Safeguarding smart devices to address utilities’ growing cyber vulnerability

286

Highlighted by the 2020 SolarWinds breach that eventually affected hundreds of electric utilities, cyberattacks on utilities are on the rise, writes David Stroud, the general manager of Nanolock in Europe and the APAC region.

It’s easy to see why cyberattacks on utilities are on the rise, given the potential devastation that downed critical infrastructure can cause, which gives attackers immense leverage to pursue financial or geopolitical gain. Within utilities, among the most vulnerable targets for attack are network assets like advanced metering infrastructure (AMI), which includes the newly networked Operational Technology (“OT”) devices like smart meters that utilities across the globe are rolling out at dramatic speed.

Research from IHS Markit projects global spending on AMI to rise to $13 billion by 2023, a nearly 50% increase from 2018 numbers.

While the low power, long-range functionality and low bandwidth connectivity of proliferating legacy and newly distributed OT devices has streamlined operations for utilities and improved energy efficiency for customers, there is a downside to deploying so many networked devices. Each connected device represents another potential target for cybercriminals intent on intrusion, persistence, and manipulation of the systems to which the devices belong. Their security protocols have not kept pace with the scaling threat.

Have you read?
Utility spending on smart meter analytics to triple through 2030
Energy companies are not implementing basic cybersecurity practices says expert
Podcasts: Cybersecurity and utilities – how to solve and prevent cyber attacks

Many OT system operators have seemingly integrated their legacy devices onto IT networks without much concern for security at all, perhaps because operators believed their proprietary internal networks used systems that intruders would not be able to decipher or affect. This has not borne out, and since many smart devices are battery-powered and often have limited computing power, they are unable to run an agent to provide protection from attack.

Tests and trials

Private cybersecurity teams have started testing the security resilience of utilities’ network assets like smart meters with “red team” tests. One such example comes from Mandiant, the incident response unit for FireEye, who – with permission – breached a utility’s external IT network and eventually issued commands to disconnect smart meters. Hackers, obviously, have tried their hand at breaching these meters too. This is what happened in a 2016 hack in Ukraine, where malware hackers used a script called “Crash Override” to seize the country’s power grid and briefly blackout the capital city of Kiev. The European Network of Transmission System Operators for Electricity (ENTSO-E), the organisation responsible for the coordination of European electricity markets, was breached as well in a separate incident in March, 2020.

Governments have begun to recognise this national security risk, as officials in the EU have initiated legislation to protect their energy sector as well as IoT devices in general. The proposed bill includes increased cybersecurity requirements for critical infrastructure companies, though each country gets to decide for themselves which companies to classify as such. Finland declared more than 10,000 companies as critical infrastructure, while Cyprus designated just 10. Standardising across a single classification with more thoroughly articulated AMI security requirements is advisable. The American government is aware of the worsening threat environment for their energy sector as well, and following a recent memo on the subject from US President Joe Biden, over 150 utilities signed on to deploy new security technologies for their control systems.  

As advanced metering infrastructure rolls out and hackers’ efforts to breach these targets ramp up, decision-makers for electric utilities are likely wondering what can be done to protect their smart assets, and therefore their customers, from attack and disruption of service. Our increased reliance on the grid with the advent of electric vehicles and smart homes makes this issue even more pressing.

Zero-Trust device-level protection

On a practical level, utilities must future-proof smart devices such as smart meters and electric vehicle charge stations with Zero Trust device-level protection that can prevent unauthorised modification to critical code and data, thereby preventing persistency. Under a Zero Trust approach, all users, even those inside the organisation’s enterprise network, need to be authenticated and authorised before being granted access to applications and data.

One way of implementing a Zero Trust approach in practice is to introduce an embedded gatekeeper into each smart device’s memory that will prevent outsider, insider, and supply chain threats by automatically rejecting all changes unless authenticated by a trusted external server. This prevents persistency because bad actors won’t be able to insert their code into the memory and while this won’t stop future hackers from trying to breach utilities’ network assets like smart meters, it will at least prevent them from finding success while only using limited computing power.

It should be clear by now that AMI and connected devices pose a significant vulnerability for utilities. The data contained within and the ability to control the device is both asset hackers will try to seize and a liability the utilities wish to conceal, and yet operators have failed thus far to address the threat they face with appropriate concern. The damage a hacker can do when breaching a meter goes far beyond data theft, too, as they can also gain the ability to remotely disconnect power – something that could prove deadly in an event like a winter storm. Simply put, as meters are connected, their operators must recognise the security risk they pose and move to address it with zero-trust, device-level security that specifically protects their new vulnerabilities against the attack vectors looking to target them.

David Stroud Head of Europe  APAC NanoLock Security .jpg

About the author

David Stroud is NanoLock’s GM of Europe and APAC, overseeing strategic partnerships in Europe and APAC. Based in NanoLock’s UK office, Stroud is an industry-recognised leader with over 15 years of deep international experience, along with direct expertise in the energy and metering sector – including through his successful tenure as executive director of a leading international smart metering solution provider, and as general manager of Advanced Metering Services, New Zealand’s largest metering provider.