Why Utilities Cybersecurity Must Improve and How It Can

Utility companies, like many others, are in a period of rapid digital transformation. This shift is a crucial part of enabling clean energy and boosting grid resiliency, but it also introduces new challenges. Most notably, utilities cybersecurity must improve for these changes to be more helpful than hazardous.

The need for cybersecurity in utilities infrastructure is a recent development but a critical one. Without higher security standards, water, gas and electric companies’ digitization may create more issues than it solves. Conversely, better cybersecurity will enable them to fully capitalize on everything Industry 4.0 has to offer.

The Need for Utilities Cybersecurity

Security concerns are one of the driving factors behind the need for grid modernization, but many utilities don’t fully grasp this urgency. Here’s why cybersecurity has become such a prominent concern so quickly.

Utilities Are Vulnerable

As more utility companies embrace Industry 4.0, more of the nation’s previously air-gapped critical infrastructure is coming online. Internet of things (IoT) connectivity is becoming the standard, with 80% of utilities in 2021 having fully deployed at least one IoT project. That connectivity is great news for reliability and efficiency, but it also increases these organizations’ attack surface.

This physical-cyber convergence means threats like hacking and ransomware can now target power grids, water systems and other critical infrastructure. Because that was previously impossible, many organizations also lack the knowledge and expertise necessary to address these vulnerabilities.

Utility companies may not realize that implementing IoT systems exposes their infrastructure to cyberattacks. If they do, they may not understand what security measures are most effective at preventing and mitigating these attacks. This lack of experience combined with rapid digitization makes utilities ideal targets for cybercriminals.

Utility Cyberattacks Can Be Destructive

This infrastructure’s importance makes the need for utilities cybersecurity more pressing. In addition to being increasingly likely, cyberattacks against these organizations could cause considerable damage.

Several recent incidents highlight these risks. The 2021 Colonial Pipeline attack stole 100 gigabytes worth of data and resulted in one of the U.S.’s largest oil pipelines shutting down for almost a week. This breach was comparatively brief but emphasized how far-reaching these attacks can be. If the cybercriminals had instead taken the system offline themselves, the effects on gas prices and consumer behavior could’ve lasted weeks.

Grid failures like the 2021 Texas ERCOT blackout are another strong warning. This power loss led to more than 50 deaths and $195 billion in property damage. While this specific incident resulted from extreme weather, a cyberattack could have similar effects by taking a power system offline.

How to Improve Utilities Cybersecurity

The need for improved utilities cybersecurity is urgent, but the path forward is clear. Here are some steps the industry can take to prevent destructive cyberattacks in the future.

Education

The first step towards protection is understanding. Utility companies must realize the scope and severity of cybercrime, as well as what may leave them vulnerable to it. When they understand these factors, they can create a more security-centric organizational culture.

Employee training is an important part of this education. The Colonial Pipeline incident resulted from a breached password, which the company could’ve avoided with more thorough security training. All workers should understand best practices like strong password management, the importance of two-factor authentication and how to spot phishing attempts.

This education will minimize risks from human error, which are often the most vulnerable. Once utility companies have achieved that, they can place more trust in their technical defenses.

Segmentation and Access Restrictions

Next, utilities must restrict access permissions as much as possible. The industry must embrace the principle of least privilege, only granting each user, device and application access to what they need to function correctly. These restrictions will prevent lateral movement, ensuring a breach on one account doesn’t jeopardize the entire system.

As part of this movement, critical infrastructure organizations must vet their partners and third parties carefully. Minimizing these outside parties’ access permissions and holding them to higher standards will ensure vulnerabilities on their end don’t spread.

Similarly, utility companies must segment their networks to isolate IoT devices. There were more than 1.5 billion IoT attacks in the first half of 2021 alone, and these endpoints often lack strong built-in security controls. Keeping them on separate networks from critical devices and data will help contain these attacks, minimizing the damage.

Proactive Threat Monitoring

Network monitoring is another essential step in utilities cybersecurity. Given how destructive these attacks can be, critical infrastructure organizations can’t wait to respond to incidents as they occur. They must proactively look for threats to address them as quickly as possible.

Reducing network complexity to enable greater visibility is crucial, as this will help organizations spot potential issues sooner. These companies must also employ automated monitoring tools to find and contain threats, especially those relating to vulnerable IoT endpoints. Automation is faster, more accurate and more scalable than human security response teams, so it’s the ideal solution to address these threats.

Part of this monitoring is staying up-to-date on emerging cybercrime trends. Utilities should regularly share resources and insights with security experts and others in the industry to learn of any new best practices or emerging vulnerabilities to address.

Standards and Regulation

Finally, utility companies must push for more standardization in the industry. Just as IoT standards can make connected devices more secure, standardized technology practices and security steps in the industry can help create more resilient infrastructure.

Utilities frequently rely on each other to adapt to emergency situations, and the same should apply to cybercrime responses. Creating shared standards and regular information sharing will help organizations across the sector set and measure security benchmarks and develop cultures of cybersecurity.

As part of this shift, organizations must also push for increased regulation in the sector. Legislation defining cybersecurity responsibilities and requirements will help guide companies toward a better security posture and hold organizations that fail to meet best practices accountable.

The Nation Needs Better Utilities Cybersecurity

As cyber threats rise, IT security is becoming an increasingly central part of running a business and even national safety. Amid this shift, utilities cybersecurity must become a bigger focus.

Cybercrime is rising, but as it does, awareness of it and of the best practices that address it is too. If the industry can lean into this trend as much as it has into digitization, it can capitalize on Industry 4.0 without fear of endangering end users.