Staying Ahead of Cybercriminals – Why the Utilities Sector Must Mitigate Threats from Outside and Within
Disclaimer: The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE’s position nor that of the Computer Society nor its Leadership.
Like all critical infrastructure, US Utilities are prone to cyber threats, even in peacetime. With foe, and believe it or not, friends, constantly gnawing away at network weaknesses to determine resilience and potential holes.
Here, Alastair MacLeod, CEO at Ground Control, a satellite-focused, IoT and M2M connectivity and critical communications provider, examines how Utilities companies can mitigate these threats to ensure commercial operations are not compromised.
It’s important to note that with all that is going on between Russia and Ukraine, security is also becoming more of a focus for consumers. According to our survey of American Utility users in March of this year, hackers bringing down internal systems was identified as a potential risk to Utility supply by 46.9% of recipients.
However, there are other communities besides nation-states seeking to immobilize civil and economic order by attacking Utilities infrastructure.
The digital battlefield
Cybercriminals and ransomware gangs are looking for increasingly innovative ways to exploit the economic value of the Utilities sector. Meanwhile, hacktivists seek ways to publicly leverage their opposition to political or environmental agendas by disabling facilities through, for example, a distributed denial of service (DDOS).
This digital battlefield is being fought in myriad ways – from disruption to enterprise systems that underpin a Utility company’s commercial and human operations, to more malign intervention of operational technology, designed to inflict severe disruption to civil society.
The ‘AcidRain’ malware attack in February this year, caused severe, prolonged disruption to operations on a mass scale. The attack wiped out Viasat’s KA-SAT broadband service’s satellite modems, impacting thousands in Ukraine and further across Europe1.
Ultimately in the age of IoT, where machines in the home, commerce, and throughout industry are given an identity and the ability to communicate, this risk is only set to increase.
Want More Tech News? Subscribe to ComputingEdge Newsletter Today!
Countering the threat
According to IBM the Energy industry ranked fifth in overall data breach costs in 2021, and security in the Utilities sector brings with it additional considerations: it is a highly regulated industry where breaches can be prohibitively costly by any other industry’s standards. Moreover, costs associated with ransomware or cyberattacks can quickly escalate. Between 2020 and 2021, there was a reported 10% increase from $3.86 million to $4.24 million per data breach incident. Then there is the length of time it takes to discover a breach; often the longer the breach goes unnoticed, the more expensive and/or disruptive the incident. And finally, there are the fines incurred from regulatory bodies, both in the EU and USA. All that, before we get on to reputational damage.
However, it’s not all bad news. Cyber security is already top of mind for many Utility firms and there are many ways to counter these threats, starting with recognizing this inherent vulnerability and embedding a culture of awareness that shapes more secure behavior, processes, and system design.
This is especially true of the operational technology (OT) side of a Utilities company’s systems, focusing on telemetry, which measures and identifies trends across the utility network, and/or SCADA (Supervisory Control and Data Acquisition) which controls the system architecture. In practice, this might be the opening of a dam’s sluice gates or the direction and distribution of gas or electricity on a grid. Our technical team is in contact with clients regarding how to implement more secure solutions, in light of the changing nature of the technological landscape. We review vulnerabilities with clients, both in terms of installation and maintenance, ensuring we also highlight potential vulnerabilities within the wider network.
The importance of private networks
Risk increases when or if data is exposed to the open Internet, which is why Utilities must leverage control using the latest IP technology – securely operating within public networks or operating via secure, private networks. Private networks, and dedicated hubs, such as those within a TSAT satellite system, maintain a vital air gap between telemetry and control, and open public networks. Enterprise systems, on the other hand, are often routed through internet protocols, are inherently more visible and therefore exposed. Simply, in an ideal world, SCADA and telemetry data will not be mixed with enterprise traffic. Secure separation helps ensure this data doesn’t fall into the wrong hands.
Afterall, a sub-station with limited security can be disabled, leading to regional power-loss, or worse still, large-scale disconnection at a grid’s source. If a hacker has knowledge of how a grid is being used and can interrupt the control of grid assets at the same time, they have all the power they need for a checkmate.
