The United States energy and utilities sector is expected to be heavily targeted by adversaries in the remainder of 2023 and into the near future. Already, federal officials are concerned that if China invades Taiwan, it will conduct cyberattacks against U.S. civilians and critical infrastructure. These cyberattacks are anticipated to target the nation’s electric grid, water systems and communications infrastructure, resulting in water contamination, power blackouts and gas supply line cut-offs that directly impact citizens.
Industry officials and federal leaders are well aware of the profound impacts that a security incident within this sector can have. Yet, addressing the industry’s vulnerabilities is quite complex. For starters, energy and utilities organizations are faced with a vast physical scope of distribution lines, physical plants, connectors and substations. Secondly, these organizations are plagued with outdated industrial computer systems that are extremely ingrained into their infrastructure. And it’s not just the energy and utilities companies themselves that are of high concern. Their suppliers and partners play a significant role in critical systems. A study from Deloitte reveals that the number of suppliers and contracted laborers providing expertise and skills has expanded over the years to meet a wide range of industry needs. For example, from 2015 to 2020, Exelon’s supplier pool grew by 18% to 8,000 suppliers. A growing ecosystem means that there are increasing ways for these systems to be penetrated.Emphasis on Cybersecurity Growing
Despite these challenges, providers are placing an increasingly strong emphasis on cybersecurity. CyberGRX predictive data collected from over 6,000 industry organizations unveil that many are implementing controls that protect against nefarious actors. On the other hand, they also lack the necessary controls that could mitigate more substantial risks. The deeper predictive analysis found:
The Opportunities
● 100% of energy and utilities companies are predicted to have Credential Standards in place
● 100% of energy and utilities companies are predicted to conduct Security Awareness Training
● 100% of energy companies and 90% of utilities companies are predicted to have Network Hardening in place
● 97% of energy and 88% of utilities companies are predicted to perform Network Device Hardening
● 69% of energy and 71% of utilities companies are predicted to have Social Engineering Testing policies in place
The Obstacles
● 87% of energy and 99% of utilities companies are predicted to not have a Server Host-Based Firewall in place
● 50% of energy and 88% of utilities companies are predicted to not have a Virtualized Endpoint Host-Based Firewall
● 86% of energy and 90% of utilities companies are predicted to not keep a record of the assets owned and how it is being used
● 83% of energy and 74% of utilities companies are predicted to not perform Penetration Testing
Compromised credentials, phishing attacks and network device hijacking have been common attack methods for decades. However, while these companies have important security controls in place to mitigate these threats, outdated SCADA (supervisory control and data acquisition) systems, present one of the biggest threats to securing the sector at scale.
Antiquated Systems at Risk
First designed and used in the 1960s, SCADA was built to be remotely controlled with admin rights. Today, when merged with IoT and ICS devices and used to underpin miles of infrastructure, it becomes nearly impossible to identify assets under management, not to mention establish new security protections or fix what is broken. These vintage industrial controls, which cannot be upgraded and are located in facilities too vast to be secured, result in a toxic combination. It is with this complication in mind that one can understand more deeply the security challenges faced by energy and utilities companies.
Many of these challenges stem from companies’ unwillingness to go through the cost or effort to leverage host-based security systems when it’s easier, and in some instances just as effective, to use network-based firewalls. While most companies use some form of a network-based firewall, putting a “host” on every system would require significant overhead, especially when organizations do not have a full understanding of all of their assets.
One way to ensure that the critical components integrated into a network are properly secure is to leverage penetration testing. The predicted lack of penetration testing being conducted in the industry is quite concerning. While complicated to implement, and potentially cost-prohibitive at the outset, a robust penetration testing regiment would make a huge difference in being able to expose, and then remediate, SCADA challenges. Additionally, most deficiencies associated with a lack of host-based firewalls can be offset by thorough penetration testing.
Embracing penetration testing as a proactive measure can also expose hidden weaknesses and pave the way for early and effective remediation. By investing in robust testing practices, the industry can fortify its defenses, safeguard vital operations, and ensure a resilient future.
About the author: Shane Hasert, Director of Threat Research & Cyber Security Standards at CyberGRX and ProcessUnity, is a former USAF Network Intelligence Analyst. For over 30 years, Shane has been a privacy and risk management professional.