It is a timely discussion: Australian defense contractor Austal recently suffered a data breach at the hands of an unknown rogue agent. The attackers broke into its systems and stole emails, design drawings, blueprints for naval intelligence and more. Earlier this year, U.S. intelligence admitted that their domestic power stations had been the subject of cyberattacks, while a few years back, Ukraine’s power grid was hacked, too. Critical network infrastructure is a legitimate target now, the threat is real, and utilities networks like water, electricity and gas are all at risk.
Where are we now?
The current situation in Australia is that utilities industries have seen the potential on offer with Industrial IoT (IIoT) solutions and are increasingly deploying connected meters and sensors. Sensors give utilities companies access to massive amounts of operational data that they can rationalize with data analytics tools to help them optimize operations and ultimately make their offerings more flexible and more efficient.
IoT-enabled smart meters, for example, enable companies to track energy consumption more accurately and have been forecast to save utility companies as much as $157 billion globally by 2035. But, for all the benefits and potential that IIoT brings to utilities companies, its very nature also presents more risk: the fact that more assets and devices are connected means more potential points of attack for malicious agents. And attacks on industrial targets are becoming more frequent and more costly.
How do you protect utilities against threats?
Begin by asking yourself the right questions. Perhaps the most common-sense approach to security in the IoT era is to assume that it is a case of “when” rather than “if” you will be the victim of an attempted attack.
Orange's dedicated Cyberdefense division has found that security vulnerabilities in industrial organizations tend to cover all the bases: unsecured firmware and operating systems, missing detection tools, outdated anti-virus solutions and no security audits in place. When you are operating something as nationally critical as a water or electricity network, this situation has to be improved.
So, start from a position of “when” and work backwards. If your utility company is the victim of a breach via a connected device or your central management console, do you have a crisis management plan in place? Have you sat down and evaluated roles and responsibilities, and the associated tools and processes you will need in the event of a breach? They must be clearly defined and understood.
Further to that, as a utilities company, you will have large numbers of IoT assets deployed in the field: how are you managing these assets and maintaining them? Are they individually identifiable via a unique serial number or similar? Who manufactured these devices and did they include any security features on them, and indeed is the manufacturer a partner capable of supporting you in securing these endpoints?
At the network level, do your IoT devices use LoRa, 3G/4G mobile networks, the public Internet, a private network or a combination of all of the above? Is traffic encrypted between devices and management consoles? Can the connectivity of these devices support remote monitoring for health checks and troubleshooting?
There is a myriad of questions that all have relevance to utilities providers in the IoT world.
The right strategy for the right way ahead
Orange Cyberdefense has developed a 5-step process for securing IoT in industrial organizations, tailored to helping utilities companies stay safe.
1. Identify: Identify the critical assets in your utility’s IoT environment, conduct an audit and evaluate potential risks and vulnerabilities. Also, identify any organizational and governance holes that need to be plugged. Questions to ask here are about who owns assets and what risks are potentially present.
2. Protect: Continuously think about raising awareness. Segmentation applies here, too: segment your operational technology and information technology (OT/IT), and ensure back-up and restore solutions are in place and up to date.
3. Detect: Monitor all devices and processes in real time, collecting and correlating data on OT and IT events.
4. Respond: Protect your organization by enacting a crisis management plan, digital forensics, malware analysis and post-incident analysis.
5. Anticipate: Head off potential threats at the pass using threat intelligence, vulnerability anticipation and analysis, and ethical hacking to preemptively spot potential weak points.
The right partner for the right approach
Governments are now aware of their role in securing critical network infrastructure like utilities companies: Orange recently agreed a collaboration with CERT NZ, a dedicated New Zealand government cybersecurity unit that supports businesses, organizations and individuals affected by cybersecurity incidents. CERT NZ will aggregate and analyze threat and vulnerability data from Orange, and CERT NZ will in turn advise Orange of threats and vulnerabilities so we can integrate them into our threat intelligence feeds and analysis tools. Partnering with the right specialist really does drive results.
In addition to this world-leading carrier-grade expertise, Orange and GHD launched the Intelligent Infrastructure Assets Alliance [iA]2 to help Australasian enterprises in mining, transport, water and smart cities gain instant intelligent insights from their global infrastructure assets. Furthermore, GHD brings extensive SCADA and Operational Security advisory expertise and experience to the partnership.
IoT is here to stay in the utilities world, and with the proliferation of different threats in the world today, security has never been more important. According to Gartner, 59 per cent of global utility CIOs said they either have already deployed IoT or have it in short-term planning, while Research and Markets forecasts that by 2020, the global IoT utilities market will be worth nearly $12 billion. Keeping your utility offering secure and protected means asking the right questions, working with the right partners and putting the right measures in place.