Because of its size, scope, and importance, the utility sector in the United States is a tempting target for terrorists trying to cause chaos or financial criminals looking to penetrate and steal. Our industry faces significant cyber and physical security threats, and regulatory compliance alone isn’t always enough to keep a company’s assets safe.
The utility sector relies extensively on cyber systems to carry out its mission, monitor control systems and remotely access infrastructure, which makes protecting against cyber threats ever more important. What utility companies need is a more comprehensive set of solutions that go beyond traditional building security and extend to the network-based systems that provide critical live data on power plants, substations, and other assets.
What Unique Security Challenges do Underground Utilities Present?
There are three factors that make this sector particularly vulnerable to modern cyberthreats. The first is a rise in the number of threats and hackers targeting utilities, including nation-states attempting to disrupt security and the economy, cybercriminals who recognize the economic value of this sector, and hacktivists looking to publicly express their opposition to utility projects. The second vulnerability is utilities’ growing attack surface, which is a result of their geographic and structural complexity, as well as the decentralized style of many firms’ cybersecurity leadership. Finally, the particular interdependencies between physical and cyber infrastructure leave organizations more vulnerable to exploitation.
Additionally, many utility infrastructures are stuck with outdated systems and have limited visibility into what’s going on in their operational technology settings. Traditionally, OT and IT environments have been kept fully separate thanks to air gapping practices. Recently, as OT and IT environments converge, new security threats are arising. In response, more companies are migrating to and adopting innovative technology to address the difficulties of OT/IT convergence.
What Should Underground Utility Companies Do to Boost Security?
Most companies in the utility industry have realized how important it is to protect critical infrastructure, but many of them are unsure of where to start. The first step is understanding the threats your company faces so you know what you need to defend. Underground utility companies face some unique risks because they have physical infrastructure that is exposed to the elements, which means more potential points of attack. That’s why it’s critical for companies in this sector to bolster their cybersecurity efforts by focusing on several key areas.
First, it’s crucial that you take steps to alert staff proactively about potential threats and train them on how to respond appropriately if a cyber event occurs. All personnel need to understand the importance of being vigilant in the face of rising phishing, malware assaults, data theft, and billing fraud.
Enact Cybersecurity Hygiene.
“62% of oil and energy companies are at heightened risk of ransomware attacks due to their weak cybersecurity performance…making them 4.5 times more likely to experience an attack.” – BitSight research.
This is why it’s vital that these businesses examine their security programs right away to find any flaws, especially in the areas of configuration management, patching, vulnerability management, and endpoint security.
Basic “hygiene” measures such as using stronger passwords and avoiding the use of USB devices, for example, will help prevent the most dangerous viruses from infiltrating important systems.
Have a Plan for Recovering Data.
We can’t emphasize enough how important it is to have an action plan in place so you know exactly what steps need to be taken if there’s an attack. An effective plan needs to include shutting down compromised devices, containing the effects of the attack, preventing further damage, and restoring normal operations as quickly as possible.
Focus on Compliance.
Regulatory bodies are increasingly requiring utilities to take cybersecurity matters seriously. By taking the appropriate steps, you can reduce the risk of an attack and ensure your company is in compliance with any new or existing legislation. Aside from funding challenges, regulatory inconsistencies may result in a more fragmented approach to utility cybersecurity.
Departments are under constant pressure to address gaps identified in ongoing site-specific or regional-level security assessments. They are required to show compliance with Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) critical-infrastructure protection (NERC CIP) standards, as well as other industry requirements.
Assess Security Vulnerabilities.
A thorough assessment of network connections and devices also needs to be completed to identify vulnerabilities and prioritize the ones that are most critical. Ongoing assessment and improvement efforts are critical to maintaining high-performing security. Yet, companies must ensure that assessment doesn’t overwhelm the security team’s resources and distract attention from the changing threat landscape and expanding attack surface.
There are lots of different opinions about how best to protect against these threats, but one thing’s for sure: our industry needs to be proactive in developing solutions.
Utility operators must go beyond reactive security measures and adopt a proactive approach that includes security considerations in crucial decisions about expansion and the resulting rise in infrastructure and geographic complexity. At the same time, attackers will continue to develop and use new attack techniques, so business leaders must develop security-minded policies to combat threats on the horizon.