Why ‘secure’ isn’t secure enough in the utilities sector
Cybersecurity of critical energy infrastructure is a growing concern because the industry is in the middle of a significant overhaul as grids, power, water and gas systems become increasingly smart and automated. For utility companies, the consequences of inadequate cybersecurity include service and grid outages affecting thousands of customers or more. The "fourth industrial revolution," if you will, demands major changes in the utilities sector's technology deployments.
As awareness of this trend grows, governments are demanding measures not just from the companies that own and operate public utilities, but also from the local, state and federal regulators tasked with ensuring the safety and reliability of critical services. Against this background, in early 2016 the Federal Energy Regulatory Commission (FERC) approved a revised set of Critical Infrastructure Protection (CIP) cybersecurity standards for U.S. electric utilities, a proactive effort to raise the sector's security baseline before attackers force the issue.
Vulnerabilities abound
Transformative Initiatives – Decentralization (of distribution and generation), automation and digitization give utility operators unprecedented system-wide visibility and control, but each remotely reachable controller, gateway and management interface is also a new entry point for an attacker.
Mobility – Vehicle-to-infrastructure communications require vehicles to exchange data with the power grid, widely expanding the attack surface to devices the utility does not own or manage.
Distribution – The shift over the last decade towards distributed energy resources, and towards an "energy cloud" fed by many generators of varying size (wind, solar and tidal alongside nuclear, coal and gas plants), creates many more points of entry into grid control and market systems.
Smart Metering – Power distributors are moving to a more efficient pay-as-you-use model whose meters can be installed in nearly any location that uses power: homes, businesses or other premises. Every meter is a network-connected device on the customer's premises, so millions of them multiply the attack surface accordingly.
The challenges of this systemic transition, with disruptive technologies creating multiple new entry points, show how difficult it is for utility companies to secure themselves thoroughly. As a result, by the end of 2017 the industry is forecast to invest $1B-$7B in protecting energy systems against cyber-attacks.
Whatever you do, don’t stop modernization – IT and OT infrastructure
Integrating information technology (IT) and operational technology (OT), two previously segregated systems, may increase cybersecurity risk, but continued modernization of these technologies is also what makes a better security posture possible: legacy OT equipment often cannot be patched, authenticated or monitored at all. Technology and market factors make it unrealistic to keep IT and OT fully separated going forward, and the most vulnerable entry points remain the endpoints (router ports, workstations, integrated access devices) because they are often overlooked and left unsecured. Threats aimed at utilities typically follow one of three paths: from the IT network into the OT network, from inside the OT network outwards, or in the communications layer between the two.
Threats coming from the IT towards the OT
An attack that took the path from IT to OT was the December 2015 attack on distribution utilities in Ukraine, where attackers used stolen credentials to take remote control of operators' workstations and their access rights, locked operators out of their control panels, disrupted the Supervisory Control and Data Acquisition (SCADA) systems and control stations, flooded the utilities' call centers so that customers could not report the outage, and more.
Man-in-the-Middle attacks
Breaches and operational disruptions can be caused by physically "tapping" the optical, wireless or copper communications infrastructure and reading or altering the traffic in transit. The 2017 Equifax breach is sometimes cited as an example, but it was not a tapping attack: the attackers exploited an unpatched vulnerability in the Apache Struts framework behind a public-facing web application, and roughly 145 million consumers' credit and personal data were exposed. What a tap does give an attacker on most utility networks is plaintext: legacy SCADA protocols such as Modbus and DNP3 carry commands and measurements with no encryption or authentication, so anyone on the wire can read setpoints and inject commands. These attacks are prevented by encrypting and authenticating traffic at every layer where it crosses untrusted media, from Layer 1 up to Layer 7 (for example MACsec on links, IPsec between sites and TLS for application sessions). The authentication part matters as much as the encryption: an encrypted channel whose endpoints are not mutually authenticated can still be intercepted by an active adversary who terminates one connection and opens another.
Threats coming from inside the OT
A notable recent attack that fits this path affected the San Francisco Municipal Transportation Agency (SFMTA) in November 2016. Ransomware spread through the agency's internal systems and onto the ticket kiosks at operational stations, disrupting fare collection for more than 24 hours (the agency opened the fare gates rather than pay the ransom). The agency reported that train control and service were not affected, but a foothold on devices that sit inside the operational network is exactly the position from which an attacker would try to reach the control systems themselves. Such attacks are often described as zero-day attacks; strictly, a zero-day exploits a vulnerability unknown to the vendor, whereas the real problem here is malware or worms with no existing signature, which is why signature-based defenses miss them. The best response to this type of attack is to monitor the OT network with SCADA-aware Deep Packet Inspection or anomaly detection tools that understand the industrial protocols in use and alert on commands that the baseline does not explain, regardless of whether the malware sending them is known.
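The two points above, that plaintext SCADA traffic is readable by anyone who taps the wire and that protocol-aware inspection is what catches unknown malware issuing commands, both rest on the same thing: parsing the industrial protocol. The following is an added example, not code from the original article or from any vendor's product. It parses constructed Modbus/TCP request frames (the MBAP header and function code) and applies the simplest possible anomaly model, an allowlist of which client may send which function code to which outstation; any write outside that baseline is blocked, any read from an unlisted host raises an alert, and malformed frames are dropped. The IP addresses, unit ids and allowlist entries are hypothetical, and the captured frames are constructed by hand to match the Modbus/TCP encoding.

```python
"""Minimal Modbus/TCP deep-packet-inspection check (added example, not from the page)."""
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (coils, registers, file records).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


@dataclass
class ModbusRequest:
    src: str              # client IP the frame was seen from
    transaction_id: int
    unit_id: int          # outstation address behind the TCP gateway
    function_code: int
    data: bytes           # PDU payload after the function code


def parse_modbus_tcp(src: str, payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    # MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1)
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    # 'length' counts the unit id and the PDU, i.e. everything after the length field.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame length")
    return ModbusRequest(src, tid, unit, payload[7], payload[8:])


def describe(req: ModbusRequest) -> str:
    """Decode the address/value fields of the common write requests for the alert text."""
    fc, d = req.function_code, req.data
    if fc in (5, 6) and len(d) >= 4:          # write single coil / register
        addr, value = struct.unpack("!HH", d[:4])
        return f"FC {fc} addr={addr} value=0x{value:04x}"
    if fc in (15, 16) and len(d) >= 5:        # write multiple coils / registers
        start, count = struct.unpack("!HH", d[:4])
        return f"FC {fc} start={start} count={count}"
    return f"FC {fc}"


# Hypothetical baseline: (client IP, unit id, function code) tuples that are expected.
# In practice this is learned from normal traffic or taken from the engineering documentation.
ALLOWLIST = {
    ("10.10.1.5", 1, 3),    # HMI polls holding registers on outstation 1
    ("10.10.1.5", 1, 16),   # HMI writes setpoints on outstation 1
}


def inspect_frame(src: str, payload: bytes, allowlist=ALLOWLIST):
    """Return (verdict, reason) for one captured request: allow, alert or block."""
    try:
        req = parse_modbus_tcp(src, payload)
    except ValueError as exc:
        return "block", f"malformed frame from {src}: {exc}"
    if (src, req.unit_id, req.function_code) in allowlist:
        return "allow", f"{src} -> unit {req.unit_id}: {describe(req)}"
    if req.function_code in WRITE_FUNCTION_CODES:
        return "block", f"unexpected write from {src} to unit {req.unit_id}: {describe(req)}"
    return "alert", f"read from unlisted host {src} to unit {req.unit_id}: {describe(req)}"


# Constructed capture: (source IP, raw Modbus/TCP bytes). Not real traffic.
CAPTURE = [
    # HMI reads 10 holding registers from unit 1 (FC 3, start 0, count 10)
    ("10.10.1.5", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # HMI writes one setpoint register at address 16 (FC 16, count 1, value 0x0100)
    ("10.10.1.5", b"\x00\x02\x00\x00\x00\x09\x01\x10\x00\x10\x00\x01\x02\x01\x00"),
    # Unknown workstation forces coil 3 ON (FC 5, value 0xFF00): the malware case
    ("10.10.1.77", b"\x00\x07\x00\x00\x00\x06\x01\x05\x00\x03\xff\x00"),
    # Unknown workstation reading coils (FC 1): reconnaissance, not yet harmful
    ("10.10.1.77", b"\x00\x08\x00\x00\x00\x06\x01\x01\x00\x00\x00\x08"),
    # Length field (0x20) disagrees with the frame: malformed, drop it
    ("10.10.1.5", b"\x00\x09\x00\x00\x00\x20\x01\x03\x00\x00\x00\x0a"),
]


def run_capture(capture=CAPTURE):
    """Inspect every frame and return the list of (verdict, reason) results."""
    return [inspect_frame(src, frame) for src, frame in capture]


if __name__ == "__main__":
    for verdict, reason in run_capture():
        print(f"{verdict:5s}  {reason}")
```

The same parser, run by someone with a tap on the link, is all it takes to read setpoints out of plaintext Modbus/TCP, which is the case for encrypting and authenticating the traffic; run by a monitor, it is the core of a SCADA DPI tool, and the allowlist stands in for the baseline that a commercial anomaly-detection product would learn automatically. Note that the enforcement is on the function code and the source, not on a malware signature, so the rogue coil write is blocked whether or not the tool has ever seen the malware that sent it.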