In most parts of the world, power, water, and waste utility services can be taken for granted. Need to light up a room? Just flip a switch, and you have electricity. Hands need washing? Just turn the faucet, and there’s the water. Sink full of dirty water after scrubbing dishes? Just send it down the drain. No fuss, no hard labor.
It’s easy, right?
Not entirely. There’s a lot of work that has to be done behind the scenes to ensure that we receive the utility services we’ve come to depend on for our own well-being. We need power plants of all kinds – powered by fossil fuels, nuclear fuels, and renewable energies – to produce the electricity we use to control the temperatures of our homes and businesses and to operate the computers, control systems, machinery, and so many other things that improve our lives and support the economy. We need water utilities to provide us with water for drinking, washing, and other vital functions. We need wastewater management to help keep our homes, workplaces, and public spaces clean and protected from disease and contamination. If we want these benefits, we have to hire the people and build the systems needed to run the utilities and keep them in good working order.
Connected solutions provide benefits – but at a cost
Doing so is no easy task. It takes time, effort, and money – and inevitably, as profit and non-profit utilities invest time, energy, and money into their operations, they will always be looking for ways to conserve resources without compromising their service.
Mechanization and digitalization can help, but so can the internet. If utilities install connected information technology (IT) and operational technology (OT) systems and other sophisticated tools such as cloud computing, they can optimize their inputs even as they continue to provide output – that is, services to customers. What’s more, if they take advantage of sophisticated artificial intelligence (AI) solutions that analyze the data that their connected systems collect, they may even be able to optimize their services in ways that offer extra benefits to consumers.
But unfortunately, connection comes with vulnerability. High-tech solutions make power providers vulnerable to cyberattacks, as McKinsey & Company noted last November. Likewise, they represent significant challenges for water and wastewater utilities, as the Water Information Sharing and Analysis Center (WaterISAC) pointed out last December in the wake of the SolarWinds cybersecurity breach.
Download: ICS Visibility Guide [Whitepaper]
In the face of these threats, the U.S. government and European Union (EU) has concluded that utilities warrant protection, since they provide services that are difficult (and hazardous) to live without. Indeed, the Cybersecurity and Infrastructure Security Agency (CISA), a unit of the U.S. Department of Homeland Security (DHS), and the EU’s Directive on security of network and information systems (NISD) numbers power generation, nuclear plants, and water/wastewater among the 16 sectors designated as critical infrastructure.
But what kind of protection?
Protecting critical utilities is a task with inherent challenges
To answer that question, we’ll ask another: What do these utilities need to protect?
The answer to the question is: the OT and IT systems that support the operations of the utilities, along with the equipment and devices managed by these systems. This is no simple matter, since utilities have to operate multiple physical facilities in order to serve customers. Water companies, for example, must maintain reservoirs, collection points, purification facilities, storage tanks, pumping stations, and networks of supply pipes, as well as administrative offices. Similarly, transmission system operators (TSOs) have to keep long-distance transmission lines, substations, connections to both power plants and local distribution lines, transformers, other equipment, and administrative offices running. Meanwhile, utilities of all types usually operate facilities that are scattered across wide geographic areas. And to top it off, their customers expect reliable, 24/7 performance, even in adverse situations such as storms and droughts.
Utilities are, then, operating under conditions that present serious challenges for cybersecurity professionals. They operate multiple physical facilities, each with their own IT networks and industrial control systems (ICS), that are separate from each other. They are responsible for extensive infrastructure systems, some of which are outfitted with Industrial Internet of Things (IIoT) devices.
Additionally, like their counterparts in other sectors, they often rely on OT systems that have inadequate protections and are poorly integrated with IT systems. They may, for example, rely on legacy switch SPAN ports that aren’t secure, reliable, or available. They may lack appropriate traffic aggregation systems or require unidirectional connectivity. They may face different speed or media connections.
In other words, cybersecurity specialists who work for these utilities must be prepared to confront an environment with multiple points of entry for hackers and cybercriminals and varying levels of security among these points of entry.
Threat monitoring needs to happen in real time and with optimum visibility
So what’s the best way to safeguard these complex environments
Obviously, risk reduction is necessary. But for utilities, it’s important to make sure that the risk reduction solutions in use can detect threats in real time and with optimal operational visibility.
The necessity of threat detection is obvious. Security breaches happen, and they have to be identified and confronted. That’s why threat monitoring solutions are designed to detect all kinds of anomalies, ranging from malware to malfunctioning devices to neglected firmware updates. That’s why these solutions operate on a continuous basis, not just intermittently.
But why is real-time capability important? In the case of utilities, it simply isn’t optional. The stakes are too high, given the vital nature of the services involved, to risk interruptions in service. As such, cybersecurity teams need to be able to monitor adverse events as they happen, not later (Moreover, they ought to be ready for those adverse events before they happen, so their security strategy should include practice and preparation – that is, proactive mitigation and predictive attack scenarios).
And why is operational visibility so important? To answer this question, consider the fact that it’s a fundamental best practice in cybersecurity to have a system inventory of all the networked devices and ICS being monitored. That inventory allows cybersecurity teams to determine what facilities are connected to the network and who is active on the network. In turn, visibility solutions give cybersecurity teams a visual representation of that information. As we’ve mentioned before, you can’t secure what you can’t see!
But visibility solutions necessitate the implementation of fundamental best practices in visibility architecture. To achieve that, you’ll need to eliminate blind spots in the network so that ICS security tools can detect threats and anomalies and conduct continuous monitoring. After all, those tools can only do their job if they can carry out complete analyses of packet data visibility – and for that, you’ll need to deploy network TAPs, air-gapped virtual TAPs, and data diodes with your security and infrastructure strategy.
Are you responsible for keeping utility assets secure and unsure of where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.
