utility sector planning for enhanced security, new distributed resources and grid technologies are adding more complexity to the system, which means that keeping security practices up to date will most likely be a continuous job.
“The rise in distributed energy provides a weakness for the existing model of cyber-attacks,” says Andrey Doukhvalov, chief strategy architect and head of future technologies department, Kaspersky Lab. “This is good news. However, the bad news is that in the future the main challenge will be how to provide a trusted source of information from these distributed systems since information flow has to be centralised for effective management. And of course the issue of cybersecurity will now change to the area of trusted information.”
By examining the current cases of cyberattacks, Doukhvalov says it is clear that cybercrime might shift from theft of information to theft of business continuity. “If the bad guys know the price of unplanned outage of a plant or digital substation, they no longer then need to steal personal information from bank accounts or money transfers. They just may attack installations and ask for a ransom that is almost equivalent to the cost of an unplanned outage of that particular installation.”
Data from a survey conducted by Ernst & Young (EY) shows that 80% of utility companies have witnessed an increase in external threats, with mobile computing, malware and phishing the most prevalent concerns.
But while they may recognise the threats, only 11% of survey respondents said they felt their current information security measures fully meet their organisation’s needs; 60% are running no or informal threat assessments, while 64% believe that their security strategy is not aligned with today’s risk environment.
It is a trend that worries cyber security solutions providers who feel that the scale of threats is not widely understood by industry players and are now calling for a complete change in the approach for securing vulnerable utility infrastructure and systems.
The story of critical infrastructure security is part of a familiar narrative of the clash between old technology and new cyber threats, between government regulation and company motivation, and between cost and security – with security consequences unique to critical infrastructure.
“A large section of the existing utilities infrastructure is old and not resilient enough to withstand the emerging cyber threats,” says Andrey Suvorov, head of critical infrastructure protection business development, Kaspersky Lab.
Suvorov says that a complete change in attitude and approach is required to lessen threat levels, and to boost the security of all attack vectors at any given unit that could be a potential target.
Critical infrastructure systems including the electrical grid and water disbursement are in need of some serious security overhauls to prevent the hacking threats currently impacting those sectors, he says.
“What we are witnessing is mostly a reactive approach where companies deploy security solutions only after threats become palpable. But to guarantee high availability, reliability and safety, the entire system must be insulated from current and future threats because attackers are always changing tactics.”
A number of companies tend to give less attention to real possible targets and instead focus on areas such as data, which downplays the very real possibility of cybercriminals taking control of essential resources, says Suvorov.
“With the increased convergence of cyber and physical worlds, attacks are no longer limited to office computers and networks, and can have a physical impact in the real world,” Suvorov points out.
“It makes economic sense to make a single investment in a security solution that will protect your infrastructure for many years ahead rather than waiting for a threat to happen and then take action.”
The industrial cybersecurity expert says it is important that utilities implement IT security solutions that integrate network, endpoint and malware analysis, threat intelligence and remediation capabilities, and that deliver not just rapid detection and response but continuous automated incident resolution.
“But most importantly, any solution must take people into consideration, both as strong and weak points in securing a system. People pose a more real threat than the processes within a company. Therefore, sensitisation is needed at all levels along with building a robust secure perimeter, based on a layered approach to prevent abuse,” says Suvorov.
In May 2016, ransomware attacked the power and water utility at Lansing, Michigan, USA, resulting in a loss of about $2mn. This, along with several similar hacks, appears to have increased utility concern about the security of their power systems.
“The scale, nature and speed of cyber-attacks targeting energy and utilities installations are changing as technology evolves,” says Eugene Kaspersky, CEO of Russian-headquartered cybersecurity firm Kaspersky Lab. “A few years ago, cyber-attacks were restricted to office software. But with increasing vulnerabilities in the software and hardware used in utilities, cyber criminals are now toying with digital industrial networks.”
