Attacks on critical infrastructure pose a threat to national security. Here’s how to beef up your defenses.
This year, one of the largest electric utility watchdogs in the U.S. issued a troubling assessment. In its annual State of Reliability report, the North American Electric Reliability Corporation (NERC) warned that "geopolitical events, new vulnerabilities, changes in technology, and increasingly bold criminals and hacktivists" had presented serious challenges to the industry in 2021.
Those cybersecurity challenges have not abated. In a recent article about Russian cyberwar targets, one energy company said it had experienced a 40% increase in malicious cyber activity. Other utility companies are now spending precious dollars, not to upgrade their technology, but to pay off ransomware attackers. The same article notes that ransomware activity targeting power companies increased by 170% from 2019 to 2020—and the attacks continue to rise.
But cybercriminals are not always after money. Increasingly, nation-state-backed threat actors are looking to inflict societal damage. These hackers, whether based in Russia, China, North Korea, Iran, or elsewhere, want to make adversaries’ citizens feel vulnerable. They want everyday people to live in fear that one day their local electric, gas, or water utilities might leave them without critical services.
Nation states may also target small utilities for more strategic reasons. Last year, attackers traced to Hong Kong chose small utility targets because of their proximity to major federal dams and transmission lines, navigational locks crucial to steel mill imports, and grid-scale energy-distribution hubs.
Bound by regulators
Even though potential attacks on a nation’s largest utilities garner the most attention, attacks on even the smallest utilities clearly pose a serious threat to U.S. national security. The Biden administration recognized as much when it issued an executive order in April 2021 aimed at securing critical infrastructure from these destabilizing cyberattacks.
But small utilities are in a tough spot. On the one hand, they clearly see the need to make major IT improvements to prevent breaches. On the other hand, being public utilities, they are tightly regulated, especially when it comes to the rates they can charge the public to deliver services.
Securing any organization against hacks costs money. But small utilities often lack the budget to protect themselves and the customers—homes, schools, hospitals, municipal services, and businesses—they serve.
As a result, these utilities must often contend with technology that is too old to run or integrate with modern security tooling, a persistent lack of trained cybersecurity professionals, and IT staff who must wear many hats.
Municipally owned utilities and rural cooperatives are at yet another disadvantage: unlike large utilities, they operate beyond the oversight and protection of NERC, which monitors bulk power system owners, operators, and users and provides them with access to important resources and information.
Despite having the cards stacked against them, many smaller utilities are finding ways to digitize their operations, adopting technologies like smart metering, online payment portals, and cloud computing platforms to modernize how they run and to meet the needs of 21st-century customers.
Two steps forward can cause one step back
The bad news is that modernization also enlarges the attack surface. Every newly connected system is one more thing an attacker can reach, and a utility that adopts more sophisticated systems is more likely to draw the attention of threat actors. As soon as a utility gets its employees and customers online, incidents of phishing, ransomware, and denial-of-service attacks follow.
Cybercriminals that focus on small utilities know the intricacies of that market, including employee and customer behavior patterns, and use that knowledge to penetrate security systems. The more they know about how companies in that sector operate, the more they are able to move laterally across the breached network.
Lateral movement lets an attacker who has gained a foothold on a single endpoint, perhaps when a utility employee falls for a phishing email, move on to other targets inside the utility's environment. Once inside one machine, the attacker harvests whatever credentials it holds: cached passwords and password hashes, saved browser logins, access tokens, and SSH or VPN keys. Those credentials open other applications and endpoints, which yield still more credentials, and the attacker works from device to device until it reaches something worth holding hostage. From there it can deploy ransomware, exfiltrate customer records, or, if the business network is not separated from operational technology, reach the controllers and sensors that run physical equipment and cause real damage to machinery.
Build defenses brick by brick
Small utilities can take a few steps to prevent or minimize lateral movement. First, since the technique depends on the permissions attached to the accounts an attacker captures, one of the best practices is to limit those permissions by giving users only what they need to do their jobs. Restricting access to other users, groups, and endpoints makes it that much harder for hackers to move around. These may be small steps, but they are within reach for most utilities.
More ambitious measures include installing new servers and security software, training workers, or setting up a security operations center. These steps, of course, could cost millions of dollars and, if you’re a rural utility serving communities that can’t afford more expensive energy bills, they will be a heavy lift. Some state-funded agencies provide cybersecurity training at low or no cost, but most experts agree that more federal aid is needed to bring smaller operations up to speed.
With more federal support, small utilities could begin instituting multiple lines of defense, starting with basic identity and access management for shared applications and networks, backed by multifactor authentication.
Personally, I am a big believer in the zero-trust model of network access. Zero trust means that no endpoint or user is trusted by default: every request is authenticated and authorized before access is granted. It also requires granting least-privileged access based on who is making the request, the context of the request (the device, the network it arrives from, the time), and the risk level of the environment.
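To make the two preceding ideas concrete, here is a small access-decision function in the zero-trust style: an explicit role grant is required for any action (least privilege), and the request's context decides whether it is allowed outright, challenged for a second factor, or denied. This is an added example, not code from the article or from any utility's systems; the role names, resource names, sensitivity tiers and network labels are hypothetical.

```python
"""Zero-trust style access decision for a small utility.

Added example, not code from the article: the role names, resource
names and network labels are hypothetical.  A request is denied unless
(1) a role explicitly grants the action (least privilege) and (2) the
context of the request (device, network, MFA) is acceptable for the
sensitivity of the resource.
"""
from dataclasses import dataclass

# Hypothetical least-privilege grants: role -> resource -> allowed actions.
ROLE_PERMISSIONS = {
    "billing-clerk": {"billing-portal": {"read", "write"}},
    "meter-tech":    {"ami-headend": {"read"}, "billing-portal": {"read"}},
    "ot-engineer":   {"scada-hmi": {"read", "write"}, "ami-headend": {"read", "write"}},
}

# Hypothetical sensitivity tiers; anything not listed is denied by default.
RESOURCE_TIER = {
    "billing-portal": "business",
    "ami-headend": "sensitive",
    "scada-hmi": "ot",
}

# Networks from which OT systems may be reached at all.
OT_REACHABLE_FROM = {"corp", "ot"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: tuple            # roles assigned to the identity
    resource: str
    action: str             # "read" or "write"
    device_managed: bool    # endpoint enrolled in management/EDR
    mfa_verified: bool      # strong second factor presented this session
    source_network: str     # "corp", "ot", "vpn" or "internet"


def evaluate(req: AccessRequest):
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # 1. Least privilege: an explicit grant is required; no grant means deny.
    granted = any(
        req.action in ROLE_PERMISSIONS.get(role, {}).get(req.resource, set())
        for role in req.roles
    )
    if not granted:
        return "deny", f"no role grants {req.action} on {req.resource}"

    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        return "deny", f"unknown resource {req.resource}"

    # 2. Context: the request must come from an acceptable place and device.
    if tier == "ot":
        if req.source_network not in OT_REACHABLE_FROM:
            return "deny", f"OT resources are not reachable from {req.source_network}"
        if not req.device_managed:
            return "deny", "OT access requires a managed device"
    elif tier == "sensitive" and not req.device_managed:
        return "deny", "sensitive systems require a managed device"
    if req.source_network == "internet" and req.action == "write":
        return "deny", "writes are not permitted from the internet"

    # 3. Risk: MFA is mandatory off the corporate network and for anything
    #    above the business tier.  An otherwise-valid request without it
    #    gets a step-up challenge rather than a silent allow or deny.
    needs_mfa = tier != "business" or req.source_network != "corp"
    if needs_mfa and not req.mfa_verified:
        return "step_up", "multifactor authentication required"

    return "allow", f"{req.action} on {req.resource} permitted for {req.user}"


if __name__ == "__main__":
    # A billing clerk reading the portal from the office: allowed as-is.
    print(evaluate(AccessRequest("alice", ("billing-clerk",), "billing-portal",
                                 "read", False, False, "corp")))
    # The same clerk trying to write to the SCADA HMI: no grant, denied.
    print(evaluate(AccessRequest("alice", ("billing-clerk",), "scada-hmi",
                                 "write", True, True, "corp")))
    # An OT engineer with a managed device and MFA, but over the VPN: denied.
    print(evaluate(AccessRequest("bob", ("ot-engineer",), "scada-hmi",
                                 "write", True, True, "vpn")))
```

The order of checks matters: the grant check comes first so that the reason string never leaks whether a resource exists to an identity that has no business asking, and the step-up outcome is only reachable once every hard requirement has passed, so a missing second factor never overrides a device or network denial.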
In general, small utilities will be well served to practice the basics of good IT and cybersecurity hygiene. That begins with identifying, inventorying, and monitoring everything on the network: laptops, PCs, tablets, servers, and virtual machines in the cloud. By regularly monitoring these endpoints, in real time all the time, even the smallest of small utilities can go a long way toward being able to quickly detect—and stop—potential vulnerabilities and active threats.
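Monitoring every endpoint only pays off if something looks at the telemetry for the pattern described earlier: one account reaching many machines over the network in a short time. The following is an added example, not code from the article, of that one heuristic run over constructed logon records. The records are a simplified rendering of Windows Security event 4624 as a collector might forward them; the host names, account names, addresses and timestamps are invented.

```python
"""Spot lateral-movement 'fan-out' in logon telemetry.

Added example, not code from the article.  The records below are a
constructed, simplified rendering of Windows Security event 4624
(successful logon) as an endpoint agent or log collector might forward
them: timestamp, destination host, account, logon type, source address.
Logon type 3 is a network logon (SMB, WMI, PsExec-style), type 10 is
RDP; type 2 is a local console logon and is ignored here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_LOGON_TYPES = {3, 10}

# Constructed sample: an account that normally works on one billing
# workstation suddenly reaches five machines in four minutes from one IP.
SAMPLE_EVENTS = [
    ("2022-03-04T09:00:05", "WS-BILLING01", "jdoe", 2, "-"),
    ("2022-03-04T09:14:10", "FS-SCADA-HIST", "svc-backup", 3, "10.0.5.20"),
    ("2022-03-04T21:02:11", "WS-BILLING01", "jdoe", 10, "10.0.9.77"),
    ("2022-03-04T21:03:40", "WS-BILLING02", "jdoe", 3, "10.0.9.77"),
    ("2022-03-04T21:04:02", "WS-METERING", "jdoe", 3, "10.0.9.77"),
    ("2022-03-04T21:05:15", "FS-SCADA-HIST", "jdoe", 3, "10.0.9.77"),
    ("2022-03-04T21:06:30", "DC01", "jdoe", 3, "10.0.9.77"),
]


def parse_events(rows):
    """Turn raw tuples into (datetime, host, account, logon_type, source)."""
    return [(datetime.fromisoformat(ts), host, acct, int(ltype), src)
            for ts, host, acct, ltype, src in rows]


def find_fan_out(events, window=timedelta(minutes=10), min_hosts=4,
                 exclude=frozenset()):
    """Return {account: details} for every account that logged on over the
    network to at least `min_hosts` distinct hosts within any `window`.

    `exclude` holds accounts with a known reason to touch many hosts
    (vulnerability scanners, backup service accounts) so they do not
    drown the alert; such accounts still deserve their own baseline.
    """
    by_account = defaultdict(list)
    for ts, host, acct, ltype, src in sorted(events, key=lambda e: e[0]):
        if ltype in LATERAL_LOGON_TYPES and acct not in exclude:
            by_account[acct].append((ts, host, src))

    alerts = {}
    for acct, rows in by_account.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            hosts = {h for _, h, _ in span}
            if len(hosts) >= min_hosts:
                alerts[acct] = {
                    "hosts": sorted(hosts),
                    "sources": sorted({s for _, _, s in span}),
                    "first": span[0][0].isoformat(),
                    "last": span[-1][0].isoformat(),
                }
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for acct, info in find_fan_out(parse_events(SAMPLE_EVENTS)).items():
        print(f"{acct}: {len(info['hosts'])} hosts from {info['sources']} "
              f"between {info['first']} and {info['last']}: {info['hosts']}")
```

With the defaults the script flags `jdoe` as soon as the fourth distinct host is reached, and the service account that touched a single file server is left alone. The threshold and window are the knobs a small IT team would tune against its own baseline; lowering `min_hosts` catches quieter attackers at the cost of more tickets, and the `exclude` set is where known scanners and backup accounts go rather than being silently ignored.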