With Critical Infrastructure Security, Don’t Let Your Guard Down
Cybersecurity of critical energy infrastructure is a growing concern as the industry undergoes a significant overhaul, with grids, power, water and gas becoming increasingly smart and automated. For utility companies, the consequences of inadequate cyber security include service and grid outages affecting thousands of customers, if not more. The "fourth industrial revolution" demands major changes in the utilities sector's technology deployments.
As awareness of this trend grows, federal governments insist that measures be enacted not just by companies that own and operate public utilities, but also by local and federal regulators tasked with ensuring the safety and reliability of critical services. Repeated attacks on Ukraine's infrastructure over a number of years demonstrated to a global audience how attackers were able to gain access to ICS networks using multiple tactics, from malware to phishing. Now in 2018, the list of countries that have fallen victim to similar incidents has grown. Because of these factors, many federal and regional agencies have updated cybersecurity standards for power and electric utilities, a proactive effort to combat cyber crime.
- Transformative Initiatives - Decentralization (distribution and generation), automation and digitization enable unprecedented system-wide visibility and control for utilities operators, but open a myriad of entry points for hackers to exploit.
- Mobility - Vehicle to infrastructure communications require vehicles to communicate with the power grid, widely expanding the attack surface.
- Distribution - The shift toward incorporating more distributed energy resources in the last decade, and toward an "energy cloud" fed by varied generators such as wind, solar, tidal, nuclear, coal and gas, creates many points of entry, expanding vulnerabilities within the grid.
- Smart Metering - Power distributors are moving to this more efficient pay-as-you-use model, with meters installed in almost any location that uses power - home, business or other. Each meter is a network-connected endpoint in an uncontrolled location, and together they greatly increase the attack surface.
The challenges of this systemic transition - disruptive technologies creating multiple new entry points - show how difficult it is for utility companies to secure themselves thoroughly. As a result, the industry is forecast to increase its spending from $1.8 billion in 2017 to nearly $3.2 billion by 2026 to protect energy systems against cyber-attacks.
Whatever you do, don’t stop modernization - IT and OT infrastructure
Integrating IT and OT, two previously segregated systems, may increase cyber security risk, but the continued modernization of these technologies makes a better cyber security posture possible. As technology and market factors make it unrealistic to keep IT and OT separated going forward, the most vulnerable entry points remain the endpoints - router ports, workstations, integrated access devices (IADs) - because they are often overlooked and left unsecured. Threats aimed at utilities typically take one of three paths: from the IT network toward the OT network, from the OT network toward the IT network, or through the communications layer in between.
Threats coming from the IT towards the OT
An instance that took the path from IT to OT occurred in the 2015 attack on Ukrainian distribution utilities, where attackers used stolen credentials and the access they granted to take control of operators' workstations, then used that access to freeze control panels, disrupt SCADA and control stations, and flood the customer call center so outage calls could not get through.
Man-in-the-Middle attacks
Breaches and operational disruption can also be caused by physically "tapping" the optical, wireless and copper communications infrastructure, or by otherwise inserting an attacker on the path between a control center and a substation. (The Equifax breach sometimes cited as an example of this was not a tap: it resulted from an unpatched web application vulnerability.) Tapping attacks are countered by encrypting and authenticating traffic at the appropriate layer, from Layer 1 optical encryption through Layer 2 and 3 link and network encryption up to Layer 7 application protocols; encryption alone hides the traffic, but it is the authentication and integrity protection that stops an on-path attacker from injecting or altering control commands.
Threats coming from inside the OT
A notable attack that fits this path affected the transportation arm of a major metropolitan city. In this case, malware spread to the agency's ticket kiosks at the operational stations, disrupting fare collection for more than 24 hours and raising the concern that it could reach the systems controlling traffic on the network itself. Attacks of this kind often use malware or worms that no signature-based tool has seen before (and, when they exploit a previously unknown vulnerability, are called zero-day attacks), so signatures are of little help against them. The best response is protocol-aware SCADA deep packet inspection (DPI) or anomaly detection: tools that know which hosts are allowed to talk to which controllers, with which function codes, and flag anything outside that baseline.
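The following is an added example, not code from the original article or from any vendor's product, of what a SCADA-aware DPI or anomaly-detection check does in practice. It parses Modbus/TCP requests, learns a baseline of (source, destination, unit id, function code) tuples from known-good traffic, and then alerts on unbaselined flows, on writes to unexpected registers or with out-of-range values, and on diagnostic sub-functions that change device behaviour. The IP addresses, register layout, write limits and captured frames are all constructed for the example; the Modbus framing and function codes follow the Modbus/TCP specification.

```python
"""Protocol-aware Modbus/TCP allowlisting and anomaly checks (added example)."""
import struct
from typing import Dict, Iterator, List, NamedTuple, Set, Tuple


class Frame(NamedTuple):
    src: str     # source IP, supplied by the capture layer
    dst: str     # destination IP
    unit: int    # Modbus unit (slave) identifier
    func: int    # Modbus function code
    data: bytes  # PDU bytes after the function code


WRITE_FUNCS = {5, 6, 15, 16}                 # write coil(s) / register(s)
# Diagnostics (func 8) sub-functions that alter device behaviour:
# 0x0001 restart communications, 0x0004 force listen-only mode.
DISRUPTIVE_DIAG_SUBFUNCS = {0x0001, 0x0004}
FlowKey = Tuple[str, str, int, int]


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> Frame:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    _tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto_id}")
    if length != len(payload) - 6:           # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return Frame(src, dst, unit, payload[7], payload[8:])


def decode_writes(frame: Frame) -> Iterator[Tuple[int, int]]:
    """Yield (address, value) pairs that a write request would apply."""
    d = frame.data
    if frame.func == 5:                      # write single coil: 0xFF00 = on
        addr, value = struct.unpack(">HH", d[:4])
        yield addr, 1 if value == 0xFF00 else 0
    elif frame.func == 6:                    # write single register
        yield struct.unpack(">HH", d[:4])
    elif frame.func == 16:                   # write multiple registers
        addr, qty, byte_count = struct.unpack(">HHB", d[:5])
        if byte_count != 2 * qty or len(d) < 5 + byte_count:
            raise ValueError("malformed write-multiple-registers request")
        for i, value in enumerate(struct.unpack(f">{qty}H", d[5:5 + byte_count])):
            yield addr + i, value
    elif frame.func == 15:                   # write multiple coils, bit-packed LSB first
        addr, qty, byte_count = struct.unpack(">HHB", d[:5])
        bits = int.from_bytes(d[5:5 + byte_count], "little")
        for i in range(qty):
            yield addr + i, (bits >> i) & 1


def learn_baseline(frames) -> Set[FlowKey]:
    """Learning mode: record every flow tuple seen in known-good traffic."""
    return {(f.src, f.dst, f.unit, f.func) for f in frames}


def inspect(frame: Frame, baseline: Set[FlowKey],
            write_limits: Dict[int, Tuple[int, int]]) -> List[str]:
    """Return the list of alerts raised by one frame (empty when it looks normal)."""
    alerts = []
    if (frame.src, frame.dst, frame.unit, frame.func) not in baseline:
        alerts.append(f"unbaselined flow {frame.src}->{frame.dst} "
                      f"unit {frame.unit} func {frame.func}")
    if frame.func in WRITE_FUNCS:
        for addr, value in decode_writes(frame):
            if addr not in write_limits:
                alerts.append(f"write to unexpected address {addr} from {frame.src}")
            else:
                lo, hi = write_limits[addr]
                if not lo <= value <= hi:
                    alerts.append(f"out-of-range write {value} to address {addr} "
                                  f"(allowed {lo}..{hi}) from {frame.src}")
    elif frame.func == 8 and len(frame.data) >= 2:
        sub = struct.unpack(">H", frame.data[:2])[0]
        if sub in DISRUPTIVE_DIAG_SUBFUNCS:
            alerts.append(f"disruptive diagnostics sub-function 0x{sub:04x} from {frame.src}")
    return alerts


# Constructed topology: an OT HMI, an engineering workstation on the IT subnet, a PLC.
HMI, EWS_IT, PLC = "10.10.1.5", "192.168.50.33", "10.10.2.20"


def mbap(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Wrap a PDU in an MBAP header (used only to build the constructed frames)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed known-good traffic: HMI polls holding registers 0..9 and writes setpoint register 16.
GOOD = [
    parse_modbus_tcp(HMI, PLC, mbap(1, bytes([3, 0x00, 0x00, 0x00, 0x0A]))),
    parse_modbus_tcp(HMI, PLC, mbap(1, bytes([6, 0x00, 0x10, 0x00, 0x32]))),   # setpoint = 50
]
WRITE_LIMITS = {0x0010: (0, 100)}            # register 16 is the only writable one, range 0..100

# Constructed suspect traffic.
SUSPECT = {
    "it_host_write": parse_modbus_tcp(EWS_IT, PLC, mbap(1, bytes([6, 0x00, 0x10, 0x00, 0x32]))),
    "out_of_range":  parse_modbus_tcp(HMI, PLC, mbap(1, bytes([6, 0x00, 0x10, 0xFF, 0xFF]))),
    "listen_only":   parse_modbus_tcp(HMI, PLC, mbap(1, bytes([8, 0x00, 0x04, 0x00, 0x00]))),
    "multi_write":   parse_modbus_tcp(HMI, PLC, mbap(
        1, bytes([16, 0x00, 0x10, 0x00, 0x02, 0x04, 0x00, 0x28, 0x00, 0x01]))),
}


def run_demo() -> Dict[str, List[str]]:
    """Learn from GOOD, then inspect each SUSPECT frame; returns alerts per frame."""
    baseline = learn_baseline(GOOD)
    return {name: inspect(f, baseline, WRITE_LIMITS) for name, f in SUSPECT.items()}


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, "->", alerts or "ok")
```

In this run the write from the IT-subnet workstation is flagged even though its value is legitimate, because that host never appeared in the baseline; the HMI's out-of-range setpoint is flagged on value alone; the "force listen-only mode" diagnostic is flagged twice (unbaselined function code and disruptive sub-function); and the multi-register write is flagged for touching register 17. A real deployment would feed frames from a span port or tap rather than constructed byte strings, and would tie the baseline to change-control windows so that legitimate engineering work does not become a stream of alerts.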
The solution is secure, but not simple
As utilities discover they have already been targeted or attacked, they are racing to implement regulatory recommendations strategically developed based on past threats and attacks. Nevertheless, these security precautions, however necessary, involve expensive and sophisticated tools, services and policies, demanding long-term budget planning and allocation.
A healthy cyber security approach isn't limited to one or a few parts of the company, such as the IT department, and adherence to the standards, rules and practices the company adopts must flow both top-down and bottom-up. Your security solution must complement all current security measures, and it will ultimately fail without company-wide awareness and implementation of practices and procedures.
To protect OT, you should use your communications layer - the highway all services and applications run along - to more easily secure networks and systems. Since this layer connects the utility company network to the outside world, it’s the most vulnerable to, and most often used for, attacks by cyber criminals. At the same time, it’s a part of the network that cyber security solutions providers often overlook.
A reliable solution, therefore, must protect on a constant basis from threat actors attempting to carry out a variety of attacks, such as those originating from IT and aimed at the OT; originating in the OT and targeting networks affecting SCADA; or attacks where the hacker infiltrates the fiber network.
Unique Utilities Need Unique Solutions
Utilities have a steep learning curve when it comes to cyber security and have learned some crucial lessons in recent years. One of the most important findings is that cyber-attacks are increasingly executed not by individuals or small groups, but by governments and large entities or “state actors,” who deploy massive resources and skills to be successful, with critical infrastructure as a major target.
They are also learning that cyber-attacks are not exclusive to the newer IP and TCP/IP-based infrastructure, but have also happened in legacy infrastructure that was "considered secure", including TDM, SDH, SONET and older SCADA and PLC systems. A short search of the dark web will turn up hacker tools for use against all types of devices, legacy and next generation alike.
As a result of recent regulations, most utilities now perform routine threat analysis scenarios and consultations, as well as intensive staff training on data and cyber security practices, using the regulatory recommendations as a framework. Based on the outcomes of the threat analyses, new cyber security elements are introduced in both the IT and the OT networks and systems, such as SCADA-aware firewalls, access control systems, smart CCTV systems, detection and prevention tools, new policies, and encryption of sensitive data and connections.
Many in the utilities sector may never have imagined that cyber security would become one of the major concerns and important investments of the 21st century. But as the industry changes key aspects of its technological foundation, and vulnerabilities multiply accordingly, a whole new world of cyber crime opens up to critical energy infrastructure. It is essential to the ongoing success of utility companies that they invest in a comprehensive cyber security approach that protects the communications layer and is backed by complementary physical security measures.