Remember Colonial Pipeline? Protecting Utilities from cyber attack

The Utility sector, with its geographically widely distributed infrastructure and digital assets running old or even obsolete technology, has proved to be one of the most vulnerable.

Cybersecurity
Written by:
David Purón

This incident is just another example of a trend that experts have been predicting for years: critical infrastructure as a target for cybercrime.

On Thursday, May 6, 2021, the Colonial Pipeline Company, responsible for the longest pipeline infrastructure in the United States for transporting fuel, stopped its operations as a result of a cyberattack. Hundreds of gas stations in different states ran out of product, customers were stuck in mile-long traffic jams, large companies saw their operations severely affected, fuel prices soared and President Biden had to declare a State of Emergency to secure supplies across the country.

The Utility sector, with its geographically widely distributed infrastructure and digital assets running old or even obsolete technology, is one of the most vulnerable.

Besides the oil and gas sector, attacks on electricity and water infrastructure have been very relevant, such as the one suffered by the Kiev power grid, which plunged 20% of the population into darkness, or the one that occurred recently at the Oldsmar (Florida) water treatment plant, where cybercriminals put the entire population at risk by trying to alter the sodium hydroxide mixture.

Governmental and industry efforts to prevent such incidents are relevant. The European Parliament launched the NIS («Network and Information Security») directive in 2015; it was revised in November 2020 and seeks to establish a framework to help companies improve their resilience and responsiveness to this type of attack. However, until the regulation applies, companies that manage critical infrastructure, and especially Utilities, must make an individual effort to raise the level of their cybersecurity in the face of increasing risk.

Based on our experience working with industrial companies, there are 4 points of improvement that will help Utilities raise their level of cybersecurity:

1. Increase their threat intelligence through CERTs

Utilities need to take a preventive and proactive approach to identifying potential threats. It is not surprising that cybersecurity problems suffered by one Utility are repeated in other similar ones. Thus, it is paramount to have in place the services of one or more CERTs (Computer Emergency Response Teams), in order to access early-warning information on threats affecting operations. In Spain, there is an association of CSIRTs that groups together the main CERT services, public or private, regional or sectoral, which companies can contact to obtain these services.

2. Working with «Industrial Internet» providers

Prior to 2010, Utilities’ industrial networks (OT) were traditionally isolated from Intranet and Internet (IT) networks. The increase in digital technology products aimed at improving the monitoring, maintenance and control of OT networks, together with market pressure to offer better and faster service to users, has forced the industrial world to «open» avenues of information between IT and OT networks.

In this sense, it is essential for utilities to work with suppliers that understand IT and OT environments in a convergent manner. On the one hand, companies do not understand the business models, operation and speed required by the new digital era; on the other hand, the IT world often does not understand the robustness and resilience requirements of the industrial world. Young companies are the ones applying the concept of «Industrial IoT», which is to help these two worlds (IT/OT) converge in an appropriate and risk-free manner.

3. Certify products, deployments and suppliers against standards such as IEC 62443

As we mentioned previously, «you can’t put gates on the field». Even if a Utility is resistant to new trends, its networks and industrial equipment cannot be isolated for long, or they will not be competitive at all. Assuming that this interconnection is going to happen, the way to make it more cybersecure is to design and certify your network architectures against new standards that have been developed for this new scenario. Of all the possible standards, IEC 62443 seems to be becoming the «de facto» standard used by industrial companies to connect their systems outside of a fully trusted environment.

Utilities can run audits that certify their equipment and networks against this standard, thus ensuring that they have an adequate level of security. The standard establishes 4 levels of cybersecurity, which can cover different scenarios depending on the level of criticality of the connected assets.

4. Increase your processing capacity at the «Edge»

In many cases there is a false impression that industrial IoT requires the interconnection of all plants to the cloud to send large amounts of data to be processed by complex Artificial Intelligence or Machine Learning algorithms. For utilities, with their infrastructure scattered over thousands of kilometers, this is a major operational and security challenge.

Therefore, it makes sense to use designs in which part of the intelligence and processing is performed in the plant itself, and only the results of the processing, or those data that require centralized analysis, are uploaded to the cloud. These are the so-called hybrid architectures, enabled by the technology called Edge Computing, which Gartner predicts as a confirmed trend. This technology, though still in its infancy, is growing fast. According to Gartner, as of 2018, about 10 percent of enterprise data was being generated and processed “at the edge”. By 2025, this number is predicted to reach an astounding 75%.
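A minimal sketch of the hybrid design described above, added here as an illustration and not code from the author or any product: the plant-side node summarizes each window of readings locally and attaches raw data only for windows that need centralized analysis. The window size, operating band, field names and sample readings are assumptions constructed for this example.

```python
from statistics import mean

# Constructed sample: 15 consecutive readings from one plant sensor.
# Values and units are invented for this example.
RAW_READINGS = [
    100.1, 99.8, 100.3, 100.0, 99.9,
    100.2, 100.4, 99.7, 100.1, 100.0,
    100.2, 180.5, 100.1, 99.9, 100.0,
]
WINDOW = 5                   # readings per local processing window (assumed)
SAFE_BAND = (90.0, 110.0)    # assumed normal operating band


def summarize(chunk):
    """Reduce one window of raw readings to the result that is uploaded."""
    return {"n": len(chunk), "min": min(chunk), "max": max(chunk),
            "mean": round(mean(chunk), 2)}


def edge_process(readings, window=WINDOW, band=SAFE_BAND):
    """Run in the plant: return the messages that would go to the cloud."""
    low, high = band
    uplink = []
    for start in range(0, len(readings), window):
        chunk = readings[start:start + window]
        msg = {"window_start": start, "summary": summarize(chunk)}
        # Raw data leaves the plant only when a reading falls outside the
        # band, i.e. when the window needs centralized analysis.
        if any(not (low <= r <= high) for r in chunk):
            msg["raw"] = list(chunk)
        uplink.append(msg)
    return uplink


def raw_values_uploaded(uplink):
    """Count raw readings that left the plant."""
    return sum(len(m.get("raw", [])) for m in uplink)


if __name__ == "__main__":
    messages = edge_process(RAW_READINGS)
    for m in messages:
        print(m)
    print("raw readings uploaded:", raw_values_uploaded(messages),
          "of", len(RAW_READINGS))
```

With the sample data, two of the three windows go up as summaries only, and the window containing the out-of-band reading is the only one whose raw values cross the plant boundary.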

If you are interested in this article and want to know more about how to securely deploy your IoT project, do contact us.