it tracks (which typically focus on critical infrastructure and ICS) are targeting vulnerabilities in the electric sector in North America. As a result, utility companies and their partners are putting more resources into understanding these cyber risks and how to defend against them.
A recent report from Siemens and the Ponemon Institute examines three key areas related to this threat: 1) the cyber risks facing utility companies and what kind of damage they could cause, 2) the overall readiness of the industry to meet those risks, and 3) the most effective solutions to counter them. The study surveyed a range of utility professionals responsible for securing or overseeing Operational Technologies (OT) assets and compiled the results. Here’s what they found.
54 Percent of Utility Executives Expect Attacks on Critical Infrastructure
Siemens and Ponemon’s research found that OT was at a higher risk of cyberattack than IT. Past attacks primarily targeted IT systems to steal data, but current and future attacks will also attempt to hijack control systems and logic controllers that operate critical infrastructure. The increasing use of software in OT – like software-managed gas turbines and brownfield engine exchanges – has created a larger attack surface for hackers to exploit. As a matter of fact, 54 percent of respondents expect at least one cyberattack on critical infrastructure within the next year, and a slightly larger majority reported experiences with a shutdown or loss of operational data annually. Interestingly enough, the majority surveyed believe that cyberattacks were more likely to results from an insider threat than an outside attacker.
The IT security issue hasn’t gone away either – utility customers have large amounts of valuable customer data including credit card information and home addresses they must protect. Keeping this data secure amidst the web of contractors and third parties that need to access it is hard enough. Add on the growing risk from OT and utilities face a formidable task indeed.
From a network security perspective, OT systems at utilities have several major issues. First, operational technology is often left in place for 10-20 years and is quite difficult to upgrade or patch. Any software vulnerabilities in these systems will likely remain open and exploitable for several years. Pair this with the influx of new technologies (often rolled out to increase productivity with minimal attention paid to their security) creates many potential vulnerabilities for attackers to exploit. Second, the size of utility company networks, with dozens of remote sites sending data back and forth from a central HQ via multiple sub-networks, makes it nearly impossible to find traffic that indicates malicious activity without specialized tools. There is simply too much data.
Many experts in the infosec community believe that cyberattacks on ICS controllers will increase in 2020 for two reasons. First, ICS ransomware is on the rise. Consider the high-profile ICS attack that cost Norwegian aluminum manufacturer Norsk Hydro $58-$69 million USD in the first half of 2019, the Snake ransomware believed to be linked to Iran, or the Ryuk ransomware that targeted several oil and gas manufacturers in early 2020. Second, utilities are a prime target for hostile nation-state actors trying to sow chaos. We have already seen malware like NotPetya or WannaCry that’s been attributed to nation-state hackers (or made using tools leaked from nation-states). Utilities will be targeted with advanced malware in the near future – the question is if they are ready to defend against it.
Readiness Among Utilities is Uneven
While some utility companies surveyed in the Siemens/Ponemon report felt they were highly prepared for a breach, many did not. Overall, 42 percent of respondents rated their cyber readiness as high and 31 percent rated their ability to contain a breach as high. Smaller organizations were less confident in their security preparedness than large ones. Significantly, most respondents rated their ability to inventory their digital assets as low. There are many reasons for this deficit of preparation including lack of visibility into networks, lack of training and qualified personnel, slow response to security incidents, and an incorrect belief that security for IT assets would also protect OT assets.
The best way for utilities to improve their cyber readiness is to plan ahead for cyber incidents and create procedures for how to respond to them. These should include both proactive and reactive elements to reduce risk of cyberattacks, and what steps to take when an attack occurs.
Keep Up With the Tech, Detect Attacks and Respond
The report provides some guidance for improving security protections. Recommendations include getting better visibility into OT systems, hiring or training employees in cybersecurity to improve expertise understanding the complexity of their technology, and making security improvements an ongoing process.
It’s difficult to provide meaningful security on a network when operators can’t see all of the systems operating on that network. Utilities may have multiple networks, or sub-networks with different systems running on each, all at different levels of security. Getting full visibility into this tangled network web should be a high priority for all utility companies. This allows them to determine their baseline security and identify areas that need to be improved. It’s also important for utilities to harden all of their OT systems from an attack, but without detailed visibility into their network they won’t know which system need to be hardened – or if certain systems even exist at all. Getting better network visibility and doing a full security audit of all connected systems should be priority #1 for utilities that want to improve their readiness.
AI and big data analysis are reportedly used by 18 percent of utility organizations in the Siemens/Ponemon survey to monitor operations and recognize threats. This is a promising development. Often an IDS will generate so many security alerts that it’s impossible for a team of analysts to respond to them all. Having a system that can automatically take remediation actions can significantly improve an organization’s security. AI can also assist in detecting obfuscated threats that won’t be caught by signature-based antivirus.
All in all, cybersecurity for utilities is a major challenge. Utilities will almost certainly face an increase in advanced cyberattacks targeting OT technology over the coming years, and they vary widely in their level of preparedness. But improvement is possible. Utilities can greatly mitigate their risk by getting more granular visibility into their networks, creating proactive security incident plans, and staying up to date on security technology that can protect their OT assets.
At Bricata, we provide the critical network visibility and context that many utility companies lack. Our solution uses high-fidelity metadata and packet capture to see everything happening on a network. This visibility and contextual awareness combined with our threat detection, threat hunting and post-detection response capabilities in a single, integrated platform can speed up incident response by over 800%. Read more about how Bricata can improve your network visibility, or schedule a demo to see our solution in action.
If you enjoyed this post, you might also like:
- Cliff Notes to 5 Studies about the State of Cybersecurity in Healthcare
- 5 Emerging Vectors of Attack and Recommendations for Mitigating the Risks
- Practical Tips Leaders Can Use to Build a Culture of Cybersecurity