The digital transformation of utilities brings with it major challenges for water and energy companies in terms of protecting their operations from cyber-attacks.
In the past, safeguarding assets from unauthorised access was primarily a physical activity. However, our digital world means keeping water treatment works or electricity substations under physical lock and key is no longer enough.
Power utilities must be connected to increase grid efficiencies, improve resilience and ultimately deliver the next generation of services. But with the growing need for cross-sector digital connectivity, cyber security, data integrity and confidentiality will be increasingly important.
The growing number of attacks on the power side has sent shockwaves through the industry, resulting in new regulations to avert crippling attacks on critical energy infrastructure. The challenge is to fully protect operational assets without disrupting operational processes, while still allowing third-party access for maintenance purposes.
Threats and security breaches can originate from anywhere; for example, an employee using a USB stick or laptop to download data from a PLC (programmable logic controller) or RTU (remote terminal unit), not realising that the device contains malware. And even if a utility has managed to lock down its own operations, what about the risks posed by third-party suppliers, who have no idea that the route to attack could be an insecure or unchecked laptop?
This topic was discussed at length during a recent industry roundtable, supported by Cisco, which I took part in (full report here).
Utility companies are having to change their approach to align with new regulation and the new requirements of the operational communication networks.
First, it is important to identify every device connected to the operational network; this includes older but essential devices running legacy protocols. Understanding the security posture and risk profile of each device ensures they cannot compromise overall security. All new substation devices, for example, will ideally now have an identification process where each device announces itself to the network, using authentication that can be verified by some type of authority to establish trust. The identification of every device is also critical in determining which other devices it can – and should – communicate with.
Second, the ability to control access to the communications network and all devices on it is critical and is aligned with the identity and posture of these devices. The ability to segment or quarantine rogue devices quickly ensures their impact is minimal. Controlling access to the network also extends to managing third-party devices and people, such as contractors. The same policies should be applied for access within a substation/treatment works in addition to remote access via VPNs.
Third, the ability to closely observe and manage the communication network is key. We can now use techniques to monitor infrastructure communications flows, analyse network traffic behaviours and use threat intelligence to identify any suspicious devices or traffic. An example of this would be a temperature measurement sensor sending control commands to a PLC. This type of traffic can only be picked up by in-depth visibility of the network.
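The three steps above (inventory every device and its role, define which devices may talk to which, then watch the traffic for anything outside that policy) can be tied together in a small monitoring routine. The following Python is an added example written for this page; it is not code from the article, from Cisco or from any product. Every address, device name, role, the role-to-role policy and the sample flow records are constructed for illustration. The Modbus function-code groupings follow the public Modbus application protocol specification (codes 1–4 read, codes 5, 6, 15, 16 and 23 write). The third sample flow reproduces the article's own scenario of a temperature sensor sending a control command to a PLC.

```python
"""Inventory- and policy-driven monitoring of OT network flows.

Added example for illustration only. The device inventory, the
communication policy and the sample flows below are all constructed;
none of them describe a real network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    role: str      # e.g. "plc", "sensor", "hmi", "engineering_ws"
    legacy: bool   # speaks a legacy protocol with no device-side authentication


@dataclass(frozen=True)
class Flow:
    src: str                       # source address (request initiator)
    dst: str                       # destination address
    proto: str                     # "modbus" or other
    function_code: Optional[int]   # Modbus function code, None if not Modbus


@dataclass(frozen=True)
class Finding:
    severity: str
    flow: Flow
    reason: str


# Step 1: the asset inventory (constructed addresses and names).
INVENTORY: Dict[str, Device] = {
    "10.0.1.10": Device("plc-feedpump-1", "plc", legacy=True),
    "10.0.1.21": Device("temp-sensor-3", "sensor", legacy=True),
    "10.0.1.50": Device("hmi-control-room", "hmi", legacy=False),
    "10.0.1.77": Device("eng-ws-1", "engineering_ws", legacy=False),
}

# Step 2: which role may initiate which kind of request to which role.
# A role pair absent from the policy is never allowed to talk at all;
# in particular a sensor is only ever polled and never initiates requests.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("hmi", "plc"): {"read", "write"},
    ("engineering_ws", "plc"): {"read", "write"},
    ("plc", "sensor"): {"read"},
}

# Modbus function codes grouped by what they do to the target device.
MODBUS_READ = {1, 2, 3, 4}
MODBUS_WRITE = {5, 6, 15, 16, 23}


def classify_modbus(function_code: Optional[int]) -> str:
    """Map a Modbus function code to a coarse action: read, write or other."""
    if function_code in MODBUS_READ:
        return "read"
    if function_code in MODBUS_WRITE:
        return "write"
    return "other"


def evaluate_flow(flow: Flow, inventory=INVENTORY, policy=POLICY) -> Optional[Finding]:
    """Step 3: check one observed request against inventory and policy."""
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    if src is None or dst is None:
        # Anything not in the inventory has no established identity:
        # a candidate for segmentation or quarantine rather than for trust.
        unknown = flow.src if src is None else flow.dst
        return Finding("high", flow, f"unknown device {unknown}: candidate for quarantine")

    action = classify_modbus(flow.function_code) if flow.proto == "modbus" else "other"
    allowed = policy.get((src.role, dst.role))
    if allowed is None:
        # Roles that should never communicate; a write makes it more serious.
        severity = "high" if action == "write" else "medium"
        return Finding(severity, flow,
                       f"{src.name} ({src.role}) is not permitted to talk to "
                       f"{dst.name} ({dst.role}); observed action={action}")
    if action not in allowed:
        return Finding("high", flow,
                       f"{src.name} ({src.role}) attempted {action} on "
                       f"{dst.name} ({dst.role}); allowed={sorted(allowed)}")
    return None


def monitor(flows: List[Flow], inventory=INVENTORY, policy=POLICY) -> List[Finding]:
    """Run every flow through evaluate_flow and keep only the violations."""
    results = (evaluate_flow(f, inventory, policy) for f in flows)
    return [r for r in results if r is not None]


# Constructed flow records, as a flow collector might summarise them.
SAMPLE_FLOWS = [
    Flow("10.0.1.50", "10.0.1.10", "modbus", 3),    # HMI reads holding registers: allowed
    Flow("10.0.1.10", "10.0.1.21", "modbus", 4),    # PLC polls the sensor: allowed
    Flow("10.0.1.21", "10.0.1.10", "modbus", 6),    # sensor writes a register on the PLC
    Flow("10.0.1.99", "10.0.1.10", "modbus", 16),   # address not in inventory writes to PLC
    Flow("10.0.1.77", "10.0.1.10", "modbus", 16),   # engineering workstation writes: allowed
]

if __name__ == "__main__":
    for finding in monitor(SAMPLE_FLOWS):
        print(f"[{finding.severity}] {finding.flow.src} -> {finding.flow.dst}: {finding.reason}")
```

Run as a script it reports two findings: the sensor-to-PLC write (a sensor role has no policy entry towards a PLC, and the action is a write) and the request from the address missing from the inventory. Note that the code only raises findings; in line with the point about availability below, what happens next (alert, segment, block) is a separate decision rather than an automatic action.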
These principles and techniques have been used in the IT industry for many years and are now being applied to the operational environment. We need to be mindful that the operational network has a greater focus on availability compared to the IT world at large and, as such, some techniques such as automatic remediation are often modified for utility companies.