How to Prevent a Utility Hack
Every day, hackers, skilled and unskilled, opportunistic and organized, increasingly take aim at America’s critical energy infrastructure. They steal confidential information and invade control systems. And, despite years of warnings and crippling attacks, this country’s network of pipelines, electric grids and power plants remains highly vulnerable.
A report from IBM found that the energy industry was the third most targeted sector for attacks, behind only finance and manufacturing. The greatest challenge facing our energy infrastructure is the crucial need to protect systems against internal and external forces.
In February 2020, the U.S. Department of Homeland Security issued an alert about a ransomware attack that brought down a U.S. natural gas compressor facility for two days. The incident was entirely preventable – the hackers had simply sent out phishing emails with a malicious link. With an employee’s single click on the offending link, the hackers gained control of the facility’s information technology system.
More recently, one of the largest US fuel pipelines remained paralyzed after a ransomware cyberattack forced the temporary shutdown of its operations. The incident affected fuel distribution up and down the Eastern seaboard, and created a ripple effect that spread across the country.
In another terrifying turn of events, when a water treatment facility in Oldsmar, Fla. was hacked, that city’s drinking water was nearly poisoned. The culprit, likely a former employee, took advantage of the lack of a firewall, an outdated operating system, and the fact that staff all used the same password.
Utility security is also being impacted by the industry’s transition from analogue to digital control, connected technologies such as edge and cloud computing, and the move from centralized power generation to distributed systems. As a result of these upgrades, information technologies (IT) are becoming increasingly bound to operational technologies (OT), generating new vulnerabilities and opening the door to more sophisticated and destructive attacks.
With threats on the rise, utility operators are no longer confident in their ability to withstand attacks. But in today’s energy ecosystem, there are steps organizations can take to stay ahead of threats.
Cybersecurity Awareness Training
Any organization’s biggest weakness is its people – in fact, over 60% of successful attacks come through phishing emails. Organizations need to have a comprehensive cybersecurity awareness training program that makes users aware of common attacks, how to identify them, and how to avoid them.
Discuss risks that are reported across the industry and look at how other organizations are responding to the threat environment. Make a complete asset inventory – both hardware and software – and uncover any gaps in the system. Generate an assessment of the organization’s capabilities and compare it to current and predicted attacks. Prioritize areas of risk and make space to adjust defenses, as security needs change over time.
Create an Incident Response Plan
All organizations should have a comprehensive incident response plan that accounts for likely attack vectors and how to identify, categorize, and respond to incidents in real time. Roles and responsibilities should be clearly laid out. The plan should be tested at least annually using different scenarios each time. Lessons learned should be recorded and the incident response plan updated accordingly.
Business Continuity and Disaster Recovery Plans
Organizations need to have a business continuity and disaster recovery plan. These plans will account for business continuing to operate and/or recover quickly in the event that the organization is breached by a cybersecurity-related incident. These plans need to account for all likely failure and restoration scenarios. Roles and responsibilities should be clearly laid out. The plans should be tested at least annually using different scenarios each time. Lessons learned should be recorded and the plans updated accordingly.
Staying current with new security technologies goes a long way to reducing the risk of a breach. Remaining current includes the increasing use of digitization, as utilities that continue to upgrade can have a greater overall grasp on system conditions.
Having a long-term cybersecurity strategy will allow organizations to align both short and long-term cybersecurity objectives. Once this strategy is in place, organizations will have a clearer picture of where resources can be allocated and implemented to have the greatest impact on reduction of operational risk.
Patch and Update
The most hacker-resistant environment is the one that is carefully administered. Stay on top of patching, system/application updates, platform migrations, user administration and configuration management. These basic efforts can reduce the risk of cyber events and opportunistic attacks.
Phishing emails, infected attachments and the use of simple passwords are the number one entry point for malware into an enterprise system. By having a suite of controls on the endpoints and servers in the email environment, security teams can identify and shut down viruses, malware, and other unwanted programs. All endpoints should also remain under management and be kept current. Understanding what threats an organization’s email controls are preventing, and what its exposures are, is an essential element of security hygiene.
Multi-factor / Multi-step Authentication
Hackers crack, intercept and disclose authentication credentials at an alarming rate. Using strong, multi-factor authentication methods and combining them with detection and alerts on failed login attempts can provide evidence of what or who may be the focus of targeted attacks. Also, regularly refreshing staff credentials can prevent hackers from using any previously discovered logins.
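One way to implement the failed-login detection this section calls for, as an added example that is not part of the original article: it parses constructed authentication log lines (the format and every value are made up for illustration) and reports which accounts and which source addresses accumulate repeated failures inside a short window, which is the evidence of targeting the text refers to.

```python
# Added example, not from the article: count failed logins in a sliding window
# to surface which accounts and which source addresses are being targeted.
# Log format and values are constructed; adapt parse() to your own auth logs.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-04T08:12:01Z auth_fail user=operator src=10.0.5.23
2024-03-04T08:12:05Z auth_fail user=operator src=10.0.5.23
2024-03-04T08:12:09Z auth_fail user=operator src=10.0.5.23
2024-03-04T08:12:14Z auth_fail user=operator src=10.0.5.23
2024-03-04T08:12:20Z auth_fail user=operator src=10.0.5.23
2024-03-04T08:13:00Z auth_fail user=admin src=198.51.100.7
2024-03-04T08:13:02Z auth_fail user=scada src=198.51.100.7
2024-03-04T08:13:04Z auth_fail user=hmi src=198.51.100.7
2024-03-04T08:13:06Z auth_fail user=backup src=198.51.100.7
2024-03-04T08:13:08Z auth_fail user=root src=198.51.100.7
2024-03-04T09:30:40Z auth_ok user=jsmith src=10.0.7.4
"""

LINE_RE = re.compile(r"^(\S+) (auth_fail|auth_ok) user=(\S+) src=(\S+)$")

def parse(log_text):
    # Turn log lines into (timestamp, outcome, user, src) tuples; skip junk.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_targets(events, threshold=5, window=timedelta(minutes=5)):
    """Return ({user: peak_failures}, {src: peak_failures}) for keys that hit
    `threshold` failures inside `window`. A burst on one user points at a
    targeted account; a burst from one src across many users looks like spraying."""
    recent = {"user": defaultdict(deque), "src": defaultdict(deque)}
    hits = {"user": {}, "src": {}}
    for ts, outcome, user, src in sorted(events):
        if outcome != "auth_fail":
            continue  # successful logins do not count toward the burst
        for dim, key in (("user", user), ("src", src)):
            q = recent[dim][key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hits[dim][key] = max(hits[dim].get(key, 0), len(q))
    return hits["user"], hits["src"]
```

Feeding the sample through `find_targets(parse(SAMPLE_LOG))` flags the `operator` account and both source addresses; the single success for `jsmith` is ignored.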
Segmentation and Filtering
Limit the ability for systems to communicate across and outside the network through a combination of controls, such as firewall policies. Using proxy servers is also an opportunity for organizations to increase security. A proxy server can limit the impact of a hack and help prevent an incident from becoming a public data breach.
Least Privilege or Zero-Trust Architectures
To successfully mitigate the current cybersecurity threat environment, organizations need to implement least privilege or zero-trust architectures. Far too often organizations allow more privileges than are needed for operations for the sake of convenience. This allows far greater access and installation privileges than are necessary for business operations. Cybersecurity is not convenient. Escalated privileges need to be limited in scope to only qualified individuals and used only when necessary.
Clear Ownership of Systems
Align people, processes and technology to mitigate risk. Specific personnel should be assigned responsibility for different aspects of system security, and accountability should be transparent all the way to the C-suite.
Determine what skillsets and security improvements are needed, and then respond with the budget and resources to implement change. It’s vital that leadership allocate attention to the kind of cyber defenses that are equal to the growing risk to utilities.
Invest in Skilled Specialists
Cybersecurity often requires expertise from control engineers, security specialists and network specialists. Investing in talent can change the conversation from what has happened to preventing what could happen.
Our utilities remain at great risk, and a significant breach could affect millions of users, damage essential infrastructure and sow chaos. Regardless of how a breach may occur, it’s incumbent upon leaders in the utility industry to make the kinds of substantive changes to networks and processes that prevent widespread catastrophe.