Proactive measures to secure utilities  

Theresa Lanowitz, director, AT&T Cybersecurity, explores the threat of ransomware against utility companies and how they can protect themselves using an offensive cybersecurity strategy

Since the beginning of the year, several cyberattacks have directly impacted the utilities sector. We’ve seen water treatment plants attacked, as well oil pipeline systems. These attacks clearly indicate the dangers that await organisations operating in this sector.  

The online systems of critical infrastructure organisations are valuable targets for hackers, both because of the mass disruption caused when successful and the high ransoms earned in the aftermath - which can spiral into the millions. With the convergence of IT and OT systems, there has been an exponential growth of IoT devices which has heightened the concern over the digital security of these systems. In fact, global management consultancy firm McKinsey states the challenges faced by the utilities sector are unique and not found in other industries, making the situation even more challenging.   

Ransomware is prolific   

There are some within the cybersecurity industry that may have thought the global pandemic would have slowed the number of ransomware attacks, but cyber criminals have shown no mercy, targeting essential services that are heavily relied upon like hospitals, schools and critical national infrastructure (CNI).   

As seen with recent attacks, ransomware was the method used to exploit systems. But why? Because it’s cheap to deploy, has a high success rate and, many organisations that suffer a ransomware attack will likely pay the ransom to avoid having systems down for a significant period of time.   

For those that may lack the expertise or resources to handle the necessary demands of security, seek external services and consultancy advice. Cybersecurity threats like ransomware can no longer be ignored and the latest wave of attacks should be the wake-up call for the utilities sector to take cybersecurity more seriously.   

Offence the best form of defence  

Given that malicious actors are continually evolving their tactics to steal sensitive data, intellectual property and other digital assets, utility companies would benefit from an offensive approach to cybersecurity.  

For instance, by leveraging threat intelligence, organisations can better understand their attackers, their methods, why they are attacking, and what assets they are most likely to focus on. This can help security professionals make decisions based on data-driven insights to prepare, identify and prevent a cyberattack – decisions that can potentially save millions of dollars.  

Business executives can also use threat intelligence to gain insight into business risks, discuss with other team members where to focus attention and, make business decisions regarding where to allocate funding for security purposes. Furthermore, organisations can create and manage their own threat intelligence feeds with the ability to filter potential threats based on specific markets or geographical locations to flag patterns of interest that can be actioned.   

Threat intelligence adds an additional layer of resilience to utilities and is an integral part of understanding the inner workings of networks, systems, processes and applications within the company.   

The importance of risk-based security  

As mentioned, the convergence of IT/OT has now become a reality, with CNI providers utilising technology to reduce overall costs while still being efficient. This has elevated the concept of industry 4.0 with Internet of Things becoming synonymous with this sector. Yet, with the rise of connected devices within these environments, the attack surface has also expanded, putting OT systems in jeopardy.   

Traditional security methods are becoming obsolete, especially for legacy systems within the CNI environments; and this is presenting a challenge for security teams to effectively secure the entire perimeter. A lack of visibility has been highlighted as a key issue as blind spots in the defences are continually being exploited.  

What many fail to realise is technology investment alone will not guarantee total protection against cyberattacks. Businesses and security teams need to look beyond technology and should incorporate risk and resilience into the equation. A step in the right direction involves taking a risk-based approach to security and involves identifying, focusing and prioritising specific areas of risk to remediate. This targeted approach can help security teams focus their attention on the biggest vulnerabilities and issues that can impact the most critical areas of the business instead of spreading themselves thin by trying to fix everything across the entire network.  

By incorporating a risk-based approach that harnesses threat intelligence it will help organisations adjust the balance of their security-risk appetite while having the ability to fully understand their adversaries. There is no one-size-fits-all to cybersecurity, it doesn’t exist. Therefore, business decision-makers and security professionals need to be singing from the same hymn sheet in order to accurately determine security strategy and budget to help the organisation evolve with the ever-changing threat landscape.