Cybersecurity concerns remain one of the fastest growing threats facing society, and an even greater concern for those tasked with enterprise risk management. Critical infrastructure is of particular interest to many bad actors in this space, from those looking for a quick payday to terrorists and even state-sponsored espionage groups. Public utilities, in particular, face a unique set of cyber threats.
Cybersecurity in the Utilities Industry
So why is cybersecurity so different in the utilities industry? There are several reasons, but the two biggest are the attractiveness of the targets utilities present to many different attackers and the large attack surface that results from the nature of their business. Three major groups are of significant concern to the cybersecurity and risk management professionals charged with securing the public utility sector:
- Nation-state espionage: focused on disrupting or damaging infrastructural and other societal targets
- Fraud-based cybercriminals: exploiting the same societal impact for purely financial gain
- Hacktivists: terrorist groups making political statements by targeting specific types of utility companies, such as those dealing in fossil fuels
As technology continues to advance and industrial operations become ever more reliant on it, the attack surface continues to broaden. Operational technology has expanded to include industrial control systems, smart meters on businesses and residences, and more, while IT holds responsibility for securing data on employees, customers, and the business in general, as well as payment processing and network security.
Governmental utility boards have shown a reluctance to approve rate increases without specific details on spending, and the expense of upgrading systems and protecting them from cyber-attacks can be substantial. There is also the fact that many municipalities in the United States provide utility services in place of larger private corporations; they are woefully under-prepared to face this growing threat and frequently lack the subject matter experts needed to do the cybersecurity work in the first place.
Cyber Attack Successes in the Energy Sector
In 2015, a Ukrainian electrical supplier had its systems remotely hacked, cutting power to nearly a quarter of a million people. Independent analysis of the intrusion showed that access to the utility was gained through its OT systems. This was the first confirmed case of an OT system compromise in a country's critical infrastructure.
In 2017, Symantec revealed that 20 energy providers had been the subject of cyber attacks that successfully breached their networks. In 5 of those instances, the attackers gained control over the physical operations capabilities of those providers. No power outages or damage were reported from the attacks where control was gained; however, the potential consequences of such access are severe. The attackers proved that, even with cybersecurity at the forefront of the minds of both government and utility owners and operators, massive vulnerabilities remained.
In 2021, cybercriminals used the DarkSide ransomware to attack the Colonial Pipeline Company, which resulted in the precautionary shutdown of the Colonial Pipeline for 6 days. The company eventually paid the ransom to regain access to its systems, but the incident illustrates the difficult nature of cybersecurity within the energy sector. Corporations rely on many third parties, often spread across a wide geographical area, to obtain, transport, refine, process, and deliver fuels and energy to customers. A single disruption along that chain can have devastating effects on a region's power grid.
Using Lessons Learned
Looking at other high-risk industries such as banking and government, we can extrapolate and adopt best practices to apply within the public utility space. Critical infrastructure is critical for a reason, and attackers with many different goals can target any weak link in the supply chain with significant impact. Lessons learned from protecting similar high-risk targets show some of the best ways forward for the energy sector.
Cultivate Intelligence on Actors and Threats
We must move beyond thinking of risk management and cybersecurity in the utilities industry as a purely defensive, reactive posture. The sheer variety of potential threats across such a large attack surface means that executives must foster a proactive, intelligence-driven cybersecurity approach to have the best chance of thwarting inbound attacks. This includes actively monitoring attack trends, potential attackers, and increases in attack chatter.
Reduce Gaps in Awareness
Increasing communication across all silos of your enterprise, and creating a culture with easily accessible avenues for reporting security vulnerabilities or developing incidents, is a major step towards reducing the gaps in your awareness. Cybersecurity and cyber risk management should not be solely the purview of IT or risk management personnel but a concern at the forefront of the best minds in your organization across all areas of responsibility.
Industry-wide Collaborative Efforts
Continuing with the communication theme, the entire utility industry is best protected when natural gas companies, power companies, and other critical infrastructure owners and operators work together to share information on cyber threats. While competition is the hallmark of a prospering economy, protecting the security of the power grid goes beyond the bounds of corporate secrecy and is in the best interests of everyone within the sector.
Key Steps to Better Secure Our Energy Sector
The U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has developed several cybersecurity preparedness programs to further the partnership between the private energy sector and the government. This approach is critical to improving standards for cybersecurity in the utilities industry and provides a starting point for all utilities to find some key best practices to incorporate into their risk management procedures.
Cyber Risk Information Sharing
The DOE's Cybersecurity Risk Information Sharing Program (CRISP) goes a step further than the industry-wide information sharing recommended above. CRISP is funded jointly by the government and industry partners, and its purpose is to further the sharing of classified and unclassified threat information affecting the sector.
Another goal is to develop and disseminate assessment tools to further the protection of this critical infrastructure. Currently, CRISP members account for 75% of the total energy providers in the U.S., and if your enterprise isn't one of them, joining is something you should seriously consider.
Risk Analysis Guidelines and Tools
Another brainchild of the DOE and CESER is the Cybersecurity Capability Maturity Model. All providers should already be familiar with the applicable NIST framework for reducing cybersecurity vulnerability in the energy sector, and this model pairs directly with that framework. Evaluating your risk assessment tools and their effectiveness against the model's guidelines demonstrates due diligence in mitigating this significant threat profile.
A major benefit of this model is that it is not limited to the energy sector. CESER has developed and released industry-specific models for both the oil and natural gas sectors, along with a generic cybersecurity model.
Apply the Cybersecurity Risk Management Process
While this tip deals specifically with the electricity generation and distribution subsector, its principles can be adapted to any industry within the public utility domain with a little creativity. NIST, DOE, and the North American Electric Reliability Corporation jointly developed the Risk Management Program guideline on the premise that cybersecurity risk mitigation is a central component of organizational success. The program ensures that sound decision-making is followed to allocate resources appropriately to secure operational technology, mitigate risk, and respond effectively to detected cyber risks and incidents.
Upgrade or Better Secure Industrial Control Systems
A significant portion of the U.S. power grid relies on generation fuelled by natural gas. Many of the industrial control systems in use were manufactured and deployed decades ago, and they simply are not capable of continuous monitoring for inbound threats and other vulnerabilities. Purchasing and deploying listen-only devices to monitor for these threats is an effective way to limit that exposure, as long as personnel actively watch what those devices report. Upgrades should be seriously considered whenever possible for the most vulnerable control systems.
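To make the listen-only approach concrete, here is an added example of what a passive monitor for a legacy control network does; it is not code from this article or from Venture Lynk, and it assumes Modbus/TCP traffic on port 502, a baseline of two permitted master hosts (one read-only HMI and one engineering workstation allowed to write), and a handful of constructed frames standing in for a packet capture. The monitor never sends anything onto the control network: it only parses what it sees, compares each frame against the baseline, and raises alerts for unknown hosts, writes from hosts not authorised to write, and malformed frames.

```python
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
# Function codes that change process state (writes); 1-4 are reads.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


@dataclass(frozen=True)
class Frame:
    """One captured TCP segment carrying a Modbus/TCP application payload."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    src_ip: str
    dst_ip: str
    function_code: int  # -1 when the frame could not be parsed


def build_frame(src_ip, dst_ip, unit_id, function_code, data, protocol_id=0, dst_port=MODBUS_PORT):
    """Assemble an MBAP header + PDU. Used here only to construct sample traffic."""
    length = 2 + len(data)  # unit id + function code + data, per the MBAP length field
    mbap = struct.pack(">HHHB", 1, protocol_id, length, unit_id)
    return Frame(src_ip, dst_ip, dst_port, mbap + bytes([function_code]) + data)


def parse_modbus_tcp(payload):
    """Return (unit_id, function_code, data), or None if the frame is malformed.
    MBAP header: transaction id (2), protocol id (2, must be 0), length (2), unit id (1)."""
    if len(payload) < 8:
        return None
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, payload[7], payload[8:]


def analyze(frames, permitted_masters, permitted_writers):
    """Passive rule check: only known hosts may talk Modbus, and only engineering hosts may write."""
    alerts = []
    for frame in frames:
        if frame.dst_port != MODBUS_PORT:
            continue  # not Modbus/TCP; outside this monitor's scope
        parsed = parse_modbus_tcp(frame.payload)
        if parsed is None:
            alerts.append(Alert("medium", "malformed Modbus/TCP frame", frame.src_ip, frame.dst_ip, -1))
            continue
        _unit_id, fc, _data = parsed
        name = FUNCTION_NAMES.get(fc, f"function {fc}")
        if frame.src_ip not in permitted_masters:
            alerts.append(Alert("high", f"unknown host issued {name}", frame.src_ip, frame.dst_ip, fc))
            continue
        if fc in WRITE_FUNCTION_CODES and frame.src_ip not in permitted_writers:
            alerts.append(Alert("high", f"{name} from a read-only host", frame.src_ip, frame.dst_ip, fc))
    return alerts


# Constructed baseline (assumption): the HMI may read, the engineering workstation may also write.
PERMITTED_MASTERS = {"10.10.1.5", "10.10.1.6"}
PERMITTED_WRITERS = {"10.10.1.6"}

# Constructed sample capture, not real traffic.
SAMPLE_FRAMES = [
    build_frame("10.10.1.5", "10.10.2.20", 1, 3, struct.pack(">HH", 0, 10)),      # HMI reads 10 registers: fine
    build_frame("10.10.1.6", "10.10.2.20", 1, 6, struct.pack(">HH", 100, 1234)),  # engineering write: fine
    build_frame("10.10.1.5", "10.10.2.20", 1, 5, struct.pack(">HH", 7, 0xFF00)),  # HMI writes a coil: alert
    build_frame("10.10.9.99", "10.10.2.21", 1, 16, struct.pack(">HHB", 200, 1, 2) + b"\x00\x01"),  # unknown host: alert
    build_frame("10.10.1.6", "10.10.2.20", 1, 3, struct.pack(">HH", 0, 1), protocol_id=1),  # bad protocol id: alert
    build_frame("10.10.1.5", "10.10.2.20", 1, 3, struct.pack(">HH", 0, 1), dst_port=80),    # not Modbus: ignored
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES, PERMITTED_MASTERS, PERMITTED_WRITERS):
        print(f"[{alert.severity}] {alert.src_ip} -> {alert.dst_ip}: {alert.reason}")
```

Run against the constructed capture, the monitor raises three alerts: the HMI issuing a coil write, an unknown host writing multiple registers, and a frame with a bad protocol identifier. The baseline sets are the part that has to be maintained by people; a passive device only pays off, as the article notes, when someone actually reviews what it flags and keeps the list of permitted hosts current as engineering workstations change.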
As more modern generation techniques are put into place, such as wind turbine farms and solar fields, the control systems used tend to be inherently more modern, but the utility companies operating them are often not the large, experienced energy corporations with a solid grasp of cybersecurity fundamentals. Newer, smaller enterprises with much tighter profit margins may be tempted to skimp on cybersecurity protections as a cost-saving measure, which leaves them open to bad actors.
Whether you are a proven leader in the public utility field or a green energy start-up, Venture Lynk Risk Management can provide you with various risk management services. From vendor risk assessments to vendor cybersecurity reports and even active daily cyber risk monitoring, our team of cybersecurity subject matter experts can develop a custom plan for your specific circumstances.