The utility sector is a complex infrastructure made up of highly engineered network, distribution, power grid, control, and communication technologies. All of these can be subjected to malicious activities such as cyberattacks and intrusions by nation-states. Cybersecurity in the utility sector is not a new concern; it has been a growing priority over the years, as evidenced by the FBI and Department of Homeland Security (DHS) joint reporting about malicious activity targeting energy-oriented businesses. As such, let’s review the top seven threats impacting the utility sector.
1. Compromises due to overlapping regulatory standards.
-Energy law is complicated, and it sometimes appears to overlap with other statutes and regulations. Despite regulatory standards and fines, Information Sharing and Analysis Center (ISAC) activities, and emerging government laws like Europe’s General Data Protection Regulation (GDPR), regulatory standards are associated with lower levels of cybersecurity upkeep. In other words, these standards and regulations are developed to encourage ethical business practices and enforce a baseline level of security, but they are not sufficient to address serious cyber concerns.
-The electric-utility sector is one of many critical infrastructures that have a mandatory federal regulatory system in place for cybersecurity. Consequently, a nation-state intrusion can create confusion over indemnity, liability, responsibility for regulations, and insurance (real or perceived risk). In other words, if a nation-state commits a malicious act, who is liable to address the issue: the government or the place of operation?
-Regulations may also influence a company to believe that their compliance is a sufficient investment in cybersecurity.
In response to these issues, ISACs have been focusing on bringing key business leaders and stakeholders together to engage in partnerships with the public and private sector.
2. Supply Chain Vulnerability
-Building an additional layer of security into a utility’s supply chain management program is critical. Because hackers target easy access points, end users such as third-party suppliers in the supply chain are typically the weakest link. That is because unknown vulnerabilities, such as those introduced by the use of less-secured commercial electronics, are regularly being exploited.
-This issue is also emerging as a cyber insurance topic. It is therefore important to continue to develop or improve your third-party risk management program. The more reliable the risk calculations, the more exact insurance premiums will be.
3. Internet-connected critical infrastructure
-The growth of networks and communications brings vulnerabilities, such as those in the use of USB thumb drives, PowerShell-based attacks, security software, the use of worms to launch malware, and more.
-Many companies operate under the ‘notion’ that their systems are ‘air-gapped’ from the internet, meaning that a secure computer network is physically isolated from unsecured networks.
-Managing the Internet of Things (IoT) is another great risk, because IoT devices pose a risk to companies that do not improve their security risk posture.
To combat these issues, it is essential to develop an effective security program that all employees can follow and one that is convenient and easy to implement.
4. Internal Risks
-Lack of knowledge of how to mitigate cybersecurity risk can undermine the ability to safeguard your network and systems. Insider risks can be malicious or accidental in nature. Without internalizing and making cybersecurity a convenient and everyday activity, it is difficult for employees and contractors to protect and manage themselves in a cyber environment.
The importance of creating a culture of cybersecurity awareness cannot be overstated, and it is fundamental in protecting organizations. The utility sector should ensure continuous cybersecurity awareness training.
5. External threats
-Threat actors: Nation-states, like Russia, China, and Iran, and non-state actors, including foreign terrorist and hacktivist groups, pose varying degrees of threat to the energy sector. In 2014, Admiral Michael Rogers, director of the National Security Agency, testified before US Congress and revealed that China and other countries could shut down the US power grid. Recently, the FBI and the Department of Homeland Security have formally accused Russia of penetrating US cyber defenses and threatening the state's critical infrastructures. The same malware that brought down Ukraine’s electrical grid in 2015 and 2016 has been identified in US utilities.
In today’s modern, interconnected world, critical infrastructures are prime targets for threat actors, and an attack has the potential to harm the US diplomatically, commercially, and economically.
6. Physical Security
-Being able to distinguish between a cyber-attack and a physical component failure is important. Knowing how to identify the exact cause and type of disruption can aid in choosing the right action to accelerate restoration. This is why a plan is needed to conduct cybersecurity exercises that explore the integrity of internal cybersecurity practices and identify weak points.
-Also, the best proactive measures are built on advanced research and cutting-edge technical solutions, which provide a definite advantage. This is why in 2006 the Department of Energy joined up to work with the energy sector to develop, research, and advance cybersecurity solutions.
Traditional utility sectors must adapt to survive as the industry moves towards the future, and this includes embracing new methods, regulations, standards, plans, and tools.
7. Shortage of Professional Talent
-Despite being a field that is growing fast and constantly changing, cybersecurity is not attracting the talent needed to fill the required positions. By 2020, Frost and Sullivan and ISC predict that 1.5 million job postings in cybersecurity will be needed. By 2019, ISACA predicts a shortage of 2 million cybersecurity professionals. Yet it is apparent that not enough people are going into cybersecurity to fulfill this need. ISC's Global Workforce Study revealed that the average cyber professional is 42 years old, male (women constitute only 11% of the workforce and 1% of its leadership), has an active security clearance, and has 5 or more years of experience.