A Guide to Safely Keeping the Lights On and Gas Running

Oct. 27, 2022
What we must understand about internal cyber threats in the utility industry

The services that make up the energy and utility sectors are vital to America’s function and progress. Virtually every aspect of daily life is reliant on the uninterrupted availability and flow of utility sources, whether it’s electricity, water, or gas.

At the same time, this reliance makes the sector a prime target for malicious actors and cybercriminals looking to exploit how much depends on an uninterrupted supply. Even a small cyber error can have vast functional ripple effects across society.

Attacks from both insiders and outsiders have turned more insidious. A survey of about 1,700 utility-industry respondents found that 56 percent had experienced data loss or at least one operational shutdown due to cyberattacks in the preceding 12 months.

Attackers increasingly target operational technology (OT) rather than information technology (IT) alone, because gaining control of power plants, substations, and transmission and distribution networks disrupts service directly. The consequences of an OT compromise go beyond data loss to power outages, personal injury, and financial and environmental damage, blurring the line between cyber and physical attacks.

Companies that do not sufficiently prepare to counter growing cyber threats face mounting risks, and the consequences can be devastating. Not only do these attacks cause major service disruptions, they also put lives on the line: close to 2.9 million people depend on electrically powered medical and assistive equipment, and those people are at significant risk in a wide power outage.

Identifying the Threats

Who is most likely to conduct these cyberattacks? According to one analysis of the most prominent cyber threats to the U.S. electric power sector, employees inside the organization were the actors with the greatest negative impact on an organization. These "insiders" had the highest impact in terms of destruction of critical infrastructure, reputational damage, threats to life and safety, and regulatory failure.

Utility companies have become more susceptible to cyberattacks at both the information technology and the operational technology level. While security teams in utilities are aware of the threats, lack of funding, understaffing, and regulatory hurdles have made it difficult to update security measures on legacy infrastructure. Companies often end up connecting new operational technology to existing IT infrastructure that was designed without security in mind. As a result, a utility can be one weak password away from a catastrophic breach.

Last year’s Colonial Pipeline attack, one of the most publicized cyberattacks to date, began with a single compromised password for a legacy VPN account that was no longer in active use and was not protected by multi-factor authentication. The resulting shutdown caused fuel shortages across the East Coast, which draws roughly 45% of its fuel supply from the pipeline.
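The failure pattern behind "one weak password": a dormant account that can still authenticate remotely, with no second factor, and nobody watching for it. The script below is an added example written for this page, not code from the original article or from ClearForce, and it runs entirely on constructed data: a hypothetical account inventory and a handful of made-up VPN log lines in an invented format. It flags every successful remote login that lands on a departed employee's account, on an account that had been dormant, on an account unknown to the inventory, or that used a password alone, and it lists inventory entries that should simply be disabled.

```python
from datetime import datetime, timedelta

# Constructed account inventory (hypothetical, not real data). "left" is the
# separation date for departed staff, None for current staff; "last_login" is
# the last successful VPN login known before the log window below.
ACCOUNTS = {
    "jdoe":    {"left": None,         "mfa_enrolled": True,  "last_login": "2021-03-30"},
    "rsmith":  {"left": "2021-01-15", "mfa_enrolled": False, "last_login": "2021-01-10"},  # departed, never disabled
    "legacy1": {"left": None,         "mfa_enrolled": False, "last_login": "2021-04-20"},  # shared legacy VPN profile
}

# Constructed VPN log in an invented format: "<time> <user> <source ip> <result> <factors>"
SAMPLE_LOG = """\
2021-04-01T08:02:11Z jdoe 198.51.100.7 SUCCESS password+otp
2021-04-02T09:15:44Z rsmith 203.0.113.9 FAILURE password
2021-04-29T03:41:02Z rsmith 203.0.113.9 SUCCESS password
2021-04-29T04:10:30Z legacy1 203.0.113.9 SUCCESS password
2021-04-29T05:00:00Z ghost 203.0.113.9 SUCCESS password
2021-04-30T07:55:19Z jdoe 198.51.100.7 SUCCESS password+otp
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result, factors = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "success": result == "SUCCESS",
            # a single factor name means password-only; "password+otp" means MFA was used
            "mfa": "+" in factors,
        })
    return events


def audit(accounts, events, dormant_days=60):
    """Return (timestamp, user, src, reasons) for every successful login that
    matches a risk pattern. Dormancy is measured from the previous successful
    login, seeded from the inventory and then updated from the log itself."""
    last_ok = {u: datetime.strptime(a["last_login"], "%Y-%m-%d")
               for u, a in accounts.items() if a.get("last_login")}
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["success"]:
            continue  # failed attempts are not the point here; the successes are
        reasons = []
        acct = accounts.get(e["user"])
        if acct is None:
            reasons.append("account not in inventory")
        elif acct["left"] is not None:
            reasons.append(f"departed employee (left {acct['left']})")
        if not e["mfa"]:
            reasons.append("password only, no MFA")
        prev = last_ok.get(e["user"])
        if prev is not None and e["ts"] - prev > timedelta(days=dormant_days):
            reasons.append(f"dormant {(e['ts'] - prev).days} days before this login")
        last_ok[e["user"]] = e["ts"]
        if reasons:
            findings.append((e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["user"], e["src"], reasons))
    return findings


def dormant_unprotected_accounts(accounts, as_of, dormant_days=60):
    """Inventory-only check: accounts that should be disabled or fixed before
    any login is ever attempted (departed owner, long dormant, or no MFA)."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=dormant_days)
    return sorted(
        u for u, a in accounts.items()
        if a["left"] is not None
        or (a.get("last_login") and datetime.strptime(a["last_login"], "%Y-%m-%d") < cutoff)
        or not a["mfa_enrolled"]
    )


if __name__ == "__main__":
    for ts, user, src, reasons in audit(ACCOUNTS, parse_log(SAMPLE_LOG)):
        print(ts, user, src, "; ".join(reasons))
    print("disable or fix:", dormant_unprotected_accounts(ACCOUNTS, "2021-04-01"))
```

On the sample data the audit flags the departed employee's password-only login after 109 days of silence, the shared legacy profile, and the account nobody can account for, while the current employee using a second factor is never reported. The inventory check is the cheaper control: run it on a schedule and the dormant, unprotected accounts are gone before an attacker finds the password.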

Furthermore, in 2018, a critical water utility in North Carolina serving about 150,000 people was hit by a cyberattack while still reeling from the impact of Hurricane Florence. Onslow Water and Sewer Authority had to take customer-service functions offline and rebuild its databases and computer systems from the ground up.

In late 2021, a small utility in Colorado suffered a suspected ransomware attack that took down 90 percent of its internal network functions and corrupted a large portion of its data.

Smaller Utilities Face Bigger Challenges

Municipal utilities are particularly vulnerable because they operate on tight budgets and often lack cybersecurity training. The energy and utility industry is also still recovering from the unprecedented surge in attacks that accompanied the COVID-19 pandemic: the sudden move to remote operations widened the attack surface at the same time that staffing, cybersecurity staffing included, was stretched thin.

Cybercriminals routinely look for weak entry points into their target. Unfortunately, those entry points are sometimes employees whose organizational knowledge and access are used, knowingly or unknowingly, against their employer. Fully 85% of breaches involve a human element.

Vulnerabilities can be greatly reduced with proactive risk management that addresses the interplay between cyber threats and human behavior.

When insiders intentionally help breach security, they are often people under financial or personal strain looking for a way out of their circumstances. Utility companies can use human capital risk management to mitigate the cyber threats and errors that at-risk employees may introduce. Attending to circumstantial warning signs helps companies stay ahead of attacks that would compromise the integrity of their internal infrastructure.

With ongoing awareness through a company-wide evaluation system, management can stay alert to anomalous behavior or other signs that an employee is under financial or personal stress. These risk factors, among others, may indicate whether an employee is susceptible to manipulation or bribery by criminals seeking to steal from, harm, or defraud the company.

Because municipal utilities have tight budgets and cybersecurity gaps, it is important for them to put proactive, automated measures in place that go beyond manual, intermittent background checks. Identifying employee-related risks early allows energy-sector leaders to intervene and address them with the employee before they snowball into something that seriously compromises the integrity of the organization.

Utility companies often manage cybersecurity, compliance, and safety independently, with separate policies for each; however, an individual's behavior can create risk in all three categories at once. The same distracted employee working through difficult financial or personal circumstances can create both cyber risk and workplace safety issues. To account for these overlapping risk scenarios, automated controls should be implemented to ensure policies are actually being followed.

Diligence is a Virtue

Turning a blind eye to these concerns, or having no visibility into them, puts a utility at greater risk of a security breach, regulatory noncompliance, revenue loss, legal liability, or reputational harm. More importantly, failing to manage human and cyber threats proactively puts the wider municipality at risk.

In this environment of evolving threats, the energy sector and utility companies must not only use every tool at their disposal to guard against increasingly sophisticated cyberattacks, but also learn to synchronize technology, company policy, and best practices into an integrated solution that safeguards information and keeps their municipalities in full operation. Implementing automated risk-detection measures and adopting an active risk mindset are the keys to safely keeping the lights on and the gas running.

About the author: Tom Miller is co-founder and CEO of ClearForce, a cyber and employee risk management company based in Vienna, VA. Tom has more than 25 years of analytic and risk management experience, having consulted for many of the top U.S. banks, published numerous articles, and presented topics at industry events and conferences related to risk management, insider threats, and the application of analytic technology and policy.
