In recent years, there have been several highly publicized attacks on energy companies and other utilities. Attacks on these entities are particularly alarming in light of their designation by the federal government as critical infrastructure, as they “are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof,” according to the Cybersecurity and Infrastructure Security Agency (CISA).
According to a March press release from the Department of Energy, “Just two months into 2024, it is abundantly clear that America’s critical infrastructure is facing an unprecedented level of cyber threat. Foreign adversaries are bolder, better equipped, and increasingly willing to test the limits of our security measures in preparation for future attacks.”
The EPA Warns of Increasing Cyber Attacks on Critical Infrastructure
The North American Electric Reliability Corporation held a webcast in April that noted, “U.S. power grids are increasingly vulnerable to cyberattacks, with the number of susceptible points in electrical networks increasing by about 60 per day.”
The following month, the Environmental Protection Agency (EPA) warned about the increased frequency of cyberattacks targeting community water systems across the country. “Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts,” the agency said in an enforcement alert.
Legacy and Emerging Tech Make Utilities More Vulnerable
After the EPA warned in May about potential cyberattacks on critical infrastructure, Mike Mestrovich, CISO of data security company Rubrik (and former Deputy CISO of the CIA) told BizTech in a statement, “The Chinese have been actively working for years to infiltrate and maintain persistence in our nation’s critical infrastructure and to pre-position themselves for a few reasons. One is to continue to gather intelligence about how our systems operate and the capabilities of our defensive capabilities, and the second reason is simply to be able to disrupt and/or destroy those systems in the case of a conflict.”
One of the reasons utilities are so susceptible to attack is their continued reliance on outdated technology, such as Supervisory Control and Data Acquisition (SCADA) networks, that wasn’t designed for today’s more sophisticated and broadly accessible systems.
Last September, CDW Senior Security Architect Pedro Serrano said in an interview with BizTech, “Water utilities and water plants are the ones that get the least amount of budget in every city, in every county, in every state. It’s a known fact. Because of that, their SCADA systems are the oldest and the least secure. Most electrical utilities today have received a lot of help, and they’re now trying to disseminate some of that knowledge into the water and the city.”
But emerging technologies can be just as vulnerable as some legacy solutions. At the end of last year, Forbes predicted, “The expanding Internet of Things landscape will introduce new vulnerabilities in 2024. Many IoT devices lack adequate security measures, making them attractive targets for hackers. Addressing IoT security issues promptly is essential, as these devices continue to become more integrated into daily lives and critical infrastructure. Manufacturers and consumers must prioritize security features, firmware updates and robust authentication mechanisms to protect against IoT-related threats.”
Why Utilities Should Focus on These Cybersecurity Priorities
In January, CISA published a cyber incident response guide for the water and wastewater sector, which was developed by the FBI, CISA and the EPA. In response to the guide, Mestrovich said, “The guidelines could be more impactful if the EPA were allowed to actually assess the effectiveness of cyber defenses, but that was shot down last year via a court challenge from the industry saying it would be too expensive. Instead, we are now left with a self-assessment model.”
As part of that model, Mestrovich recommended prioritizing the following four elements during a self-assessment:
- Patching: “Organizations should always patch for known vulnerabilities so you aren’t giving the adversary an easy target,” he said. “But the bad guys will almost certainly have done recon, and they have a host of zero days they are just waiting to utilize, so patching will only get you so far.”
- Identity: Mestrovich said multifactor authentication is an effective tool for threat detection because it “ensures legitimate credentials are not being misused by the adversary.” In addition, microsegmentation can be valuable because it forces an adversary “to find new credentials every time they try to move laterally.”
- Threat hunting: Organizations should always be on the lookout for threats.
- Cyber resilience plan: Backing up critical systems and associated data is an essential way to make your organization more resilient, “so that if your systems are destroyed or degraded, you have a way to reconstitute them,” Mestrovich said.
By placing an emphasis on these priorities, utilities will be better equipped to protect not only their own business interests but the safety of the nation’s critical infrastructure and the millions of citizens they serve.