The next cyber battleground: why utilities must do more to secure critical infrastructure
Utilities are increasingly depending on operational technology (OT) and Internet of Things (IoT) devices to control and monitor critical infrastructure systems — and threat actors have taken notice.
In part because traditional IT security has matured, attackers have shifted tactics toward the paths of least resistance. Innovations in the industry, such as Heimdall’s “magic balls” (drone-installed transmission line monitoring devices), require increasingly large and heterogeneous device fleets that are not easily secured by traditional information security techniques.
This internet-connected infrastructure, therefore, has become a particularly vast and vulnerable attack surface, and one that utilities have been relatively slow to address.
Critical Infrastructure Under Attack
Utilities — regardless of whether they handle electricity, gas, water or other needs — utilize OT and IoT devices to enable centralized operations and real-time monitoring across remote locations and pipelines.
This critical infrastructure is a target not only for attackers motivated by greed and armed with ransomware tactics, but also for more sophisticated groups backed by nation-states eager to sow disruption at a societal level.
Recent examples point to a clear increase in attacks and risks to critical infrastructure. In November 2023, a booster station of the Pittsburgh-area Municipal Water Authority of Aliquippa was attacked by the Iran-affiliated Cyber Av3ngers group, which compromised the controller that monitors water pressure and forced the authority to take the affected OT system offline and run the station manually. In the weeks that followed, the same method was used in a spree of attacks on other water utilities across the U.S.
Power utilities are similarly ripe targets for attackers. More than 1,600 security incidents affecting power grids in the U.S. and Canada were reported in 2022, with 60 of those causing power outages.
Given their distributed geography and networks, oil and gas operators are particularly vulnerable. Successful attacks on that infrastructure can also be particularly consequential, resulting in shortages and widespread societal effects. For example, Colonial Pipeline, which supplies 45% of the East Coast’s gasoline, diesel and jet fuel, suffered a particularly noteworthy ransomware attack in May 2021. The malware locked up the company’s corporate IT and billing systems, not its OT, yet Colonial halted operations across 5,500 miles of pipeline as a precaution because it could not be sure the compromise had not spread. The result was fuel shortages and panic buying in the states affected, a reminder that an IT intrusion can take OT offline even when no controller is touched.
Why OT and IoT Security Has Been Challenging
Visibility into OT and IoT device traffic — and the capabilities to detect and respond to anomalous behavior in real-time — are crucial to continuous security.
However, in many cases OT or IoT devices cannot tolerate active scanning: a port scan or an unexpected protocol query can hang or crash a fragile PLC or RTU. Utility security teams must therefore make judgment calls about their scanning techniques. Where they can safely use active methods, such as querying the device directly, polling it over SNMP, or otherwise surveying the network, they benefit from more current data.
If a device cannot tolerate a scan, or performs a function with zero tolerance for downtime, passive traffic analysis, observing the device’s own communications from a network tap or span port, is the safest method.
Another issue is that OT devices often run older technologies and protocols from an era when security wasn’t a design concern. The protocols used in SCADA environments, such as Modbus and DNP3, were built without authentication or encryption, so any host that can reach a device on the network can read its state or write to it. This is a challenge for utility security teams because dedicated attackers can seek out those weaknesses and exploit them to make devices behave in unintended ways.
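To make the passive approach and the protocol weakness concrete, here is an added example (not code from the original article or from Asimily) that parses Modbus/TCP requests from constructed packet records, builds a device inventory from what is observed, and raises alerts on writes from clients outside an allowlist and on a dangerous diagnostic sub-function. The IP addresses, the allowlist and the sample frames are all constructed for illustration; the frame layout (MBAP header followed by a function code) and the function code numbers come from the public Modbus specification.

```python
import struct
from collections import defaultdict

# Public Modbus function codes. Writes change process state; FC8 (Diagnostics)
# sub-function 0x0004 "Force Listen Only Mode" silences a device until it is reset.
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}
DANGEROUS_DIAG_SUBFUNCS = {0x0004: "Force Listen Only Mode"}

# Constructed allowlist: only the engineering workstation may write to this PLC.
WRITE_AUTHORIZED = {"10.10.2.20": {"10.10.1.7"}}

# Constructed "captured" requests to TCP/502: (src_ip, dst_ip, dst_port, payload).
# MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
SAMPLE_PACKETS = [
    # HMI reads 10 holding registers from unit 1 (FC3) -- normal polling
    ("10.10.1.5",  "10.10.2.20", 502, bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # HMI asks for device identification (FC43 / MEI type 0x0E) -- normal
    ("10.10.1.5",  "10.10.2.20", 502, bytes.fromhex("0005 0000 0005 01 2B 0E 01 00")),
    # Engineering workstation writes 1 register (FC16) -- on the allowlist
    ("10.10.1.7",  "10.10.2.20", 502, bytes.fromhex("0002 0000 0009 01 10 0010 0001 02 00FF")),
    # Unknown host writes a single register (FC6) -- not on the allowlist
    ("10.10.1.99", "10.10.2.20", 502, bytes.fromhex("0003 0000 0006 01 06 0010 00FF")),
    # Unknown host sends Diagnostics FC8 sub-function 0x0004 (Force Listen Only)
    ("10.10.1.99", "10.10.2.20", 502, bytes.fromhex("0004 0000 0006 01 08 0004 0000")),
    # Something that is not Modbus at all aimed at the Modbus port
    ("10.10.1.99", "10.10.2.20", 502, b"GET / HTTP/1.1\r\n\r\n"),
]


def parse_mbap(payload: bytes):
    """Return {tid, unit, func, data} for a Modbus/TCP request, or None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    # Length counts everything after the length field itself (unit id + PDU).
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "func": payload[7], "data": payload[8:]}


def analyze(packets, write_allowlist):
    """Passively build an inventory keyed by (server_ip, unit_id) and collect alerts."""
    inventory = defaultdict(lambda: {"clients": set(), "funcs": set()})
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != 502:
            continue  # only Modbus/TCP requests are modelled here
        req = parse_mbap(payload)
        if req is None:
            alerts.append(f"non-Modbus or malformed traffic to {dst}:502 from {src}")
            continue
        dev = inventory[(dst, req["unit"])]
        dev["clients"].add(src)
        dev["funcs"].add(req["func"])
        if req["func"] in WRITE_FUNCS and src not in write_allowlist.get(dst, set()):
            alerts.append(f"write FC{req['func']} to {dst} unit {req['unit']} "
                          f"from unauthorized client {src}")
        if req["func"] == 8 and len(req["data"]) >= 2:
            sub = struct.unpack("!H", req["data"][:2])[0]
            if sub in DANGEROUS_DIAG_SUBFUNCS:
                alerts.append(f"diagnostic '{DANGEROUS_DIAG_SUBFUNCS[sub]}' sent to {dst} "
                              f"unit {req['unit']} by {src}")
    return dict(inventory), alerts


if __name__ == "__main__":
    inv, found = analyze(SAMPLE_PACKETS, WRITE_AUTHORIZED)
    for key, info in inv.items():
        print(key, "clients:", sorted(info["clients"]), "funcs:", sorted(info["funcs"]))
    for a in found:
        print("ALERT:", a)
```

Nothing here sends a single packet to the PLC; everything is derived from frames the device would have received anyway, which is why it is safe for equipment that cannot tolerate a scan. The same parser, fed from a span port, also gives you the inventory the next section asks for without touching the devices.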
Also, it’s no coincidence that many attacks on utilities (including those mentioned above) target infrastructure at the periphery, such as remote substations and booster stations. Remote locations are often the softest targets, because centralized management and visibility into what’s happening at a remote site can break down, and the anomalous behavior that signals an active threat can go unnoticed for longer.
Thin network connections (think LTE backhaul) can further impede awareness of peripheral attacks, since there may be little bandwidth to spare for telemetry or monitoring. Once attackers have a foothold at the edge, the entire system may be at risk.
Optimal OT and IoT-Focused Strategies
To instill an effective OT and IoT security strategy, utilities should begin by taking a full inventory of all OT and IoT devices in all facilities and their network architecture, using discovery tools if possible.
Utility security teams need to transition away from a traditional perimeter security mindset, and strategically focus on monitoring and securing the traffic and data where threats will first appear. The ability to monitor, detect, and address anomalous behavior — at even the most remote outpost of your infrastructure from a centralized location — is essential.
Even with centralized visibility, inventorying, auditing capabilities, and strong governance in place, devices with known vulnerabilities will often still provide critical functionality. That makes it difficult, or impossible, to simply swap them out.
Risk measurement and prioritization therefore become key. Fortunately, many OT or IoT device vulnerabilities are not exploitable in practice once you consider the context of a utility’s particular network: the vulnerable service may be disabled, the device may sit in a segment no attacker can route into, or the flaw may require physical access. Accurate, context-aware assessment lets teams spend their remediation effort on the vulnerabilities that actually matter.
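One way to do that context-aware prioritization, as an added example that is not code from the original article or from Asimily: model the utility’s segments and the flows its firewalls permit, work out which attacker entry points can actually reach each device, and scale each vulnerability’s CVSS score by that exposure. The segment names, permitted flows, entry-point weights, device records and vulnerability identifiers (VULN-A through VULN-E) are all constructed for illustration, not real findings.

```python
from collections import deque

# Constructed segment model: (src_segment, dst_segment) -> destination ports permitted.
# "ot_isolated" has no inbound rule at all (legacy RTUs behind a data diode).
PERMITTED_FLOWS = {
    ("internet", "dmz"): {443},
    ("dmz", "corporate"): {443, 445},
    ("corporate", "ot_hmi"): {3389},
    ("ot_hmi", "ot_plc"): {502},
}

# Where attackers realistically start, with hypothetical weights: an internet-exposed
# path is worse than one that first needs a phished corporate workstation.
ENTRY_POINTS = {"internet": 1.0, "corporate": 0.7}

# Constructed inventory. "vector" follows the CVSS attack-vector idea (network/physical).
DEVICES = [
    {"name": "HMI-01", "segment": "ot_hmi", "open_ports": {3389, 502},
     "vulns": [{"id": "VULN-A", "cvss": 8.8, "vector": "network", "port": 3389}]},
    {"name": "PLC-07", "segment": "ot_plc", "open_ports": {502},
     "vulns": [{"id": "VULN-B", "cvss": 9.8, "vector": "network", "port": 502},
               {"id": "VULN-C", "cvss": 7.5, "vector": "network", "port": 80}]},
    {"name": "RTU-12", "segment": "ot_isolated", "open_ports": {502},
     "vulns": [{"id": "VULN-D", "cvss": 9.8, "vector": "network", "port": 502},
               {"id": "VULN-E", "cvss": 6.8, "vector": "physical", "port": None}]},
]


def exposed_from(segment, flows=PERMITTED_FLOWS):
    """Return the entry segments from which `segment` is reachable over permitted flows.

    Pessimistic: reaching any host in a segment on any port is treated as a foothold
    from which the attacker can pivot onward, so only segment adjacency is checked."""
    result = set()
    for entry in ENTRY_POINTS:
        seen, queue = {entry}, deque([entry])
        while queue:
            seg = queue.popleft()
            if seg == segment:
                result.add(entry)
                break
            for src, dst in flows:
                if src == seg and dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
    return result


def prioritize(devices):
    """Rank (device, vulnerability) pairs by CVSS adjusted for actual network exposure."""
    ranked = []
    for dev in devices:
        exposure = exposed_from(dev["segment"])
        for v in dev["vulns"]:
            if v["vector"] != "network":
                weight, why = 0.1, "needs local or physical access"
            elif v["port"] not in dev["open_ports"]:
                weight, why = 0.0, "vulnerable service not running"
            elif not exposure:
                weight, why = 0.1, "no routed path from any entry point"
            else:
                weight = max(ENTRY_POINTS[e] for e in exposure)
                why = "reachable from " + ", ".join(sorted(exposure))
            ranked.append({"device": dev["name"], "vuln": v["id"], "cvss": v["cvss"],
                           "score": round(v["cvss"] * weight, 1), "why": why})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize(DEVICES):
        print(f"{row['score']:>4}  {row['device']:<7} {row['vuln']:<7} "
              f"(CVSS {row['cvss']})  {row['why']}")
```

The point of the example is the re-ordering: the two 9.8 findings end up at opposite ends of the list, because one sits on a PLC reachable through the HMI segment and the other on a device nothing can route to. The reachability model is deliberately crude (segment-level, ignoring the ports on intermediate hops); a real deployment would feed it from the firewall rule base and the passively built inventory rather than a hand-written dictionary.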
Also, considering the practical challenges utilities face in recruiting and retaining talent on their security teams, equipping those individuals with the means to meet their responsibilities efficiently and effectively is a powerful and valuable draw.
Speed Equals Security
Utilities must resist the all-too-common urge to pile OT and IoT risk reduction efforts into giant projects that may never get finished. Attackers love a slow defense. Risk reduction — now — is a tangible benefit. Potential risk reduction later is not.
Linking needed safeguards to large network reconfiguration projects, for example, won’t reduce risk now, or even soon. Adversaries weaponize vulnerabilities faster than ever before, sometimes within hours of disclosure, and a safeguard scheduled for the end of a multi-year segmentation program protects nothing in the meantime.
Time matters, and utilities that introduce effective safeguards for their critical infrastructure as soon as possible will realize outcomes that make them glad they did.
About the author: Shankar Somasundaram is the CEO of Asimily. Previously, he worked on IoT analytics and security solutions at Symantec, where he helped lead the company’s enterprise IoT product management. Before Symantec, he ran product management for the iPhone 3G modem at InterDigital. Through his career, Somasundaram has more than 60 granted patents.