Utilities are adopting IoT, utilizing cellular networks to connect remote areas, digitizing their operations, and like every other organization accepting remote work of employees as a reality. As utilities are modernizing, they are becoming more vulnerable to cyber-attacks.
On 12th October, 2020, a grid failure in Mumbai resulted in a massive power outage, stopping trains on tracks and bringing the city to a grinding halt, amidst the COVID-19 pandemic and hitting the economic activity hard. Probes indicated that the blackout could have occurred due to unidentified foreign agencies hacking the city’s electrical infrastructure.
Cyber-attacks, including nation-state attacks on energy infrastructure, are escalating. Governments are rising to meet the challenge and mandates to address the problem are on the rise. Advanced technology ensures more efficiency, but utilities need to navigate new technology integration keeping in mind security issues and regulatory compliance. Utilities understand the gravity of the situation and give cyber security the priority it deserves in every business discussion.
There has been a massive increase across the board in cyber attacks in the past year targeting the industrial sector. Adversaries are on the lookout for opportunities involving virtual networks, employee portals, and the proliferating scope of unsecured end-points at the operations side of the business at utilities. ICS (industrial control systems) also known as OT (operations technology) used for controlling and monitoring industrial processes in utilities were designed to be rugged, accessible, and always on, with minimal user maintenance operating in a trusted environment. Moreover, the myth that the ICS or OT network is air-gapped/isolated from the internet and therefore there is not exposed to cyber risks is now busted. As utilities have increasingly adopted digital technologies to improve efficiency and reliability, just not the companies but governments also now suddenly looking at cyber-threats more seriously as serious breaches globally are being reported.
As Mr. Chandan Pradhan, Regional Manager at Trisim Global Solutions, a start-up advising and deploying Cyber Security solutions for both IT and OT networks, said “the increasingly open and complex architecture of utilities has dramatically increased security risks which require more visibility, Also, we need to keep in mind that the networks are as secure as the weakest link in the network which in case of utilities may be HMIs and engineering workstations running legacy operating systems and platforms. To stay ahead of the latest threats affecting critical infrastructure, improving cybersecurity defenses of operational technology (OT) is an immediate need and it is a continuous journey and lapses may lead to reduced system performance and even total operational disruption. Ransom payment, fines for non-compliance may be crippling.”
The cyber-attack surface now includes Industrial Internet-of-Things (IIoT) devices for metering at nearly every building in a utility’s service area, along with many substations that may be unmanned and running autonomously. Along with tamper-proof designs of smart meters, video surveillance for substations, and proper cyber security planning and deploying, trained resources are required to reduce risks to stay on top of potential vulnerabilities affecting assets, operations, and processes. The need for trained cyber security professionals at utilities will increase and the organizations need to beef up recruitment processes to hire expensive and scarce talent in this space.
The sources of attacks may be simply disgruntled OT or IT System Insider using stolen passwords to just hurt the last organization to more sophisticated and planned ransomware attacks wiping hard disks or shutting down entire plants. A nation-state grade attacker may target and break the PKI encryption system where consequences may be equipment damage, lost production, risk to public safety risks, and even possible loss of life.
In the discussion with Trisim Global Solutions, Mr. Sourish Dey, Director, commented that sooner or later utilities in India need to start reaping the benefits of cloud computing and storage as it is more secure while being greener and often more cost-effective if designed properly. Mr. Dey said “Interpretation of regulation and accounting rules which favor CAPEX investments often decide in favor of on-premises systems despite cloud being more secure. At least the customer side of things like billing should make use of the cloud.” As it stands now with widening on-premises IT and OT systems and parallelly ever-escalating attacks Mr. Dey advised that “deploying threat detection and asset visibility solutions as in most cases budget issues restrict bringing entire infrastructure to up-to-date to new security frameworks and standards. But the important factor is that solutions that work for corporate networks are inadequate for OT networks. Leading cyber security companies are partnering with niche organizations to design effective solutions that understand complexities of OT networks.”