Hackers preying on utilities

Experts say that it is not a matter of if, but when, a successful cyber-attack against a utility causes widespread physical damage.  There have been a growing number of published vulnerabilities against industrial control systems – over 150 new vulnerabilities were made public in the last year alone. More hacking incidents than ever are also being reported today – there were at least 245 globally against energy organisations in the last year, with many more going unreported.

There is no shortage of malicious individuals out there wanting to cause damage through a cyberattack – from terrorists, to nation-states, to hacktivists. Unfortunately, the methods to do exactly that are readily available on the internet. The risk is real, and the time to act is now, before these attacks make front-page news in the same way we’ve seen similar attacks against government, retail and healthcare industries in the headlines.





Unlike a retail company, where the risk of losing customer credit card data and personal information is the primary concern, cyber-attacks against utilities can easily become a safety issue and do more than just cause data loss; a successful cyberattack can cause actual physical harm to people. 

Attacks targeting industrial environments could potentially do things like turn off alarms and monitoring systems meant to notify operators about unsafe conditions, while reprogramming logic controllers to create dangerous situations such as opening a valve or changing a temperature setting. Given these risks, it is critical to go beyond protecting IT systems from cyberattacks and ensure the industrial control environment is also protected.

A recent survey by Tripwire of 400 executives and IT professionals in the energy, oil, gas, and utility industries found there is widespread agreement this threat is real. Ninety-four per cent of executives responding to the survey agreed their organisation is a target of cyber criminals, and 83 per cent of all respondents believed such an attack could cause serious physical damage.

But experts are also skeptical of some of the survey results. While the majority responding believed their organisation would detect an attack within 24 hours, most industry research shows that in reality cyber-attacks often take months to discover. Once discovered, the news isn’t much better. ICS-CERT, a team within the US Department of Homeland Security focused on industrial security, has found that in the majority of industrial incidents they respond to, the root cause of the incident is never determined due to a lack of monitoring of the affected systems prior to the event.

Utilities are now revisiting their security strategies in light of these risks. Executives looking for best practices and industry standards are finding several emerging options. IEC 62443 (formerly known as ISA 99) provides a series of guidance for bringing security controls to industrial systems that often lack those controls today. A newer industry group, the Industrial Internet Consortium (IIC), has also recently started a security working group to address these issues. In the US, NIST just last month published an updated guide to Industrial Control Systems Security – NIST SP-800-82 R2. Regardless of the acronyms and numbers, all of these standards ultimately prescribe the same three things – adding controls to protect critical systems from attack, putting monitoring in place to detect attacks, and having a plan and process to respond effectively when an attack happens.

Action is taking place in many organisations today. A wastewater treatment plant that came to the conclusion that it is at risk from cyberattacks – the same risk many utilities face – determined that it needs to adopt industry best practices and implement new security controls. This organisation took a first step by adopting parts of IEC 62443 and adding industrial network firewalls to its network. A power transmission and distribution firm recently added a security configuration management system to monitor change on critical systems; the goal of this step was to close the cyberattack detection gap and, in addition, prepare to comply with NERC regulations in its US subsidiary.

But is change happening fast enough? A major security incident might prove it’s not, but in many other industries a major breach acts as a major catalyst for change. Often these mega breaches force attention on security initiatives and shift the budget and resource priorities necessary to effectively implement these initiatives.

Organisations that are focused on staying ahead of the attacks are investing now in order to avoid being the name in the headlines when a major utility breach happens. While it’s impossible to predict just how soon an incident like that might come, those who wish harm on utilities don’t appear to be going away anytime soon, nor do the vulnerabilities of the critical systems targeted in these attacks.