According to Kaspersky, utility professionals say cyber and physical security is the most pressing concern for their companies with the majority of them stating it is either “important” or “very important” today.
“Today, security issues rank highly among utility concerns right from electric power generation, transmission to distribution, largely due to the distributed energy policy being adopted by utilities across the world,” says Kaspersky.
He says that increased attention to ongoing cyber threats around the world by the media and industry groups is amplifying the genuine concern about security of critical infrastructure.
“Cyber-attacks such as the one in Ukraine are not being treated in isolation by the industry. There is a genuine concern that similar attacks might take place elsewhere,” Kaspersky points out. “And utilities are starting to share vital information on cyber-attacks and threats.”
In fact, the real awakening to the reality of cyber threats in the Middle East is as recent as five years ago, and it comes on the back of a series of cyberattacks at some of the region’s largest installations.
In a recent report by PWC, 67% of participants said that within the past year, they have had at least one security compromise that led to the loss of confidential information or disruption to operations.
The report also revealed that 47% of the attacks were due to negligence on the part of staff members.
“People must be provided appropriate training to guide them in working on sensitive systems. At the same time, measures should be put in place to restrict movement of unauthorised personnel at the installation,” says Jari Kaija, senior vice president, ABB Group Services.
ABB’s Cyber Security Service Monitoring Service, powered by ServicePort, identifies, classifies and helps prioritise opportunities to improve the security of a control system. By overseeing the cyber security status of a control system, ServicePort collects system data for comparison against industry best practices and standards to detect weaknesses within a system’s defence.
“This pinpoints areas that require action to help protect your control system by ensuring it has multiple layers of security. The ABB Cyber Security Monitoring Service is non-invasive, and can be applied to any control system,” points out Kaija.
The reality of cyber-attacks has seen a significant increase in budgets for IT security worldwide with some utility companies creating divisions dedicated to cybersecurity.
General Electric is reported to have so far invested over $1bn into the Industrial Internet and cybersecurity solutions.
GE has acquired, for an undisclosed sum, Vancouver-based Wurldtech, which specialises in security software that protects big industrial sites used by the energy, chemical, nuclear and manufacturing industries.
Established IT companies are increasing cybersecurity solutions that target the utilities sector, as the industry becomes a clear target for cyber criminals.
“A lot of customers are smart about cybersecurity and most have strong IT security practices. What needs to happen is the operations technology security has to bridge to the IT practices,” says Ganesh Bell, chief digital officer, GE Power.
“The operations side is catching up. The other wrinkle here is the role of the government given that utility cyberattacks can be carried out by state actors. There are a number of private-public initiatives revolving around cybersecurity.”
Microsoft has invested more than $2bn improving smart and cybersecurity solutions for utilities infrastructure.
“In the past, we have seen C-level executives of organisations adopting a very conservative approach to technology adoption. They only view technology in terms of new business models and cost optimisation but often downplay the real possibility of this same technology being compromised,” says Kaspersky. “We see this changing as due consideration is now being given to the likelihood of cyber-attacks.”
“Another challenge has always been resistance from OT (operational technology) staff who do not want any interference with their existing technology set up. That is why we have based the genealogy of our solutions on passive ways of monitoring which leaves any existing technology set up intact.”
Kaspersky Lab recently signed a Memorandum of Understanding (MoU) with UAE-headquartered Injazat Data Systems (Injazat), an industry-recognised market leader for secure data centre and managed services solutions.
The agreement will see the two parties working together to develop a potential partnership in the areas of industrial IT security, cyber defence and other offerings.
As the drive to connect citizens and devices through smart city initiatives gains momentum in the Middle East, the threat of cyber-attacks remains real and its potential to ruin these dreams is inescapable.
This probably explains the growing market for cybersecurity solutions in the region, estimated to reach $13.43bn, according to a recent report by Cybersecurity Ventures.
IT security providers and industry analysts concur that any strategies towards achieving a virtual community must prioritise cybersecurity and suppress it at all levels.