It is not just electric utilities that need to be cyber aware. Increasingly connected water utilities need to understand the threat landscape too.
As a high-growth, increasingly connected industry, the energy, gas and water utilities market faces a problem of growing vulnerability to cyberattacks. Because of the critical role of water and power infrastructure in our society, in addition to their increasing reliance on connected systems, they are an especially appealing target for multiple attack vectors such as insider, outsider and supply chain attackers.
The attackers have diverse reasons for the attack that vary from state-level attacks to financial and theft motivations. The possibilities for destruction are vast – from gaining access to a wastewater plant and changing settings that could cause contaminated water, to shutting down power for entire cities. A 2018 report by KPMG found that “almost half of power and utility CEOs think a cyberattack on their company is inevitable,” and that “for utility executives, cybersecurity continues to be a top concern as grid modernization potentially opens up the power sector to more vulnerabilities.”
Connected digital devices – such as smart meters, controllers, and sensors – are used by utilities to remotely monitor and control processes and are also easy targets for hackers. For water and electric utilities, smart metering can be a way to drive efficiencies, but it has the potential to compromise the privacy of end-users. And then there is the issue of bad actors both internal and external to an organisation gaining access to the main operational system and causing severe community health issues like flooding or contaminating water sources or turning off power to entire cities.
This can also present a trickle-down impact on the global supply chain by stopping entire nations in their tracks.
What does the threat to utility infrastructure look like currently?
We’ve already seen examples of the danger that cyberattacks can present in a utility setting. In 2018, it was announced that the US electric grid, among many other critical infrastructure organisations, had been targeted and attacked by Russian government hackers going back as far as 2016. Hackers intentionally gained access to power plant and other networks and set up admin accounts with permission to make changes to the system and used these accounts to install malware in the network.
In 2016, Syrian-linked hackers attacked an American water district’s industrial control system (ICS) and “managed to manipulate the system to alter the number of chemicals that went into the water supply.” And as recently as February 2019, a small Colorado water utility was hit by ransomware, causing it to switch IT service providers and alert the FBI. While many attackers are intentionally choosing small, local utilities without the IT resources and budget of larger providers, there is still risk for providers of every size across the industry – a 2015 cyberattack in Ukraine caused power outages for close to a quarter of a million people. These two are just examples of the dozens of other threats, both in the US and globally.
There is also the issue of smart meters and appliances that are serviced by electrical or water management companies being exposed to attack. With their fine-grained data, smart meters and appliances have the potential to compromise the privacy of end-users; for example, they could divulge information about users’ habits, their activity at home, whether or not they’re on vacation, or other important information that could be used in a multi-layer attack.
What’s more, should even one smart meter become compromised through a focused attack or reverse engineering, attackers could potentially access the entire advanced metering infrastructure, allowing them to carry out a macro-level attack of unprecedented scale.
The vulnerability of smart meters highlights a need for device level protection that protects even the most vulnerable edge devices, rather than a network based or over-the-air (OTA) update approach to security. It is crucial that connected utility devices such as ICS, controllers, smart meters, sensors, etc., be hacker-proofed throughout their entire life cycle – starting from the production line, through the supply chain to field operation and remote software updates, until end-of-life. Resilience should be maintained throughout multiple attack vectors: remote and local, outsider and insider, as well as in the chain.
Although many of the bad actors that are targeting this market are external, there is a very likely and large threat coming from the inside in many cases; i.e. internal liaisons that either assist external groups in receiving access or conduct nefarious activity on their own. A 2018 report from IBM’s X-Force Threat Intelligence Index found that insider threats are “the cause of 60% of cyberattacks.” Threats can materialise during manufacturing and within the supply chain of devices such as smart meters and controllers, with the most tangible threat coming from a bribed workforce in the manufacturing and supply chain that loads malicious firmware into a batch of devices, such as smart meters, sensors and controllers.
A new cybersecurity approach for utilities: flash-to-cloud
As cybersecurity concerns mount across utilities, there is a need for a new approach.
Security must be built into a connected device’s hardware, when it is developed and manufactured on the factory floor and extended throughout its lifecycle, so that the ability for an insider or an external group to gain access would be challenged.
We are working with a European power utility company and testing deployment of smart meters that communicate via its PLC (power line communication) network, to automatically receive energy usage and send software updates, calibration, encryption keys and more. But as a preferred target for hackers, smart meters as well as RTUs (remote terminal unit controllers) pose a serious risk, because of their connection to the grid and also because they serve as back doors for a wide range of malicious attacks from external and internal threats.
With this approach, a secure channel is created all the way from flash memory to the cloud, making it impossible for attackers to alter the firmware of these smart meters and RTUs with any malicious code. Only trusted and validated commands and updates, coming from the utility’s data centre, can modify the flash. Reliable alerts and status reporting, coming from the hardware root-of-trust enable a trustworthy outlook, management, and control of the utilities’ smart meters, controllers, sensors and ICSs.
The flash-to-cloud embedded protection guarantees a lifetime defence – from manufacturing and supply chain, to operations and software updates, to end-oflife – regardless of whether the attacker has a network or physical access or is an outside or inside threat.
We have begun partnering with utilities to offer them a solution for IoT cybersecurity.
In November 2019, we announced a partnership with Israel’s national water company, Mekorot, to develop cybersecurity solutions for water and energy utilities in Israel and around the world.
As we look ahead at 2020 and beyond, the threats facing utilities and smart infrastructure will continue to expand as their networks do. It is important for decision-makers to consider new security approaches that offer a device-level, security by design that protects their infrastructure for years to come. SEI
About Nitzan Daube
Nitzan Daube is CTO of NanoLock, where he brings extensive experience in software¸ high-tech business and bridging the gap between marketing¸ project management and engineering. He has worked with companies like Microsoft, National Geographic and Cellepathy in various executive-level software and hardware management capacities.
About NanoLock Security
NanoLock Security provides a security by design solution with a powerful flash-to-cloud defence for IoT and connected edge devices.
NanoLock’s robust solution secures the entire chain of IoT and connected edge devices vulnerability, from deeply embedded endpoints in the device to the cloud, with no additional device costs and zero computing power.