Critical infrastructures have faced a barrage of cyberthreats in recent years, and operators now recognize that future attacks are a matter of 'if' rather than 'when'. According to a Siemens and the Ponemon Institute utility survey in 2019, 56% of the utilities network operators worldwide, reported at least one shutdown or operational data loss per year and 54% expected an attack in the coming year, too. All types of utilities are vulnerable to these threats. While recent large-scale hacks have targeted water plants like the one in Oldsmar, Florida and the Metropolitan Water District of Southern California, and oil infrastructures like the Colonial Pipeline, electric utilities have taken a big hit, too: up to a quarter of North American electric utilities were affected by the massive SolarWinds hack from last year, according to the North American Electric Reliability Corp (NERC), a non-profit industry regulator.
Threat Origins and Opportunities
Given the potential devastation that a downed grid can cause, it’s easy to see why hackers are inclined to attack electrical utilities. “Everything goes down if you don’t have power: the financial sector, refineries, water,” said Christopher Painter, formerly the Obama administration’s highest ranking cyber official. “The grid underlies the rest of the country’s critical infrastructure.” These threats can originate from outsiders or supply chain sources, but insider attacks can be particularly pernicious because many utilities still deploy perimeter-based security postures that grant automatic authentication to insiders. This sort of implicit trust is a major vulnerability, especially as the IT/OT convergence proliferates and remote insider access to devices expands.
While the recent IT connectivity of both legacy and newly introduced OT devices like smart meters has streamlined operations for electric utilities, there is a downside to deploying so many networked devices: each connected device represents another potential target for cybercriminals intent on intrusion, persistence, and manipulation of the systems to which the devices belong. In fact, the IBM X-Force Threat Intelligence Report Index 2020 reported a staggering 2000 percent increase in incidents targeting OT environments. With this in mind, decision makers for electric utilities are likely wondering what can be done to protect their systems.
What Can Be Done to Safeguard Electrical Utility Systems?
On a practical level, utilities must future-proof their vulnerable IoT and IIoT devices such as smart meters and control systems with Zero Trust device-level protection that can prevent unauthorized modification to critical code and data, thereby preventing persistency. Zero Trust is a security philosophy built on the idea that organizations must not automatically trust anyone or anything at all, addressing and eliminating the implicit trust that perimeter-based postures used to grant.
Under a Zero Trust approach, all users, even those inside the organization’s enterprise network, to be authenticated, authorized, and continuously validating security configuration and posture, before being granted access to applications and data. One way of implementing a Zero Trust approach in practice is to introduce an embedded gatekeeper into each edge device’s memory that will prevent outsider, insider, and supply chain threats by automatically rejecting all changes unauthenticated by a trusted external server. This sort of device-level Zero Trust for critical infrastructure control systems will protect electricity utilities from attacks like the Colonial Pipeline incident.
Governments are recognizing this, and following a recent memo on the subject from US President Joe Biden, over 150 electricity utilities have signed on to deploy new security technologies for their control systems. Smaller electricity utilities who may not have scaled their cybersecurity spend yet would be wise to follow suit, as they are more vulnerable than larger, more sprawling power providers with significant resources at their disposal. This rural Alabama electric utility hit with a ransomware attack in early July 2021 is a useful example of this kind of smaller scale target, as is the Oldsmar water plant.
Conclusion
As a result of the IT/OT convergence, lagging security upgrades, insufficient authorization protocols, and a vast (albeit variable) potential for damage or financial gain, electric utilities will remain increasingly vulnerable to sophisticated cyberattacks. To protect their businesses, reputations, and communities, these utilities must enact measures to preserve business continuity if and when they are attacked, an ever-evolving process that begins by embracing a Zero Trust attitude.
