How the energy industry can better protect itself from cyberattacks


The rise of IoT has come with significant security concerns, as the addition of billions of new connected devices has created an equal number of potential entry points for cyberattackers. Though securing these devices is a priority in all sectors, the need for security is particularly pressing in the energy industry, where IBM sees energy and utility companies spending as much as 7% of their IT budgets on deploying IoT technology – but less than 1% on securing it. Given the potential danger that cyberattacks pose to power grids and other critical infrastructure, this raises major concerns.

Recent cyberattacks and other incidents have underscored both the vulnerability of the energy industry and its high value as a potential target. Attackers understand this, as recent cyber events affecting power grids in places ranging from Ukraine to the western United States have demonstrated.

This article was originally published in Smart Energy International issue 1-2020.

With IoT devices representing a relatively new and often ineffectively secured surface for cybercriminals to exploit, it is now more important than ever for the energy industry to make securing this increasingly widespread technology a major priority.

Recent attacks highlight vulnerabilities and consequences

Just a few short years ago, Ukraine suffered the first confirmed hack to take down a power grid. Over 230,000 people were left in the dark as hackers infiltrated computers located in control centres, locking out administrators, and using the infiltrated computers to disable dozens of power substations.

The attack was characterised as extremely sophisticated, likely carried out by well-coordinated and highly skilled hackers – perhaps even funded or trained with the help of a hostile nation-state. Although speculation has run rampant that Russia was behind the attack, it was never proven. And the truth is, it doesn’t matter. Simply knowing that there are attackers out there capable of this level of sophistication should send a cold shiver down the spine of the entire global energy industry.

Although the Ukraine attack was the first, it was hardly the last. And the United States is not immune to such incidents either, with warning signs rearing their heads in the form of cyber incidents in the west. This March, an anonymous utility company in a “western state” reportedly lost visibility into certain systems due to what has been termed a “cyber event.” Although the specific company is unknown to the public, the attack successfully disrupted power grids in Utah, Wyoming, and California. The event likely played a major role in the state of Texas’s recent decision to implement new power grid cybersecurity protection regulations. Although the damage from this specific incident was relatively minimal, Texas at least seems to recognise that it could have been far worse.

There is also reason to believe that more attacks could be on the horizon. The cybercriminal group behind the notorious TRISIS attack has recently been detected probing US electric companies for potential vulnerabilities. The group has a reputation for having a sophisticated understanding of industrial control systems, and its probing of these companies has made many in the industry nervous. It’s possible that they are in the process of orchestrating a sort of “dry run” for a future attack, and based on what the group was able to do in Saudi Arabia, such an attack could prove severely damaging.

Protecting IoT must be a high priority

If unsecured IoT networks represent such a serious danger to global power security, why don’t utilities and energy companies simply unplug from the network? The answer is quite simply that the pros have outweighed the potential cons for most companies.

Connected technology is everywhere, and it encompasses everything from remote sensors designed to keep employees and facilities safe to remote data gathering devices that can help improve operational efficiency.

Today, nearly half of all energy executives confirm that they have significant IoT deployments, and those that don’t tend to be actively exploring their implementation.

Although adoption rates of IoT devices are soaring within the industry, the ability to effectively defend those devices has not kept up. And while it’s tempting to look around and say, “Hey, the lights haven’t gone out – the problem can’t be that bad,” the likely truth is that the primary reason we have not suffered a major attack on our power grid is that cybercriminals know it is much more profitable to direct their efforts toward carrying out fraud and theft. Why attack a power grid and risk enormous backlash from the US government when you can use those same skills to steal money from vulnerable businesses instead?

You could easily argue that the fact that we haven’t had a major downtime event is simply because it isn’t worth cybercriminals’ time or effort, and that is a sobering thought. An equally sobering thought is that this line of thinking only applies to for-profit criminals. In a terrorism or cyber warfare scenario, potential attackers will not be dissuaded by lack of financial gain.

So, no, the threat is not overblown. It is clear at this point that the dangers faced by the energy industry are real, and clearer still that those in the industry cannot wait for government or other regulatory bodies to take the lead. Instead, they must take charge of protecting their own networks of devices. In the US, states like Texas and California have taken steps to adopt legislation mandating certain IoT and energy grid protections, and the National Institute of Standards and Technology (NIST), a respected non-regulatory agency within the US Chamber of Commerce, is currently working to develop an industrial IoT security guide for energy companies. Although these are reactive steps, they do help set the right tone, emphasising collaboration and information sharing beyond just the energy industry. Cybersecurity teams have addressed a large number of IoT protection issues in operational technology networks, and many of those solutions can likely be applied to a grid environment.

Responsible energy companies across the globe can also take an important first step by implementing public key infrastructure (PKI), an identity-based security mechanism that cannot be easily compromised and has become increasingly purpose-built and easy to use over time. By deploying certificates to protect connected devices, companies in the energy industry should be able to reduce the potential scope of cyberattacks – and with recent advancements in automation regarding certificate management, this solution should be extremely straightforward to implement.

With cyberattacks on the rise, responsible power grid stewardship is essential

While the global rise in energy and utility-focused cyberattacks is of serious concern, the increased focus on protecting potentially vulnerable IoT devices is a step in the right direction. Although the global regulatory landscape continues to lag behind, states like Texas have shown a willingness to take the first step toward building a safer future.

Throughout the world, power grids remain an attractive target for many potential attackers, but there are solutions available today for responsible businesses. By establishing a culture of collaboration in the industry and utilising PKI technology, the energy industry can gain greater peace of mind by reducing the likelihood of a major incident in the future.

About Damon Kachur

Damon Kachur is VP of IoT at Sectigo, a global certificate authority and provider of purpose-built and automated PKI management solutions.

With more than 19 years of industry experience, he offers insights about connected device security for multiple industry standards groups and speaks regularly about threat intelligence and best practices in securing connected ecosystems.

About Sectigo

Sectigo provides award-winning purpose-built and automated PKI management solutions to secure websites, connected devices, applications, and digital identities. For more information, visit