How Utilities Can Mitigate Cyberthreats

Digitalization is propelling utilities into a new world of technology adoption – and opening them up to new threats. Huge growth in the electrification of industry, green energy goals and evolving customer demands are pushing utilities to build a new level of resilience by leveraging IoT and machine learning for greater visibility and streamlined operations. Though effective, adding new technology layers and digital tools also widens utilities’ attack surface, making grids more vulnerable to cyberthreats.

Cyberattacks against power grids can have a devastating impact on millions of people and businesses. In 2019, more than a dozen U.S. utilities operating across 18 states were targeted when adversaries attempted to install malware on computers via phishing attempts. In the summer of 2020, the FBI put out a warning to the energy sector, noting a new hacking threat from the Russian group known as APT28, or Fancy Bear, which has used a wide range of approaches to disrupt industrial operations. These campaigns are part of a wider trend signaling that, regardless of size, utilities remain a top target for hackers.

The threat is only growing as utilities continue to digitalize. Utilities need to understand the risks at hand, how to mitigate them and what they mean for the entire business operation.

Understanding the Threats at Hand

Global cybercrime is expected to grow by 15% each year over the next five years, costing businesses $10.5 trillion annually by 2025. With the number of attacks growing, utilities need to step up their game to get ahead of incoming risks.

Distributed denial-of-service, or DDoS attacks, are the most common attacks against utilities. A DDoS attack is a malicious attempt to disrupt a server or network by overwhelming the target with a flood of internet traffic. These attacks are particularly harmful when targeting the grid because, when carried out successfully, even a minor disruption or a small increase in latency can impact essential services across the country. And these attacks are growing. NETSCOUT uncovered 1,780 DDoS attacks against utilities worldwide between June 15 and Aug. 21, 2020, representing a 595% year-over-year increase from 2019.

Ransomware also remains a top threat to utilities. This type of malware prevents users from accessing their systems and demands a ransom payment to regain access. There has been a slew of ransomware attacks in the last year alone, with research finding that the COVID-19 pandemic sparked a 72% growth in ransomware attacks over that period.

One example is the infamous NotPetya cyberattacks carried out against Russian utilities in 2017. In a series of attacks, adversaries targeted multiple Ukrainian government agencies, energy companies and transportation infrastructure. Specifically, the attacks highlighted the severe risks ransomware poses to unsecured operational technologies (OT), which are a top target for hackers, as organizations often don’t update or apply security patches as often as they would for their IT systems.

When companies are victimized by ransomware, they need to be strategic in communicating with hackers. If they pay the ransom, they may only be encouraging future ransomware demands. They also may risk violating OFAC regulations, which warn that companies that facilitate ransomware payments to threat actors may face serious fines. These regulations have been put in place to encourage businesses to take the proper steps and enlist the help of law enforcement to determine the identity of threat actors who are demanding the ransom.

Whatever the attack, utilities must alert their workers, clients and customers in a timely fashion. To remain in compliance with data privacy laws like GDPR and CCPA, utilities must disclose the type of data stolen and how much, so their stakeholders are aware if they have any exposure because of the compromised data.

Utility operations span countless sites and facilities where valuable data and insights into industrial infrastructure are stored, and a breach at any of them can deliver a devastating blow. The U.S. government considers utilities an enabling function for society today, as “… their incapacitation or destruction would have a debilitating effect on security, national economic security, (and) national public health or safety.” Utilities are also considered critical infrastructure, because in the event of an attack, a multitude of dependent systems, such as transportation lines or water access, can be impacted. This can leave businesses, homes and individuals across the country displaced and vulnerable.

Back to the Basics: Minimizing the Attack Surface

While mitigating risks like ransomware or DDoS attacks may sound overwhelming, it often begins with simply patching systems regularly. In 2019, 60% of data breaches were caused by an “unpatched known vulnerability where the patch was not applied.” Patching can help combat a multitude of attacks, and should be the first step in every utility’s security program.

Beyond good digital hygiene, there is also a human element to ensuring strong cybersecurity practices. A lot of malware attacks start with a single human error. This could be employees using an infected USB, leaving a browser window open when testing a system or clicking on a malicious link in a phishing email. These errors skyrocket when organizations introduce new digital technologies. For example, 95% of cloud breaches occur due to human errors such as configuration mistakes.

The human component is often the hardest to manage and govern. Employees need consistent, recurring awareness training to ensure security protocols are always top of mind. To do this, utilities should first establish a security awareness team and formalize a full program around security best practices. This program should instruct everyone from on-site workers to in-office employees about proper security protocols, like regularly updating computer software or avoiding suspicious links in emails from unknown senders.

This team should be responsible for issuing regular practice assessments to check how utility operations personnel are implementing security best practices. This security training should be incorporated in the onboarding process for any new employee, as well as any promotions of current utility operators, to ensure they are aware of the latest threats affecting their jobs.

Fostering an Industrial Cyber Community

As they continue to digitalize, utilities need to shift their mindset by engaging with industry peers to spread awareness of the threats at hand.

For example, utilities should regularly connect with entities like the North American Electric Reliability Corporation (NERC), a nonprofit developing reliability and security standards for the grid. The organization hosts GridEx, a distributed grid exercise allowing participants to engage in simulated cyberattacks on the electrical grid. The exercise presents utility workers with the opportunity to demonstrate how they would respond to a cyber threat. It also creates a wider network for the industrial sector to discuss potential risks and the ways to mitigate them.

Utilities are using digital transformation to build resilience, but with new technology come new threats. These threats against utilities continue to grow, placing the industrial sector in a very vulnerable position. While these threats may seem overwhelming and extremely alarming, the majority of risk can be addressed with a “back to basics” approach, prioritizing patching and anti-malware updates. Security should be integrated into every part of the business operation – from desk to field to factory work – and baked into every new digital plan and investment from the beginning, so that it is present at every stage.

David Goddard

Dave Goddard is head of digitization at Hitachi ABB Power Grids.