
Utilities make a tempting target for cyber-criminals. David Higgins explains how suppliers can stay one step ahead of the hackers.

The energy and utilities sector is going through a period of significant change. An abundance of new entrants are leveraging innovative technology – including IoT sensors, smart meters and integrated cloud services – and in doing so disrupting the sector.

Established firms must evolve or they could be left behind. In the UK alone, eight energy companies have collapsed, and 56 new entrants have entered the market in the past year.

As a result, many established suppliers are investing in modern, agile operational approaches and seeking rapidly to incorporate digital technologies into power grids and throughout their supply chains.

This approach also requires modern, proactive cyber-security because many cyber-criminals are targeting these innovations to undermine their benefits.

Target: utilities

The energy and utilities sector is particularly alluring because it’s an integral part of national critical infrastructure. Well-resourced criminal groups seeking financial gain, nation states looking to cause harm or disruption, and even amateurs looking to test their hacking techniques often target it for these reasons.

Against this backdrop, it is alarming that 45 per cent of organisations in the energy sector believe they cannot prevent attackers from breaking into their internal networks every time they try, according to CyberArk’s recent Advanced Global Threat Landscape study.

Many still rely on old “air-gapping” techniques to secure their networks: industrial control systems, for example, are often physically isolated from corporate IT networks and the internet on the assumption that the isolation alone protects them from attack.

Air gaps have proven insufficient in the past, however. In 2010, the Stuxnet malware was discovered to have crossed an air gap (it spread via infected USB drives) and to have damaged nearly a fifth of Iran’s uranium-enrichment centrifuges, causing significant setbacks. Stuxnet is widely reported to have been developed by the US and Israel to cripple the Iranian nuclear programme, and its code and techniques have since been studied and reused by other attackers. Crossing an air-gapped boundary is well within the capabilities of advanced attackers, and an air gap is only as strong as the removable-media, remote-maintenance and vendor-laptop controls around it.

Critically important

Given the critical nature of power grids and utility infrastructure, operational systems in this sector must be able to survive a cyber-incident while sustaining critical functions. Real-time operations are imperative, and any downtime must be avoided at all costs.

Hackers looking to cause large-scale disruption often aim to bring down the power grid and its associated operational systems by attacking the reliability and availability on which utilities’ infrastructure depends. They do so in part by gaining control of privileged accounts, those with access to and control over sensitive data or critical systems. These accounts unlock assets such as operator and engineering workstations that run automated processes, maintain systems, modify process parameters and store historical process data.

Malicious intent

Used maliciously, these accounts grant unauthorised access to IT and OT systems and can be used to cause irreparable damage. In 2018 the US Department of Justice indicted Russian military intelligence (GRU) officers on hacking-related charges that included an alleged spear-phishing campaign to steal the login credentials of Westinghouse Electric employees involved in nuclear reactor development. Had it succeeded, the attack could have had serious consequences, because sensitive information pertaining to national security could have fallen into the wrong hands.

According to our research, an overwhelming 82 per cent of energy/utilities organisations agree that they won’t be fully protected until the privileged accounts that are part of the control systems are secure. Companies must proactively secure, control and monitor their use to reduce the risk of costly, disruptive damage to infrastructure.

Energy and utilities organisations seeking to proactively reduce the risk attackers pose to privileged access must first identify the potential weaknesses and vulnerabilities in their existing approach to securing this pathway. That means identifying the credentials, information and secrets associated with their most important privileged accounts, and how they might be at risk.

Once this has been done, a “clean up” of these weaknesses and potential vulnerabilities can be undertaken, with security and management controls put in place to prevent the escalation and abuse of privilege.

However, this can’t be a one-off task – organisations must ensure continuous reassessment and improvement in privileged access hygiene to address the constantly changing threat environment.
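As an added example (not from the article, and not CyberArk’s own tooling), the script below implements the “identify, then clean up, then reassess” cycle just described as a repeatable hygiene check. It runs over a constructed inventory of privileged accounts and a constructed configuration fragment, flagging shared accounts with no accountable owner, stale credentials, interactive privileged logins without MFA, credentials not held in a vault, and secrets embedded in config files. The account fields, the 90-day rotation threshold, the list of secret-bearing config keys and the reference date are all assumptions chosen for illustration; a real run would read the inventory from the organisation’s directory, vault and asset records.

```python
"""Privileged-access hygiene audit (added example; inventory and policy are constructed)."""
import re
from datetime import date

# Constructed inventory of privileged accounts. Not real data.
ACCOUNTS = [
    {"name": "operator-hmi", "system": "SCADA-HMI-01", "kind": "shared",
     "owner": None, "rotated": date(2018, 1, 15), "mfa": False, "vaulted": False},
    {"name": "svc-historian", "system": "HIST-DB", "kind": "service",
     "owner": "ot-team", "rotated": date(2018, 9, 1), "mfa": False, "vaulted": True},
    {"name": "jsmith-adm", "system": "AD-DOMAIN", "kind": "personal",
     "owner": "jsmith", "rotated": date(2018, 10, 20), "mfa": True, "vaulted": True},
    {"name": "root", "system": "RTU-GW-07", "kind": "shared",
     "owner": "field-ops", "rotated": date(2016, 5, 3), "mfa": False, "vaulted": False},
]

# Constructed configuration fragment with embedded credentials (assumed, not real).
CONFIG_TEXT = """\
[historian]
host = hist-db.internal
user = svc-historian
password = Summer2018!
[vendor-remote]
api_key = AKIAEXAMPLE0000000001
timeout = 30
"""

AUDIT_DATE = date(2018, 11, 1)    # assumed reference date for credential age
MAX_PASSWORD_AGE_DAYS = 90        # assumed rotation policy
# Config keys that commonly carry secrets; the list is an assumption, extend as needed.
SECRET_PATTERN = re.compile(
    r"^\s*(password|passwd|api_key|secret|token)\s*=\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def audit_accounts(accounts, today=AUDIT_DATE):
    """Return (account, issue) findings for every hygiene rule an account violates."""
    findings = []
    for acct in accounts:
        age_days = (today - acct["rotated"]).days
        if acct["kind"] == "shared" and not acct["owner"]:
            findings.append((acct["name"], "shared account has no accountable owner"))
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct["name"], f"credential not rotated for {age_days} days"))
        # Service accounts authenticate non-interactively, so MFA applies to people only.
        if acct["kind"] != "service" and not acct["mfa"]:
            findings.append((acct["name"], "interactive privileged login without MFA"))
        if not acct["vaulted"]:
            findings.append((acct["name"], "credential not under vault management"))
    return findings


def find_embedded_secrets(text):
    """Return (key, redacted value) pairs so the audit report itself does not leak secrets."""
    hits = []
    for match in SECRET_PATTERN.finditer(text):
        key, value = match.group(1), match.group(2)
        hits.append((key, value[:2] + "*" * (len(value) - 2)))
    return hits


def run_audit():
    """One audit pass; rerun it on a schedule so hygiene is reassessed, not checked once."""
    return {"accounts": audit_accounts(ACCOUNTS), "secrets": find_embedded_secrets(CONFIG_TEXT)}


if __name__ == "__main__":
    report = run_audit()
    for name, issue in report["accounts"]:
        print(f"{name}: {issue}")
    for key, redacted in report["secrets"]:
        print(f"embedded secret in config: {key} = {redacted}")
```

Each finding maps to a clean-up action (assign an owner, rotate and vault the credential, enforce MFA, move the secret out of the file), and keeping the checks in code means the same pass can be scheduled rather than treated as a one-off.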

The unique nature of organisations in the energy and utilities sector, which comprises many public and private providers, presents cyber-security decision-makers with challenges that are not faced in most of the rest of the business world.

Irreparable damage

As cyber-risks have proliferated, government and the private sector have increased spending on cyber-security operations and maintenance, understanding the irreparable damage such attacks can cause.

The widespread implementation of the appropriate cyber-security techniques, however, is still some way off. By implementing privileged access management policies as part of a larger zero trust approach, firms in the utilities and energy sector can mitigate the risk of malware spreading from its initial infection point while maintaining the integrity of their crucial operating systems.