It is not just electric utilities that need to be cyber aware. Increasingly connected water utilities need to understand the threat landscape too.
As a high-growth, increasingly connected industry, the energy, gas and water utilities market faces growing vulnerability to cyberattacks. Because of the critical role of water and power infrastructure in our society, and their increasing reliance on connected systems, utilities are an especially appealing target across multiple attack vectors: insider, outsider and supply chain.
This article was originally published in Smart Energy International issue 1-2020.
Attackers' motives are diverse, ranging from state-level attacks to financial gain and theft. The possibilities for destruction are vast – from gaining access to a wastewater plant and changing settings that could cause contaminated water, to shutting down power for entire cities. A 2018 report by KPMG found that “almost half of power and utility CEOs think a cyberattack on their company is inevitable,” and that “for utility executives, cybersecurity continues to be a top concern as grid modernization potentially opens up the power sector to more vulnerabilities.”
Connected digital devices – such as smart meters,
controllers, and sensors – are used by utilities to remotely monitor and
control processes and are also easy targets for hackers. For water and electric
utilities, smart metering can be a way to drive efficiencies, but it has the
potential to compromise the privacy of end-users. And then there is the issue
of bad actors both internal and external to an organisation gaining access to
the main operational system and causing severe community health issues such as flooding,
contaminated water sources or loss of power to entire cities.
This can also present a trickle-down impact on the global supply
chain by stopping entire nations in their tracks.
What does the threat to utility infrastructure look like currently?
We’ve already seen examples of the danger that cyberattacks
can present in a utility setting. In 2018, it was announced that the US
electric grid, among many other critical infrastructure organisations, had been
targeted and attacked by Russian government hackers going back as far as 2016.
Hackers intentionally gained access to power plant and other networks, set
up admin accounts with permission to make changes to the system, and used these
accounts to install malware in the network.
In 2016, Syrian-linked hackers attacked an American water
district’s industrial control system (ICS) and “managed to manipulate the
system to alter the number of chemicals that went into the water supply.” And
as recently as February 2019, a small Colorado water utility was hit by
ransomware, causing it to switch IT service providers and alert the FBI. While
many attackers are intentionally choosing small, local utilities without the IT
resources and budget of larger providers, there is still risk for providers of
every size across the industry – a 2015 cyberattack in Ukraine caused power
outages for close to a quarter of a million people. These two are just examples
of the dozens of other threats, both in the US and globally.
There is also the issue of smart meters and appliances that
are serviced by electrical or water management companies being exposed to
attack. With their fine-grained data, smart meters and appliances have the
potential to compromise the privacy of end-users; for example, they could
divulge information about users’ habits, their activity at home, whether or not
they’re on vacation, or other important information that could be used in a
multi-layer attack.
What’s more, should even one smart meter become compromised
through a focused attack or reverse engineering, attackers could potentially
access the entire advanced metering infrastructure, allowing them to carry out
a macro-level attack of unprecedented scale.
The vulnerability of smart meters highlights a need for
device level protection that protects even the most vulnerable edge devices,
rather than a network based or over-the-air (OTA) update approach to security.
It is crucial that connected utility devices such as ICS, controllers, smart
meters, sensors, etc., be hacker-proofed throughout their entire life cycle –
starting from the production line, through the supply chain to field operation
and remote software updates, until end-of-life. Resilience should be maintained
across multiple attack vectors: remote and local, outsider and insider, as
well as in the supply chain.
Although many of the bad actors targeting this
market are external, in many cases there is a large and very likely threat from the
inside, i.e. internal liaisons who either assist external groups
in gaining access or conduct nefarious activity on their own. A 2018 report
from IBM’s X-Force Threat Intelligence Index found that insider threats are
“the cause of 60% of cyberattacks.” Threats can materialise during
manufacturing and within the supply chain of devices such as smart meters and
controllers, with the most tangible threat coming from a bribed workforce in
the manufacturing and supply chain that loads malicious firmware into a batch
of devices, such as smart meters, sensors and controllers.
A new cybersecurity approach for utilities: flash-to-cloud
As cybersecurity concerns mount across utilities, there is a
need for a new approach.
Security must be built into a connected device’s hardware
when it is developed and manufactured on the factory floor, and extended
throughout its lifecycle, so that any attempt by an insider or an external
group to gain access is challenged.
We are working with a European power utility company and
testing deployment of smart meters that communicate via its PLC (power line
communication) network, to automatically receive energy usage and send software
updates, calibration, encryption keys and more. But as a preferred target for
hackers, smart meters as well as RTUs (remote terminal unit controllers) pose a
serious risk, because of their connection to the grid and also because they
serve as back doors for a wide range of malicious attacks from external and
internal threats.
With this approach, a secure channel is created all the way
from flash memory to the cloud, making it impossible for attackers to alter the
firmware of these smart meters and RTUs with any malicious code. Only trusted
and validated commands and updates, coming from the utility’s data centre, can
modify the flash. Reliable alerts and status reporting, coming from the
hardware root-of-trust, enable a trustworthy outlook, management, and control of
the utilities’ smart meters, controllers, sensors and ICSs.
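The write-gating idea in the paragraph above, sketched as an added example that is not NanoLock's code or design: a gate in front of flash accepts a new image only when it carries a valid authentication tag from the data centre and a fresh counter, and records every decision as an alert. The shared HMAC key, the counter scheme and all names (`GatedFlash`, `sign_update`) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def _tag(key, counter, image):
    # The MAC binds the image to one counter value, so a command cannot be reused.
    return hmac.new(key, struct.pack(">Q", counter) + image, hashlib.sha256).digest()

def sign_update(key, counter, image):
    """Data-centre side: authorise one firmware image for one counter value."""
    return counter, image, _tag(key, counter, image)

class GatedFlash:
    """Toy write gate in front of flash; host firmware never holds the key."""
    def __init__(self, key, image):
        self._key = key        # assumption: provisioned at manufacture
        self._image = image
        self._counter = 0      # highest counter accepted so far
        self.alerts = []       # status reports for the data centre

    def read(self):
        return self._image

    def write(self, counter, image, tag):
        if not hmac.compare_digest(_tag(self._key, counter, image), tag):
            self.alerts.append(("rejected_bad_tag", counter))
            return False
        if counter <= self._counter:
            self.alerts.append(("rejected_replay", counter))
            return False
        self._image, self._counter = image, counter
        self.alerts.append(("accepted", counter))
        return True

def demo():
    key = b"constructed-demo-key"   # constructed sample value
    flash = GatedFlash(key, b"fw-v1")
    update = sign_update(key, 1, b"fw-v2")
    c, _, tag = sign_update(key, 2, b"fw-v3")
    results = [
        flash.write(1, b"implant", b"\x00" * 32),  # no key: forged tag
        flash.write(*update),                       # genuine update
        flash.write(*update),                       # replayed command
        flash.write(c, b"fw-v3-modified", tag),     # image altered in transit
    ]
    return results, flash.read(), flash.alerts

if __name__ == "__main__":
    print(demo())
```

Only the genuine update changes the stored image; the three rejected writes still produce alerts, which is what gives the data centre visibility into tampering attempts.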
The flash-to-cloud embedded protection guarantees a lifetime
defence – from manufacturing and supply chain, to operations and software
updates, to end-of-life – regardless of whether the attacker has a network or
physical access or is an outside or inside threat.
We have begun partnering with utilities to offer them a
solution for IoT cybersecurity.
In November 2019, we announced a partnership with Israel’s
national water company, Mekorot, to develop cybersecurity solutions for water
and energy utilities in Israel and around the world.
As we look ahead at 2020 and beyond, the threats facing
utilities and smart infrastructure will continue to expand as their networks
do. It is important for decision-makers to consider new security approaches
that offer device-level security by design that protects their
infrastructure for years to come.
About Nitzan Daube
Nitzan Daube is CTO of NanoLock, where he brings extensive
experience in software, high-tech business and bridging the gap between
marketing, project management and engineering. He has worked with companies
like Microsoft, National Geographic and Cellepathy in various executive-level
software and hardware management capacities.
About NanoLock Security
NanoLock Security provides a security by design solution
with a powerful flash-to-cloud defence for IoT and connected edge devices.
NanoLock’s robust solution secures the entire chain of IoT
and connected edge devices vulnerability, from deeply embedded endpoints in the
device to the cloud, with no additional device costs and zero computing power.