Navigating Cyber Risk and Security for Utilities

electric utility cyber securityCybersecurity poses a growing challenge for the power industry. As energy providers embrace connected technology to reduce costs and improve efficiency, it also exposes them to serious risks. According to the U.S. Department of Energy, utilities have seen a steady rise in cyber attacks. And the threat is ever evolving.

The most far-reaching attack yet was revealed this past December. According to SEC disclosures, hackers embedded malware in software updates from SolarWinds used by up to 30,000 clients — including more than a dozen critical infrastructure companies in the electric, oil and gas industries.

“The nation’s power system is more secure, but the sophistication of threats consistently outpaces our readiness to address them,” says Kevin Peterson, security architect at Tempered. “Vulnerabilities will inevitably increase as the sector becomes more reliant on technology and networking. Today, ICS (industrial control system) and SCADA (supervisory control and data acquisition) networks are converging. New pathways become conduits for movement in both directions.”

Key challenges in securing critical infrastructure

The growing adoption of digital technologies — including smart meters, programmable logic controllers (PLCs), the Internet of things (IoT) and more — presents hurdles both in terms of the number of connected assets, and in how they’re built and managed.

“The digitization of critical infrastructure equipment gives would-be attackers a greater attack surface,” says Katie Teitler, senior analyst at TAG Cyber. “Operational technology can’t always be managed, measured or monitored with traditional informational technology (IT) or security tooling. The interdependence between physical and digital infrastructure makes energy infrastructure uniquely challenging to secure.”

“Automation is a necessary component of industrial technology,” says Jim Guinn, global managing director for cybersecurity in energy, chemicals, utilities and mining at Accenture. “But new products are engineered for usability first. Security comes on the back end. That requires strategies for testing the vulnerabilities of these devices. When you’re dealing with physical infrastructure, utilities refer to it as soaking the device, making sure it can withstand the elements. You need to do the exact same thing from a security standpoint.”

“Advanced persistent threats utilizing botnets, distributed denial of service attacks and social engineering are likely to target IoT within utilities themselves,” says Peterson. “But they’ll also focus on the supply chain and original equipment manufacturers, both of which use automation and IoT. Threat actors will exploit the gap between risks imposed by IoT and an organization’s readiness to address them.”

“The real question is: How much can you invest in protecting your most critical assets?” says Guinn. “No one has an endless cash supply. There’s no money tree to build the world’s most resilient system. You can’t protect everything. Every company has to prioritize what’s most important and determine how to best manage the risks.”

How cybersecurity strategies have shifted

Facing new attack vectors such as ICS hardware, specialized devices and firmware updates, utilities are adapting their strategies in response.

“Mitigating risk requires more than just tuning firewalls and buying additional point security products,” says Peterson. “It includes establishing policies and procedures, training staff and building on a fundamental zero-trust infrastructure that allows organizations to achieve segmented and highly resilient systems.”

“Today it’s all about a risk- and data-driven approach to cyber security,” says Teitler. “This assumes a dedication to understanding the totality of assets and exposures within a network infrastructure: its threat vectors, external attack patterns, internal telemetry, correlations between the two, how the supply chain affects security posture, and how utilities can cope with a cyber attack in terms of resiliency. Proactive measures to prevent attacks are important, resilience and recovery equally so.”

“If the chief information security officer isn’t constantly evolving strategies based on tactics, techniques and procedures of known threat actors, they’re probably missing a beat,” says Guinn. “You need to gather intelligence on what your specific adversaries are targeting and adjust your strategies to mitigate that threat. You can’t block everything from everybody.”

“Adversaries are constantly modifying their tactics,” says Peterson. “We need to follow a strategy that proactively prevents this changing threat landscape from penetrating our critical networks. The challenge is in adopting a new mindset and method for how we build secure networks — not applying network security after the fact.”

utility cyber securityAssessing, measuring and monitoring risk

Effectively managing cybersecurity risks call for proven methods to evaluate and improve security performance.

“Risk is always related to vulnerability plus imminent threat times asset criticality,” says Teitler. “Utilities need to know what assets they have in their environments, how they’re used, the impact on the business if they’re unavailable or exploited. Then they have to look at their security posture from a vulnerability standpoint: Where are weaknesses in systems and processes? How could a threat actor exploit them? Finally, there’s an understanding of the threat. Not all threats are created equal, and not all threats turn into risks. Contextualizing the threat is very important.”

“An integrated approach is needed to connect the security risk elements to business challenges in a practical way,” says Peterson. “Through a strong governance program, utilities can mandate an architecture of technologies, along with a catalog of formalized processes and required skillsets.”

“The National Institute of Standards and Technology has developed a cybersecurity framework to provide a foundation for best practices,” says Guinn. “Utilities should be testing themselves against established standards and guidelines on a quarterly basis for at least 36 months. Consistent measurement is the best way to identify where you’re behind and see forward progress.”

Steps to improve cybersecurity now

While no utility can possibly anticipate and prevent every possible threat, a proactive approach is the best protection against cyber attacks.

“The first step is always understanding and managing risk,” says Teitler. “This may seem more reactive than proactive. But most enterprises have room to improve in this area. Following industry-specific compliance such as the NERC (North American Electric Reliability Corporation) critical infrastructure protection standards can also help utilities figure out where they need to improve first, and how they can build on that.”

“Almost all successful attacks rely on negligence, user error or oversight gaps,” says Peterson. “Utilities can mitigate these by sticking to best practice access control policies and concepts. Cybersecurity strategies should follow an incremental approach — initially aiming at high-impact, low-cost steps. Identify assets and start with segmentation and zero-trust policy controls based on workflows or functions. This isn’t as daunting as it sounds. We now have technologies designed with the unique challenges of ICS networks in mind.”

“Utilities should focus on three things,” says Guinn. “First, threat intelligence. The better you know where attacks are coming from, the better you can prepare for them. Second, testing. Conduct ongoing exercises simulating potential attackers. It’s the only way to identify vulnerabilities. Third, threat hunting — actively searching networks to identify security threats. Do those three well, and you’ll be a step ahead.”

Featured in this article:

Join thousands of industry peers who receive utility construction industry news and trends each week. Subscribe to The Utility Expo Newsletter