Why cybersecurity is lagging in utilities – and what to do about it


This article looks at the importance of cybersecurity for the energy sector, given the potential economic and human safety impact of a cyber attack on critical infrastructure.

The energy space is a highly attractive target for cyberattacks, with potentially major repercussions. It is also an industry that is notoriously slow to adopt new advanced cybersecurity measures, as evidenced by utilities worldwide lagging in aligning themselves with cybersecurity standards.

This article first appeared in Smart Energy International Issue 4-2019.

Recently, US utility Duke Energy was fined $10 million by NERC for egregious security lapses dating back to 2015. And Duke was presumed to be ahead of its peers, so where do other utility firms stand?

Clearly, there is a need for investing in increasing utility cybersecurity awareness, optimising the operations of emerging grid security technology start-ups and in research and development of new security features and capabilities.

Smart Energy International spoke with Carolyn Crandall, chief deception officer at Attivo Networks, a cybersecurity firm, to understand what can be done to ensure increased adoption of security technologies and measures.

Asked about the impacts of cyber attacks, Crandall said energy sector leaders are acutely aware that they are a highly attractive target for cyber attacks and must be prepared for the most sophisticated cyber criminals. Although the attack is done online, cyber attacks pose the same kind of infrastructure risk and repercussions as natural disasters or physical attacks. Cyber attack-driven outages can also have a significant impact on economic and government stability if taken to extremes.

With the emergence of smart grids, smart devices, and the massive growth of IoT connected devices, rapid digitisation of the energy industry has increased the potential attack surfaces and the need for enhanced visibility and detection of in-network cybersecurity threats. Given the sophistication and gravity of these attacks, the sector has enhanced its security programs to include investment in not only prevention but also in lateral movement detection so that attackers cannot successfully establish a foothold or advance their attacks.

Beyond costly outages, attacks could potentially result in infrastructure shutdown, triggering economic and financial disruptions or even loss of life and massive environmental damage.

From a business standpoint, many cyber criminals are looking for opportunities for financial gain. For instance, they could target payment systems and records. However, cyber criminals can also cause a disruption of service motivated by ransomware and refuse to relinquish control until they are generously compensated.

Other attacks are more politically driven. Causing harm to systems that provide water, electricity, and other fundamental services can impact the country’s political and financial systems.

Not always driven by the desire to harm or steal, some attacks will happen simply because the attacker wants to prove they can infiltrate a system or network. Additionally, an ethical hacker may break in to highlight that there are risks that really need to be addressed, before a cyber criminal exploits the weakness.

How to address utilities lagging behind cybersecurity goals

A fundamental challenge lies in the industrial control devices that are being used. They have much longer life-cycles than a traditional computer system and when originally designed, they were not built with security in mind. It is not uncommon for these devices to be in use for 30 years, well after the end of life of their operating systems and applications. This makes them hard to locate and update, in addition to the difficulty of finding current security patches. The problem is compounded because these systems often have default or shared passwords, which an attacker will seek out in order to exploit these systems.

What needs to change? OT tends to focus first and foremost on safety and operational continuity. OT engineers need to see security as a threat to operational continuity in order to take it seriously. The business initiatives that are connecting plants to enterprise networks need to make sure the OT engineers are aware of the risk. If they are not aware of the connections or don’t know how to evaluate these risks, they won’t be able to protect their networks or know how to respond to a cyber attack.

These teams need to have the right tools to have visibility of the assets and what’s happening inside the network. This level of visibility needs to be brought up to the same levels as seen within an IT network. It will take some time to get all equipment tracked and up to baseline security standards. In the interim, solutions like deception technology, which provides ‘eyes inside the network’ visibility to lateral movement activity and policy violations, will serve well as the de facto safety net for early detection and adversary intelligence.

And of course, more regimented, but logical, legislation on minimum security standards would serve well to elevate and escalate progress.

Similar to enterprise organisations, there is an increasing need for the energy sector to deploy deception technology in order to detect threats on utilities, but also in conjunction with penetration testing in order to understand attack surface weaknesses and new exposures that an attacker may exploit. With in-network deceptions, high interaction decoys and lures are deployed throughout the network to appear identical to production assets. These deceptive systems efficiently detect and derail attackers as they seek to move laterally using reconnaissance to find available hosts or services, access to file shares, credential theft, or attempt a man-in-the-middle attack.
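The detection principle behind the in-network deceptions described above (and the lateral movement detection mentioned earlier in the interview) is that a decoy host, a lure credential or a decoy file share has no legitimate consumer, so any interaction with one is a high-fidelity signal. The following is an added illustration of that principle, not code from the article or from Attivo Networks: it runs over a constructed, hypothetical log format (`<timestamp> <source ip> <event> <details>`) against a hypothetical decoy inventory, classifies each decoy touch by the lateral-movement technique it resembles, and escalates any source that has touched decoys in more than one way.

```python
"""Decoy-interaction detector (added example).

Any touch of a decoy asset or lure credential is treated as an alert because no
legitimate user or process should ever reach them.  The decoy inventory, the log
format and the sample log lines below are all constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical decoy inventory; a real deployment would pull this from the
# deception platform's own asset list.
DECOY_HOSTS = {"10.20.5.77": "decoy-hmi-03", "10.20.5.78": "decoy-historian"}
LURE_ACCOUNTS = {"svc_backup_old", "plc_admin_legacy"}
DECOY_SHARES = {r"\\decoy-historian\engineering"}

# Constructed log format: "<ts> <src_ip> <event> <details>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<event>\w+) (?P<details>.*)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    technique: str   # which lateral-movement step the decoy touch resembles
    detail: str      # the decoy asset or lure that was touched


def classify(event, details):
    """Return (technique, detail) if the event touches a decoy, else None."""
    if event == "connect":
        # Network connection: reconnaissance / host discovery against a decoy host.
        m = re.search(r"dst=(\S+) port=(\d+)", details)
        if m and m.group(1) in DECOY_HOSTS:
            return "reconnaissance", f"{DECOY_HOSTS[m.group(1)]}:{m.group(2)}"
    elif event == "auth":
        # Authentication with a lure account: the credential was harvested somewhere.
        m = re.search(r"user=(\S+)", details)
        if m and m.group(1) in LURE_ACCOUNTS:
            return "credential_theft", m.group(1)
    elif event == "share_access":
        # Access to a decoy file share.
        m = re.search(r"path=(\S+)", details)
        if m and m.group(1).lower() in {s.lower() for s in DECOY_SHARES}:
            return "file_share_access", m.group(1)
    return None


def detect(lines):
    """Turn raw log lines into decoy-interaction alerts; non-decoy traffic is ignored."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        hit = classify(m["event"], m["details"])
        if hit:
            technique, detail = hit
            alerts.append(Alert(m["ts"], m["src"], technique, detail))
    return alerts


def lateral_movement_chains(alerts):
    """Sources that touched decoys via two or more distinct techniques: escalate."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a.src].add(a.technique)
    return {src: sorted(t) for src, t in by_src.items() if len(t) >= 2}


# Constructed sample log: one host probes two decoys, opens the decoy share and
# tries a lure account; two other lines are ordinary production traffic.
SAMPLE_LOG = [
    "2019-08-01T02:14:03Z 10.20.7.15 connect dst=10.20.5.77 port=502",
    "2019-08-01T02:14:04Z 10.20.7.15 connect dst=10.20.5.78 port=445",
    r"2019-08-01T02:14:09Z 10.20.7.15 share_access path=\\decoy-historian\engineering",
    "2019-08-01T02:15:30Z 10.20.7.15 auth user=svc_backup_old result=failure",
    "2019-08-01T02:16:00Z 10.20.8.40 connect dst=10.20.5.10 port=502",   # production PLC
    "2019-08-01T02:17:00Z 10.20.8.41 auth user=operator1 result=success",  # legitimate login
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} {a.technique:<18} {a.detail}")
    for src, techniques in lateral_movement_chains(found).items():
        print(f"ESCALATE {src}: {', '.join(techniques)}")
```

Because decoys carry no production traffic, the rules need no thresholds or baselining, which is why the interview positions deception as an interim safety net while asset visibility in OT networks is still being built out. Production traffic to real hosts (the last two sample lines) produces nothing, and the one source that touched decoys three different ways is escalated as a likely lateral-movement chain.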

Digitalisation and utilities’ cybersecurity focus

Our own research supports that utilities are aggressively focused on the digitalisation of everything; however, the very components that enable digitalisation – sensors, connectivity and smart applications – also increase risk. Digitalisation is attractive because it enhances efficiency, improves safety, and optimises production, but it also creates more opportunities for bad actors to penetrate operational technology (OT) environments and to wreak havoc. OT networks have very different characteristics from IT networks and thus traditional IT-focused security solutions tend not to work reliably for OT networks. As the threat landscape becomes more sophisticated and attackers gain OT-specific expertise, utilities and industrial customers need to re-evaluate their security frameworks and adjust their security posture to prevent these networks from becoming a favoured target of cybercriminals.

It is hard to make broad generalisations, as maturity of cybersecurity organisations across utilities varies widely. However, a second area which most utilities, and enterprises more broadly, are increasingly focusing on is supply chain risk management (SCRM). SCRM addresses the relevant cyber risks associated with the acquisition and deployment of technologies within a utility’s environment from third-party providers. The main issue is that if access is granted to a third-party provider, and in turn that third party has been compromised, the utility’s network is now at risk of being compromised as well. To remedy such vulnerability, utilities have to conduct in-depth cybersecurity posture analyses for each of their third-party providers, which is very time-consuming.


Carolyn Crandall, Attivo Networks

Carolyn is the chief deception officer at Attivo Networks, as well as an active speaker, writer, and blogger. She is a technology executive with over 25 years of experience in building emerging technology markets in the security, networking and storage industries.