Cybersecurity risks have become a major headache for utilities. Attacks have been escalating in intensity as well as frequency. Leaders must prioritize these key areas if they are to mitigate the risks of cyberattacks that will surely continue coming.

3 Best-Practice Initiatives to Mitigate Risks of Cyber Attacks

Robert Furr, Managing Principal | Capco

It shouldn't have been a surprise. But when the cyberattack hit Colonial Pipeline in June, the distributor of nearly one-half of the vehicle fuel used on the U.S. East Coast, it caught everyone off guard.1

Fortunately, the attack did not impede the flow of fuel for long: the company shut down its pipelines for a few days as a precautionary measure. However, Colonial had to pay a $5 million ransom just to get back its stolen data. Coming after other cyberattacks in recent years, including the shutdown of Johannesburg's electrical utility and, earlier, two hits in a year on Ukrainian utilities, it was another clear sign that utilities worldwide are being actively targeted by bad actors, some of them likely to be state-sponsored.2

The power sector has become a top target for cyber-criminals over the last decade, according to the French Institute of International Relations, a think-tank. In the U.S., there were 150 successful attacks between 2010 and 2022 that targeted systems that hold electric grid data, reported the Department of Energy.3

Utility leaders are clearly worried. Nearly two-thirds of respondents to a recent large-scale survey say sophisticated cyber-attacks are a top challenge.4 More than half, 56%, say they experience at least one shutdown or operational data loss per year, resulting in outages, equipment damage, injury, and sometimes even environmental disaster. Nearly 55% of survey respondents anticipate an attack on their critical infrastructure in the next 12 months.

It's noteworthy that cyber-criminals are targeting utilities' operational technology (OT) infrastructure, including ICS (industrial control systems), such as SCADA (supervisory control and data acquisition), smart substations, and distribution management systems. In fact, the 2022 study of cybersecurity threats by Honeywell revealed that the number of cybersecurity threats specifically targeting OT systems grew from 16% of all cyber threats against industrial systems in 2022 to 28% in 2020. Over the same time, the number of threats capable of causing major disruption to OT systems more than doubled, from 26% to 59%.4 In years gone by, OT systems were often air-gapped, or isolated, and thus more difficult to attack, but that doesn't mean utilities can ease up on securing their OT systems. Today, the lines between IT and OT are blurring fast as OT systems become more digitized.5

There are several best-practice initiatives that should be focused on to help mitigate the risks of cyber-attacks. Chiefly, the initiatives span both IT and OT, and increasingly, they must be launched and managed in integrated ways.

Better management of supplier risks

If ever there was a demonstration of vulnerability to supplier risk, it is the notorious SolarWinds hack. In late 2020, cyber-criminals, believed to be Russian operatives, infiltrated the highest levels of the U.S. government by packaging their malware inside a trusted piece of software used by SolarWinds, a top-tier government contractor.7

As electric utilities have grown in size and complexity, their reliance on increasingly specialized technology has grown as well. Installing, maintaining, and updating that technology often involves outside contractors, opening up many more vulnerabilities. Reliance on third parties is no small thing; some sources indicate that at many utilities, contract labor can make up more than half of total labor hours. Expanding supply chains widen the attack surface that utilities need to monitor and secure.

Utilities must, as a first priority, align with their nations' best-practice supplier-risk standards. In the U.S., those standards are promulgated by the North American Electric Reliability Corp. (NERC). In 2017, the NERC board signed off on a supply chain risk mitigation program in the form of proposed Reliability Standards CIP-005-6 and CIP-010-3 (Supply Chain Standards), and then in October 2020, CIP-013-1, addressing cyber security supply chain risk management issues.8,9 NERC has also approved the associated implementation plans.

In our work with electricity utilities, we have found an assortment of supply chain challenges, from multiple software vulnerabilities in suppliers' systems to suppliers' sub-standard cybersecurity practices or processes. Often, we've found that utilities lack detailed visibility into a supplier's cybersecurity practices, and it's not uncommon to observe unauthorized storage of data within third-party systems. Any of those, left undetected and unremedied, could prove to be catastrophic.

This whitepaper is meant only to provide a brief overview of the aspects of cybersecurity that need ongoing attention. It should go without saying that every supplier's data should be traceable and visible to the customer. Concurrently, utility business leaders must partner with their HR teams to create and continuously improve workshops that train all workers about the nature of cyber risks. Just one snapshot: flash drives used by non-employee workers are one of the most common vulnerabilities.

Fundamentally, utilities must reset expectations with their suppliers, developing and implementing new security protocols and writing new, strict language into contracts. It is essential to set up and enforce incentives for "good practice" along with clear penalties for violations of the new protocols. Higher insurance levels will need to be included in supplier contracts. Above all, the management of the supply chain has to be highly proactive, fully engaged, and continuous.

Improved vulnerability management

A rapidly shifting threat landscape and multiplying points of exposure mean utilities must, as a matter of urgency, rethink their vulnerability management strategies. That means moving away from reactive strategies toward a proactive, comprehensive, risk-based approach that continuously identifies, evaluates, and maps potential threats using data analytics and, in response, proposes remediation and mitigation techniques.

Vulnerability management is defined by the U.S. National Institute of Standards and Technology (NIST) as "a capability that identifies vulnerabilities on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network."10 It provides continuous centralized reports and visualizations to better assess an organization's cyber health.

An effective vulnerability management system can help protect against SQL injection and cross-site scripting (XSS) attacks, where code is input by an attacker that processes an action not intended for the original prompt's purpose. It can guard against faulty authentication systems that allow an attacker to gain unauthorized access or privileges. And it can help identify insecure configurations and standards that do not meet the organization's security policies.

The key to the success of a vulnerability management program is transitioning to a risk-based model that identifies and addresses the greatest threats. Organizations can begin building a program by taking these four steps:

  1. Identify and classify the organization's assets. This will ensure the ability to accurately measure and communicate risk to key stakeholders.

  2. Select software that fits the needs of the organization's IT and OT footprint.

  3. Determine frequency of scanning.

  4. Remediate and fix vulnerabilities. The hard work begins once the vulnerabilities have been identified and assigned risk-based scores.

It's worth noting that not all vulnerabilities discovered will require an all-hands-on-deck mitigation approach. Some may be queued for future efforts and recorded in mitigation service level agreements. Most mature software offerings integrate with existing change management tools to easily track vulnerability mitigation efforts.
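One way to carry the four steps above through to a risk-ranked, SLA-tiered work queue, as an added Python example that is not from the article or any product (the scoring weights, SLA tiers, asset inventory and placeholder vulnerability ids are all assumptions):

```python
# Risk-based vulnerability prioritization across an IT/OT asset inventory.
# Added illustration, not the article's or any vendor's code; weights, SLA
# tiers, asset records and vulnerability ids are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str            # "OT" or "IT" (step 1: classify the asset)
    criticality: int     # 1 (low) .. 5 (grid- or safety-critical)
    internet_exposed: bool

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str         # placeholder ids, not real CVE numbers
    cvss: float          # 0.0 .. 10.0 base severity reported by the scanner
    exploit_known: bool  # public exploit or active exploitation reported

# Assumed SLA policy: (minimum score, tier, days to remediate). The lowest
# tier is the queued work the article says can be recorded in mitigation SLAs.
SLA_TIERS = ((80.0, "immediate", 7), (50.0, "scheduled", 30), (0.0, "queued", 90))

def risk_score(f: Finding, a: Asset) -> float:
    """0..100: scanner severity (max 60) + asset criticality (max 25)
    + fixed bumps for internet exposure and a known exploit."""
    score = f.cvss * 6.0 + a.criticality * 5.0
    score += 10.0 if a.internet_exposed else 0.0
    score += 5.0 if f.exploit_known else 0.0
    return round(min(score, 100.0), 1)

def sla_tier(score: float) -> tuple:
    return next((tier, days) for floor, tier, days in SLA_TIERS if score >= floor)

def prioritize(assets: list, findings: list) -> list:
    """Findings sorted by risk with SLA tier attached; an unknown asset raises KeyError."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        score = risk_score(f, by_name[f.asset])
        tier, days = sla_tier(score)
        rows.append({"asset": f.asset, "vuln": f.vuln_id, "zone": by_name[f.asset].zone,
                     "score": score, "tier": tier, "sla_days": days})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample inventory and scan results
ASSETS = [Asset("scada-hmi-01", "OT", 5, False), Asset("corp-web-01", "IT", 2, True),
          Asset("hr-printer-03", "IT", 1, False)]
FINDINGS = [Finding("corp-web-01", "VULN-0002", 7.5, False),
            Finding("scada-hmi-01", "VULN-0001", 9.8, True),
            Finding("hr-printer-03", "VULN-0003", 4.3, False)]
```

The same medium-severity finding lands in different tiers depending on the asset it sits on, which is the point of scoring against the inventory rather than against the scanner output alone.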

Continuous threat detection

Utilities are in no position to rely on one-off security scans; the stakes are far too high. Cybersecurity teams have to be able to track adverse events as they are happening, not afterwards. They must ensure threat detection is a continuous and rigorous business discipline.

Continuous threat detection (CTD) is a broad term for advanced threat detection that provides an additional level of security against advanced malware and zero-day attacks. It uses advanced tools and analysis, such as source reputation, executable analysis, and threat-level protocols, in order to analyze network traffic in ways that heighten security. The idea starts with continuous visibility into the organization's systems. The underlying principle: to protect what you have, you need to know what you have, and know what it's doing.

Most CTD programs employ "sandboxing" to separate communications and commands from programs on the network so those communications and commands can be assessed for malicious intent without affecting the broader networks. By running in a virtual environment in the sandbox, a suspicious communication or command's behavior can be assessed and, if warranted, excluded from the broader network.

Unfortunately, CTD is not a strength for many utilities. Industry leaders give low ratings to their organizations' ability to achieve comprehensive and continuous visibility of digital assets. Many concede a lack of visibility with regard to OT security in particular.11 Worldwide, only 18% report using analysis of big data or AI monitoring to track operations and recognize threats.12

Yet those are exactly the kinds of tools and techniques needed to help utilities find and neutralize "sleeping" malware, for example, and detect other unknown threats. Cybersecurity teams can use advanced analytics to spot anomalies in the behavior of their assets; they can trace activity from the OT network to the IT network and vice-versa, and pinpoint gaps and unpatched systems that allowed an adversary to perhaps take control long after penetrating the system and then lying dormant.
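The OT-to-IT tracing described above can be approximated by reviewing flow records against a baseline of expected cross-zone paths, so that an OT host reaching out to the internet or an IT host reaching into the control network stands out. This Python is an added example, not the article's or any vendor's code; the zone address ranges, the baseline entry and the flow lines are constructed:

```python
# Cross-zone flow review: flag OT/IT traffic that departs from a known baseline.
# Added illustration, not the article's or any product's code. Zone ranges,
# the baseline and the flow lines below are constructed sample data.
import ipaddress
import re

OT_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed control-network range
IT_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed corporate range
# Baseline of expected cross-zone paths: (src, dst, dport). Here only the OT
# historian is expected to push data to the IT data lake over TLS.
BASELINE = {("10.10.5.10", "10.20.1.50", 443)}

FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def zone(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in OT_NET:
        return "OT"
    if addr in IT_NET:
        return "IT"
    return "EXT"

def review_flows(log_text: str) -> list:
    """Return one alert dict per flow that crosses a zone boundary outside the baseline."""
    alerts = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue   # malformed record: skip it rather than abort the review
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if (src, dst, dport) in BASELINE:
            continue
        path = (zone(src), zone(dst))
        reason = {("OT", "IT"): "ot_to_it_unbaselined",
                  ("IT", "OT"): "it_to_ot_unbaselined",
                  ("OT", "EXT"): "ot_egress_to_internet"}.get(path)
        if reason:
            alerts.append({"ts": m["ts"], "src": src, "dst": dst,
                           "dport": dport, "reason": reason})
    return alerts

# Constructed flow records (timestamp, source, destination, destination port)
SAMPLE_FLOWS = """\
2024-05-01T02:11:03Z src=10.10.5.10 dst=10.20.1.50 dport=443 proto=tcp
2024-05-01T02:11:09Z src=10.20.3.77 dst=10.10.7.21 dport=502 proto=tcp
2024-05-01T02:12:44Z src=10.10.7.21 dst=203.0.113.9 dport=443 proto=tcp
2024-05-01T02:13:01Z src=10.20.3.77 dst=10.20.3.78 dport=445 proto=tcp
this line is not a flow record
"""
```

In the sample, the baselined historian push and the IT-internal flow pass silently, while the IT-to-OT connection and the OT host's outbound internet connection each produce an alert for an analyst to trace.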

Such advanced tools can also help build the foundations of proactive mitigation and predictive attack analysis, essentially anticipating the most likely adverse events and building in protections against them.

Cyber threats confronting utilities are not going away, and the severity and impact of attacks aren't about to ease off. In a newly volatile world, well-equipped, tech-savvy nation-state actors will almost certainly intensify their assaults, and the dark web will continue to be a ready marketplace for new and low-cost ways to pinpoint and penetrate weak entry points. At a minimum, managers must recognize that there are more and more IT capabilities in the OT hardware that they are upgrading. OT-IT convergence is not going to stop.

Sources

  1. https://www.securityweek.com/european-electric-energy-system-discloses-breach
  2. https://www.securityweek.com/ransomware-causes-disruptions-johannesburg-power-company
  3. https://www.power-engineering.com/features/the-five-worst-cyberattacks-against-the-power-industry-since2014/
  4. https://www.forbes.com/sites/honeywell/2021/03/11/the-biggest-cybersecurity-threats-that-more-people-should-be-talking-about-industrial-hacking-and-hijacking/?sh=43e8f10457a9
  5. https://assets.new.siemens.com/siemens/assets/api/uuid:35089d45-e1c2-4b8b-b4e9-7ce8cae81eaa/version:1599074232/siemens-cybersecurity.pdf
  6. https://www.power-engineering.com/comment/cybersecurity-power-utilities-calendar-covid-19-globaldata/
  7. https://assets.new.siemens.com/siemens/assets/api/uuid:35089d45-e1c2-4b8b-b4e9-7ce8cae81eaa/version:1599074232/siemens-cybersecurity.pdf
  8. https://www.cnet.com/news/solarwinds-hackers-accessed-dhs-acting-secretarys-emails-what-you-need-to-know/
  9. https://www.bcg.com/industries/energy/power-utilities/how-utilities-can-manage-supplier-risk
  10. https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
  11. https://csrc.nist.gov/glossary/term/Vulnerability_Management#:~:text=Definition(s)%3A,extend%20compromise%20to%20the%20network.
  12. https://assets.new.siemens.com/siemens/assets/api/uuid:35089d45-e1c2-4b8b-b4e9-7ce8cae81eaa/version:1599074232/siemens-cybersecurity.pdf

About Robert Furr

Robert Furr is managing principal at Capco, a global management and technology consultancy dedicated to the financial services and energy industries, and can be reached at Robert.Furr@capco.com.

The content & opinions in this article are the author's and do not necessarily represent the views of AltEnergyMag
