The key cybersecurity challenges facing utilities

Fortinet's Jon McGettigan

The utilities sector is one of a handful of critical infrastructure industries. Power generation and delivery, water treatment and provision, and natural gas are integral to the smooth running of society. Utilities encompass services that are not often thought about; however, their absence is noticed instantly, writes Jon McGettigan, senior director regional sales, Australia, New Zealand, and the Pacific Islands, Fortinet.

Around the world, attacks on utilities operators have been increasing. From Stuxnet in 2010 to Triton in 2017 and the recent Colonial Pipeline attack by the DarkSide criminal gang in 2021, cybercriminals are constantly finding new ways to attack critical infrastructure operational technology (OT) systems. 

Should a blackout occur or water stop running, basic life functions are halted and panic can ensue, potentially leading to civil unrest. A successful cyberattack has the power to bring this grim reality to life and cause widespread destruction, making these critical infrastructure operators a prime target for cybercrime. 

The first step for these attackers is to disable or sabotage the OT that controls the operations through connected devices. This can result in sustained power outages, toxins leaching into water supplies, or even explosions and equipment malfunction leading to injuries and even death. While the older versions of these systems were protected through air-gapping, as the technology becomes more connected to the internet and to other systems, it is increasingly exposed to the risk of critical cyberattack.

Unfortunately, protecting these systems from online attacks isn’t as straightforward as protecting corporate IT. Fortinet’s 2021 Networking and Cybersecurity Adoption Index revealed that less than two-thirds (58 per cent) of organisations surveyed had a disciplined adherence to best practices when it comes to cybersecurity. The specialised nature of OT assets makes visibility into the network a challenging first step.

Utility organisations can face several other challenges when it comes to securing OT and other data:

1. Increased complexity

As the utilities industry digitally transforms, previously disconnected systems are being connected for remote monitoring and management, while new systems and capabilities are coming online all the time. This is creating increased complexity in the OT environment, making it harder to achieve full visibility and control over all systems and assets. 

2. New equipment and threats

New equipment is constantly being acquired by operators looking to invest in increased safety and performance. However, as new equipment joins the digital environment, new gateways are created for cyberattacks, unless secured properly. This trend is expected to continue as the industry searches for more environmentally conscious alternatives to current energy and water systems. While these new systems can deliver relatively safe and clean power solutions, they also have the potential to create an environmental hazard if successfully breached by a cyberattacker.

3. Challenges around gaining visibility and control

The long lifespan of OT and its critical functions make replacing an older system before it reaches the end of its life very difficult. But protecting older systems is also a challenge as this technology was never designed to be connected to the internet and can’t usually be patched. While air-gapping made these systems more secure in the past, organisations can’t afford to ignore the significant benefits of connected OT systems.

4. Compliance reporting

Energy companies are subject to a wide array of regulations and standards, from environmental requirements for drilling and refining to regulations for protecting consumer data. Organisations must be able to demonstrate compliance with an array of regulations and standards without redeploying staff from strategic initiatives to prepare audit reports. Failure to demonstrate compliance can not only damage brand reputation but also result in substantial fines and penalties.

5. Customer experience

Fuel retailers engage with their customer base through a variety of electronic means, including point-of-sale (POS) infrastructure, mobile applications, and loyalty cards. Securing those interactions is critical for both compliance and maintenance of brand value.

Determining the appropriate cybersecurity controls requires visibility as well as a strategic, overarching plan to address key vulnerabilities. With the government introducing the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) to strengthen the requirements around securing critical infrastructure assets, now is the ideal time for utilities operators to prioritise the review of their cybersecurity approach to ensure they can defend their operations.