Utilities Face Security Challenges as They Embrace Data in New Ways
A culture of cybersecurity and implementing industry best practices can go a long way toward protecting a utility.
The world is facing a perfect storm of market pressures — from geopolitical to economic to environmental concerns. Because of this, uncertainty is impacting businesses and government agencies everywhere, and power and water providers are not immune to these forces.
Extreme weather events hinder grid reliability, for example, while integrating distributed energy resources such as solar panels complicates reliable service delivery and load management. Many utilities are looking toward real-time data analytics to address these challenges by delivering new insights, improving operational efficiencies, and delivering new products and services.
However, as data analytics programs ramp up, utilities find themselves facing increasing security threats. A robust analytics program is a business imperative, but privacy and security concerns must be addressed for these programs to move full steam ahead. The good news is utilities don't need to reinvent the wheel. Instead, they must recognize these challenges and adopt proven strategies to protect themselves and their customers.
Utilities Are a Prime Target for Cyberattacks
Statistics and headlines illustrate the growing security threats faced by utilities. Research from Skybox Security found that 87% of utilities have experienced at least one security breach in the past 36 months.
One example worth highlighting is the malicious attack on a US-based utility that resulted in a loss of 90% of its internal systems and wiped out 25 years of historical data. Luckily, there was no impact on customer data or grid operations, but it was a relatively small utility company, which is a reminder that anyone is at risk.
The risk is real, and there is a lot at stake, especially when it comes to critical infrastructure. One successful breach could cut power or water supply to thousands of residents.
The age of operational technology (OT) — much of which is more than 25 years old — is a concern for utilities. Aging technology is harder to update, making it easier for hackers to exploit. Also, many devices that collect real-time data are third-party technologies, such as smart thermostats, and are outside the direct control of utilities. The combination of a larger attack surface and less control equals greater risk.
As is true for all companies with access to personally identifiable information (PPI), utilities are responsible for keeping customer data secure. The Verizon "2022 Data Breach Investigations Report" found that in 2021, customer data amounted to 58% of all data stolen from energy and utility firms, followed by credential information (much of which was likely used to steal customer data). Now that utilities are collecting more data than ever — and data that can be used to piece together someone's habits (i.e., when they are on vacation or when they get home from work) — the stakes are even higher.
While many hackers are after financial gain, the possibility of a nation-state attack is also on utilities' minds. Earlier this year, the US Department of Homeland Security issued a Shields Up alert to critical infrastructure providers after it received indications that the heavily sanctioned Russian government may be targeting them: "Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety."
Actionable Steps to Ward Off Data Security Threats
Staying ahead of cyber threats can feel like an uphill battle, but there are several steps a utility can take to boost its security posture. Here's a list of five best practices that should be on every utility's radar:
Strengthen the human perimeter. Creating a culture that prioritizes security is arguably the most important step a utility can take. Most attacks, even those conducted by nation states, will go through the path of least resistance. In most cases, that is an employee. Standard defenses — spam filters, endpoint detection and response, etc. — make it more challenging for bad actors to reach an employee, but they are not foolproof. Employees must know how to identify and avoid social engineering and phishing scams.
Protect IT and OT from one another. Building a demilitarized zone (DMZ) between IT and OT environments helps prevent attackers from compromising one network to gain a foothold in the other. This includes adding firewalls and gateways to guard where data goes. Even with a DMZ, utilities should have backup options in place to contain infiltrations and continue operations.
Thoroughly test for any weak points by employing third parties to conduct penetration and vulnerability testing. The key is to find gaps in your network before the bad guys.
Layer additional defenses onto the most valuable and vulnerable assets. Increase the protection of assets that are most likely to be targeted. This can be accomplished in a number of ways, including limiting the number of people that have access to a system or adding extra security features such as multifactor authentication.
Consider outsourcing or augmenting your security team if you're a small utility with fewer resources. Having a partner to guide you through your security journey can make all the difference.
Balancing Data With Security
Security is on every utility's mind, but it must be viewed as more than a checked box. A culture of security and implementing industry best practices can go a long way in protecting a utility and lessening executives' concerns with real-time data analytics. This is critical as real-time data analytics programs are necessary for utilities to keep up with current and future demand.
About the Author
You May Also Like
A Cyber Pros' Guide to Navigating Emerging Privacy Regulation
Dec 10, 2024Identifying the Cybersecurity Metrics that Actually Matter
Dec 11, 2024The Current State of AI Adoption in Cybersecurity, Including its Opportunities
Dec 12, 2024Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024