Guest Column | November 3, 2022

6 Steps Utilities Can Take To Improve Cybersecurity

By Mark Carde


With the rise of digitalization in the water industry, utilities must take steps to ensure that their network — and thus public water — is protected from bad actors and outcomes.

Cybercrime is on the rise, and the utility industry has become an increasingly common target. The water and energy sectors play a critical role in U.S. infrastructure, and events such as water or gas shortages, severe weather, and rolling blackouts can give cybercriminals ample opportunity to wreak havoc on utilities and the communities or government agencies they serve.

A recent report [1] found that 94% of global critical infrastructure organizations (e.g., utility providers [2] and government agencies) face difficulties when implementing cyber-threat detection protocols, multi-factor authentication, and protection and rapid response strategies. In fact, only 37% of U.S. critical infrastructure organizations are utilizing multi-factor authentication, and a mere 29% have implemented zero-trust architecture. [3]

U.S.-based organizations are no exception. Last year, the FBI received 847,376 complaints [4] of suspected cybercrime, with losses reaching around $6.9 billion.

How Can Utility Providers Protect Themselves?

There are six main ways that utilities can safeguard themselves from unwanted cyberattacks:

  1. Promote and implement security education and awareness within your organization through regular training and protocols.

According to the IBM Cyber Security Intelligence Index Report, 95% of cybersecurity incidents were caused in part by human error. [5] Phishing emails and smishing [6] text messages have dramatically evolved. They now appear more convincing and authentic than before. Even social media platform Snapchat unwittingly fell victim to a phishing [7] attack in 2016.

Hackers are upping their game and using more creative ways to access sensitive data. That’s why all employees and personnel should understand how to identify and prevent cybersecurity incidents.

  2. Learn how to identify and report email or text message scams.

Cybercriminals often use email and text messages to gain access to a company’s digital infrastructure or data.

According to the Federal Trade Commission (FTC), [8] these messages often appear to be sent by a trusted organization or business, such as a bank, social media platform, online payment app, or even credit card company. The sender may claim they’ve noticed unusual activity linked to an individual’s banking account, include a fraudulent invoice, or request identity verification.

By training employees to approach text or email messages from third parties with a healthy amount of skepticism, utility companies can avoid data breaches, ransomware attacks, disruptions, and more.

  3. Use strong passwords.

Teaching employees how to implement strong passwords is the first line of defense against cybercrime. Passwords should include a random combination of letters, numbers, and characters. Employees should also be told to refrain from sharing their account passwords with anyone else.

  4. Implement multi-factor authentication.

Multi-factor authentication [9] requires users to verify their credentials using additional layers of security. This multi-tiered approach adds additional protection to any device, online network, or database. Even if a nefarious third party breaches the first authentication request, it’s unlikely that they’ll successfully gain access to the second. Multi-factor authentication typically asks users to provide answers to personal questions, but entering a second or third password here can add further protection to one’s account.

  5. Implement standard tools and technologies that can protect your utility from unwanted cyberattacks.

Because non-U.S.-based hackers often target American businesses, it may be helpful for utilities to block traffic from countries or locations in which they don’t conduct business or offer services. Some cybersecurity experts believe that the biggest digital threats [10] stem from Russia or China, so prohibiting traffic from these areas could help protect your utility from unwanted threats.

Working with remote employees also presents unique challenges. Make sure that all connected devices are managed by your utility. Block unknown devices and ensure that any employees who log in are who they say they are. Certain tools and applications allow remote employees to validate their identities, whether using unique codes or other identifiers like their fingerprints.

It’s also important to adopt a standard — whether it’s protocols set forth by the National Institute of Standards and Technology (NIST), [11] ISO, or the PCI Security Standards Council. Implementing processes, controls, and procedures will establish a solid framework. Although these policies may evolve due to changing threats and technology, they create a strong foundation that will protect your utility. These protocols will also guide teams that need direction, helping them move forward productively.

  6. Update and modernize Internet of Things (IoT) devices.

The more devices you use, the more risk you take on. This is especially true in the areas of distribution and generation for water, gas, and electric providers. These utilities use many devices that reduce workload and streamline meter readings. All of them are typically network-enabled, making them vulnerable to unwanted third-party access.

Make sure to keep a detailed inventory of all devices. It’s also critical to keep these devices updated and replace them with newer equipment when necessary. Failing to do so can lead to disaster. If hackers infiltrate a network-connected device, they could increase gas or chemical flow in a certain area, causing an explosion that has the potential to harm communities.

Conclusion

New and evolving cybersecurity threats have the potential to cause significant damage to utilities and the communities they serve. How can utilities protect themselves?

Training employees to identify phishing and smishing messages, implementing security measures, and updating network-enabled devices can keep utility providers safe from falling victim to cyberattacks.

References

  1. https://www.trellix.com/en-us/assets/docs/tcrr-path-to-cyber-readiness-preparation-perception-and-partnership.pdf
  2. https://www.powermag.com/digitalisation-and-cyber-resilience-why-the-energy-and-utilities-sector-is-a-top-target-for-cybercrime
  3. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
  4. https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
  5. https://thehackernews.com/2021/02/why-human-error-is-1-cyber-security.html
  6. https://www.kcra.com/article/what-is-smishing-police-warn-of-scams-sent-via-text-messages/10366054
  7. https://techcrunch.com/2016/02/29/snapchat-employee-data-leaks-out-following-phishing-attack/
  8. https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
  9. https://www.cisa.gov/mfa
  10. https://www.cybersixgill.com/blog/chinese-russian-cyber-threats/
  11. https://www.nist.gov/cyberframework

About The Author
Mark Carde, CIO, VertexOne (www.vertexone.net), is responsible for overseeing IT infrastructure and information security and works with general counsel on risk and compliance functions. He has more than 33 years of experience in information systems management and has a depth of experience in control objectives for IT, information security (PCI/NIST/ISO), and risk management for IT functions in the energy and utility industry.