If a first principle of security is to separate the data’s carrier and storage, nowhere is this more important than on the Cloud where the superficially attractive proposition of cost-savings can lure one into holding telemetry data along with all other data used across the organization’s operations.
Paradoxically perhaps, some legacy technology still widely used, carrying data between microcontrollers and small peripherals at the coalface of telemetry – such as Serial Peripheral Interface (SPI) – are more secure, being insulated by virtue of a physical connection. Although, new IP-enabled technologies can and are currently deployed, albeit only when protected within a private network or software-defined trusted network.
There are plenty of examples, which illustrate the level of disruption water and energy supplies are prone to. Last year, a cyberattack forced operator Colonial Pipeline to temporarily shut down 5,500 miles of pipeline, and an attempt was made to tamper with the levels of sodium hydroxide in Oldsmar, Florida’s water supply. Moreover, recently in Ukraine, hostile intervention has led to the disabling of energy – in this case, wind farms.
In addition, the control of water flow becomes more critical with the increasing impact of Climate Change. Extremes necessitate accurate prediction and timely response to rapidly changing conditions. This must be controlled using the latest IP technology, all of which must be securely operated within public networks or operated via secure private networks. Imagine the damage that could be done if the data-controlling process fell into the wrong hand and control of monitoring of pollution, reservoirs, and removal of sewage in the networks was uncontrolled.
In the same way, managing diminished supplies of energy between, and within countries, depends on intelligent, smart technology, automatically distributing supply to wherever it is required. All of this being done through controls and networks that are vulnerable to hostile forces. It is essential, therefore, that in addition to the protection of static data, the means by which data moves is equally resilient, and that in turn, means having backup systems in place.
The here and the now
As IoT becomes more embedded in industry day-to-day, it becomes vital that all devices and local networks associated with a grid carry technology and software to protect them. One such way is SD WAN technology (software defined, WAN) which keeps data locked down and secure from the outside world. At the same time, the technology ensures consistent application performance and resilience by automatically steering traffic in an application-driven manner based on business intent, security protocols, and WAN architecture.
Primary bearers and platforms need to have alternatives in place, which means satellite, LTE, and 4G/5G solutions. One of the benefits of telemetry data is its relative size. Because telemetry data requires less bandwidth than much of the traffic going over an enterprise system, it can also be more difficult to trace. However, we advise all our clients to have these backup solutions in place, and if necessary, back-ups to back-ups.
Utilities looking to embed and maintain a strategic threat intelligence program should constantly review their systems and technology alongside their connectivity partners. This is necessary to identify gaps and opportunities based on whatever threat intelligence protocols they have in place to increase situational awareness across teams.
At Ground Control, as a cyber-accredited business, we are responsible for the provision worldwide of connectivity solutions to Utilities and other sectors. We advise clients of risks and trends facing their operations and ways to combat this and build better resilience within their networks. This includes satellite as well as terrestrial networks, which transmit and receive data vital to the monitoring and performance of systems.
In our recent paper, ‘Data’s journey in shaping digital transformation in Utilities, and what it all means,’ we examine how data has been a catalyst for digitalization among companies within the Utilities sector, and how such disruption, outages, and supply interruptions result in huge financial burden and penalties for the supplier, and severe (often prolonged) disruption for consumers.
Which brings us back to the beginning; being aware of the risks, including an acceptance that they may come from closer to home than one might at first think, is as critical as the data that needs protecting.
1 – Just Security, ‘AcidRain Malware and Viasat Network Downtime in Ukraine: Assessing the Cyber War Threat’
About Ground Control
Established 20 years ago in 2002, Ground Control uses satellite and cellular technology to connect people and things, particularly within hard to reach, remote areas – from wind farms to fishing fleets and first responders to forestry workers.
Ground Control designs and builds its own hardware covering the entire spectrum of connectivity requirements, with manufacturing facilities in the UK, and in the United States.
The company’s long-term partnerships with airtime providers such as Inmarsat and Iridium mean that it has access to the most competitive and comprehensive airtime plans, taking full advantage of their service evolutions in ways that make Ground Control’s customers’ challenges easier to solve.
Ground Control works within a multitude of Governments and industries, including Oil & Gas, Utilities, First Responders, Maritime, the Environment and Agriculture from all over the globe.