In this blog, we review the critical role and strategies of cybersecurity for utilities. We’ll cover how aging infrastructures, remote assets, and ransomware threats highlight the importance of robust cybersecurity measures to safeguard public safety and prevent data breaches or system outages.
Cybersecurity for utilities, particularly in the water and wastewater sectors, is crucial because even a relatively minor breach can expose sensitive data or result in system outages that could threaten public safety. If an attacker can compromise a water or wastewater system, they can effectively hold the municipality hostage because they know how integral these services are for many towns and cities.
The threat landscape has become even more complex in recent years. For instance, attacker groups have been offering ransomware-as-a-service packages, which enable very novice attackers to target sensitive infrastructure, both private and public. Given the increase in attacks from a combination of experienced and new attackers, utilities need to be on high alert.
The Crucial Role of Cybersecurity in Utilities
Aging infrastructure tops the list of utility assets threat actors love to target. Older infrastructure may have been well-built and, therefore, resilient to failure for decades. But this can be a double-edged sword.
Older systems often depend on outdated computing systems. In many cases, hackers have already discovered ways of penetrating these systems’ infrastructures. Since the manufacturer has stopped providing updates, utilities that use them are slow-moving targets for cyber thugs.
Remote assets and those out in the open present additional challenges requiring a robust cybersecurity system. For example, a hacker could intercept the data of an asset that isn’t under your roof, such as a smart water meter, leading to inefficient operations and total system failure.
For instance, if an attacker could position a man-in-the-middle device between a smart water meter and the system that processes its data, they could:
- Steal customer data
- Provide false information to system administrators
- Block system-critical messages, such as those about leaks or water quality sensors
For example, suppose a malicious group wanted to poison the water source of a specific city. By intercepting data from a water quality sensor, hackers could prevent the utility from detecting the attack before it poisons customer water supplies.
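Two of the outcomes listed above, false readings and blocked messages, can be detected by the receiving system if every message carries a per-device MAC and a sequence number. The sketch below is an added example, not code from the original post; the class, field names, key and sample traffic are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json

def sign(key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the message."""
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class TelemetryVerifier:
    """Head-end checks for one device (hypothetical design, not a vendor API)."""

    def __init__(self, key: bytes, max_silence_s: int):
        self.key, self.max_silence_s = key, max_silence_s
        self.last_seq = self.last_ts = None

    def check(self, msg: dict, tag: str) -> str:
        if not hmac.compare_digest(sign(self.key, msg), tag):
            return "bad_mac"  # reading altered or forged in transit
        if self.last_seq is not None and msg["seq"] <= self.last_seq:
            return "replay"  # old message re-sent to mask current state
        gap = None if self.last_seq is None else (self.last_seq + 1, msg["seq"] - 1)
        self.last_seq, self.last_ts = msg["seq"], msg["ts"]
        if gap and gap[0] <= gap[1]:
            return f"missing:{gap[0]}-{gap[1]}"  # messages never arrived
        return "ok"

    def silent(self, now: int) -> bool:
        """True when the device has been quiet longer than allowed."""
        return self.last_ts is not None and now - self.last_ts > self.max_silence_s

def demo():
    key = b"constructed-demo-key"  # assumption: per-device key provisioned on the meter
    # Constructed sample traffic: a water-quality sensor reporting every 60 s.
    sent = [{"id": "wq-01", "seq": s, "ts": 1000 + 60 * s, "chlorine_mg_l": 1.2}
            for s in range(1, 5)]
    tags = [sign(key, m) for m in sent]
    tampered = dict(sent[1], chlorine_mg_l=1.1)  # seq 2 modified after signing
    v = TelemetryVerifier(key, max_silence_s=300)
    results = [
        v.check(sent[0], tags[0]),   # seq 1 arrives intact
        v.check(tampered, tags[1]),  # seq 2 altered on the wire
        # seq 3 (say, a leak alarm) is dropped and never arrives
        v.check(sent[3], tags[3]),   # seq 4 arrives: gap covers 2 and 3
        v.check(sent[0], tags[0]),   # seq 1 replayed
    ]
    return results, v.silent(now=1240 + 301), v.silent(now=1300)

if __name__ == "__main__":
    print(demo())
```

A MAC detects tampering but does not hide the readings, so protecting customer data on the same link still requires encryption in transit.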
Considering such high stakes, let’s examine the most at-risk victims and the nature of the threats that may impact our water systems.
Understanding the Threat Landscape
The Texas town of Hale Center was hit with a series of cyberattacks by several threat actors, some with Russian IP addresses. The hackers had targeted the town’s water supply system, but fortunately, cyber defenses prevented any significant fallout. For some, the Hale Center attack would come as a surprise, especially because the town only has 2,000 residents. But no municipality is off an attacker’s radar.
For example, in another Texas town, Muleshoe, hackers gained control of the water system and caused the tank to overflow.
The Texas attacks highlight a persistent threat: state-sponsored hackers. These get the support of another country whose officials are willing to look the other way as the attackers destabilize American infrastructure. The FBI is currently investigating the Texas breaches, and Iran, China and Russia lead the list of countries where attackers may be launching their assaults.
Regular cybercriminals are also a constant threat. These often try to penetrate utility systems to:
- Establish bragging rights and build their portfolio of successful water cyberattacks
- Develop and test threat packages they can sell to other hackers, including state-sponsored attackers
- Steal customer information that they can sell on the dark web to identity thieves
The water sector faces unique challenges when dealing with these and other attackers. Unlike the financial and health sectors, the water industry doesn’t have reams of preventative legislation to which providers — and those they connect with — must adhere. This makes it easier for attackers to penetrate systems simply because defense mechanisms may vary widely from one utility to another.
Now that we have pinpointed the risks, it’s time to dive into utility cybersecurity solutions that industry leaders can implement to safeguard their systems and the communities they serve.
Strategies for Enhancing Utility Cybersecurity
You can prevent a cyber attack on water systems in your area by taking a proactive approach. Here’s how you can improve utility cybersecurity at a high level.
Commit to Strengthening Your Defenses
This is your most immediate step and involves making key stakeholders aware of the dangers and the benefits of being a step ahead of threat actors. Be sure to emphasize how stronger cybersecurity will make it easier for them to do their jobs, assure voter or stakeholder confidence, or enjoy life with less risk.
For example, the management team of a water utility may be reluctant to undertake a cybersecurity improvement project due to the time and cost involved. To get everyone on the same page, you could outline the effects of a forced outage due to a cyberattack, including the time it would take to mitigate the issue.
Strategize for the Long Term
A long-term investment in cybersecurity measures makes scaling or adjusting your strategy easier as the landscape changes. While a one-off investment may get you a few tools that can help, incorporating cyber defense in your long-term budget will give you access to resources for several years.
For instance, by using a managed security services provider, you get ongoing monitoring, detection, and response services. You also get your own virtual CISO (VCISO), who can continually adjust your security strategy.
Collaborate With Regulatory Bodies and Industry Partners
Others in your industry and regulatory bodies have a vested interest in the cyber safety and resiliency of the water system and other utilities. By bringing several of them to the table, you create a groundswell of support. To build your support network, you could:
- Host and sponsor a webinar about cybersecurity for water and other utilities.
- Start an email newsletter that raises awareness around cyber threats and ways to mitigate them.
- Sponsor a booth at a trade show or industry conference and give out literature, QR codes, and links featuring content around combatting cybersecurity threats in the energy sector and water industry.
While these strategies can serve as the foundation of your cybersecurity approach, you can take specific actions right now to bolster your utility’s defenses.
Actionable Steps for Utility Leaders
Protecting your utility centers in line with the specific risks you face is one actionable step to take. Other proactive steps include limiting who has access to your systems, knowing what these individuals with access do once inside, and developing the right incident response plan.
You can also conduct comprehensive risk assessments. For a utility, as part of your risk assessment, you should:
- Make a list of all the assets you control electronically, whether or not they connect to the internet, an intranet, an internal server, or a single control interface.
- Identify all your internet-facing components, as hackers often look for open ports to implant malware.
- List the different kinds of breaches you may face based on your potential vulnerabilities.
- Calculate the cost of each kind of breach, including the impact of downtime and liabilities associated with exposed customer data.
- Assess the capabilities of your current cybersecurity infrastructure (while there will likely be weak points, you may have some useful tools in place already — for instance, a next-generation firewall protecting a cloud-based management system).
If you’re comfortable with your IT system, you can take these measures on your own. But if you lack the background or time, you can have your IT team or a security expert handle it. Regardless of who handles each task, by taking the above steps, you can significantly reduce your vulnerabilities to cyberattacks against utilities. But the work doesn’t stop here.
Future-Proofing Cybersecurity for Utilities
The key to protecting your utility from threats in the long run is to embrace new technologies and innovative solutions. This applies to both your cybersecurity measures and the tools you use to run your operations. Developers are constantly working to reduce the threat exposure of their clients, so by getting the latest and greatest tech, you can benefit from stronger defenses.
But technology and strategy can only take you so far; you also need to foster a culture of cybersecurity awareness. Educate your staff about the different kinds of cyberattacks and what they look like. Teach them what to do if they suspect an attack and who to contact. This not only gives them the knowledge they need to keep assets safe but also instills in them the peace of mind and confidence they need to do their jobs without stressing out about becoming the next vulnerability.
Finally, if you haven’t already subscribed to content about the evolving threat landscape, now would be a great time to start. You can learn about the newest dangers and best practices to avoid them.
Protect Your Utility From Attackers
There’s a lot on the line for a utility threatened by a cyber attack. The public depends on reliable, safe services, and the operations of businesses, schools, and other institutions hinge on consistent, clean water. For this reason, it’s important to be vigilant and willing to adapt to stay ahead of threat actors.
You know you need to protect utilities infrastructure by prioritizing cybersecurity. But do you know where to start? Our Cybersecurity team is ready to help you focus on everything from strategy development to penetration testing.