The aging energy grid is in need of an upgrade. Converging challenges, such as distributed energy resources, electric vehicles and frequent extreme weather events, are pushing our infrastructure—some of which is over half a century old—to the limit.
As grid modernization efforts move full steam ahead to meet these challenges, security implications are often top of mind for utility executives. While cybersecurity has long been a priority for utilities, several recent factors are intensifying the level of urgency. For instance, there are a number of new compliance and reporting mandates, such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). On top of this, geopolitical tensions are significantly raising the risk of cyberattacks against critical infrastructure. Finally, the addition of much-needed technologies such as connected devices makes the grid more complex and challenging to secure.
So, when it comes to cybersecurity, what exactly is keeping utility executives up at night? According to Itron’s 2022 Resourcefulness Report (RIR), utility executives share a range of concerns, such as exposure or loss of enterprise data (47%) and customer data (45%), ransomware (43%), and cloud vulnerability and uncertainty (42%). The fact is, their trepidation is not unfounded. According to Skybox Security, 87% of utilities globally experienced at least one security breach in the past 36 months.
While cybersecurity can feel like a big undertaking, utilities can (and should) address cybersecurity and privacy concerns throughout the grid modernization process. Let’s dive into how.
Why Are Utilities Concerned?
In September 2022, I was personally reminded of the impact of climate disruption during Itron’s customer event in Marco Island, Florida. The island off Southwest Florida is typically a vibrant area filled with tourists, but this time was different. Our team was there right before Hurricane Ian hit, and while all our employees and attendees were thankfully safe, the Category 4 hurricane turned out to be the deadliest to make landfall in the state since 1935. For those in the industry, Hurricane Ian was a stark reminder of why we need to strengthen our grid.
Real-time data is one of our most valuable assets in creating a more resilient and reliable grid. Utility execs agree: nine out of 10 surveyed (93%) view real-time data analytics as very or extremely important. It provides the necessary insights to address utility challenges by improving grid resiliency, leak detection and consumer engagement, and, when combined with predictive analytics, it prepares utilities for what’s next.
Despite the importance of real-time data and analytics in the grid modernization process, some utilities have been slow to put their greatest asset to use. According to the RIR, nearly one-fifth of utilities equipped with at least some analytics technology aren’t using it. The leading barrier to deployment: data security/privacy. In the face of so many potential security threats, 81% of utility executives say they are extremely or very concerned about ensuring the privacy of customer data. Interestingly, less than half of consumers surveyed (42%) share the same concern.
Connection Between Grid Modernization Efforts and Cybersecurity Concerns
When a utility adds new technologies, it inevitably expands the attack surface. However, when it comes to real-time data analytics technology, it’s not just the added technology that needs to be considered, but also the frequency at which data is collected.
Along with the help of data analytics and opt-in demand response programs, granular information equips utilities to meet surging energy demands and enables end-users to reduce their monthly bill through personalized energy programs. While this data can be used for good, utilities are also aware that this information needs to be protected. There are privacy concerns, as well as the possibility for hackers to use this data to execute successful ransomware attacks—a top concern for utility executives (43%). For example, if a utility collects a meter reading daily and the data is compromised, a hacker can deduce when an end-user is out on vacation. If the frequency of the data collection increases and readings happen every minute, it is possible to get a clearer picture of their daily routine. With such detailed knowledge, a hacker may easily convince an end user that they are a representative of the utility.
Another rising concern is nation-state attacks. According to the U.S. Department of Homeland Security, “cyberspace has become the most active threat domain in the world and the most dynamic threat to the Homeland.” Moreover, it says, “the interconnectivity of critical infrastructure systems raises the possibility of cyber attacks that cause devastating kinetic and non-kinetic effects.” While these risks are alarming, it is hard for many utilities to focus on such a significant and elusive threat.
During a session at Itron Inspire, David Wollman, Deputy Division Chief, Smart Connected Systems Division, in the Communications Technology Laboratory (CTL) at the National Institute of Standards and Technology (NIST), highlighted this challenge. He noted that while we haven’t seen a real (prevalent) ramp-up in nation-state actor capabilities, the Russian invasion of Ukraine was a reset and a reminder that there is still conflict in the world. While it can seem impossible to defend against nation-state actors, Wollman recommends thinking about “all of the threats that you are worried about. What if you had someone really good that was orchestrating them in ways that were intentional?” When it comes to your cybersecurity program, that thinking “gets you to the next threshold up.”
Another key security concern named by 41% of utilities is a relatively new threat: cryptojacking. Cryptojacking occurs when attackers gain control of utility systems to mine cryptocurrency, and it is a stealthy threat, as many utilities don’t even know they have been hit.
Upleveling Cybersecurity Programs
Cybersecurity plans should have two main goals: preventing attacks from happening in the first place and limiting the damage that can be done if a hacker gets in. While not all-encompassing, I’ll walk through three key steps utilities should take to boost their security posture. These include: mitigating human risk, protecting IT and OT from one another with a robust demilitarized zone (DMZ), and layering on additional defenses to the most vulnerable targeted assets.
Let’s start with mitigating human risk. Hackers are always on the lookout for the weakest link. Today, back-end technology is built with security in mind and consistently being tested, making it difficult (but not impossible) for hackers to infiltrate. In turn, the most significant cybersecurity risk is—and always will be—the end user.
A widely circulated statistic notes that 95% of cybersecurity threats are caused by human error. This is usually a result of a simple phishing or social engineering attack. Remember: a hacker needs just one person to fall for a scam once. In fact, according to IBM’s 2022 Cost of a Data Breach Report, “ransomware and destructive attacks were responsible for more than a quarter of breaches in critical infrastructure industries.”
Standard defenses—multi-factor authentication, role-based access controls, internal audit processes, spam filters, disabling Microsoft Office macros, endpoint detection and response, data loss prevention solutions, etc.—certainly go a long way to making it easier for employees to make the right decisions and more challenging for bad actors to get in. However, employees must be prepared if a hacker bypasses these standard defenses. Security awareness can’t just be viewed as a check in the box; it must be embedded into a company’s culture.
Another key security measure is protecting IT and OT from one another by building a robust DMZ. Internal production networks, for example, should be separated from advanced metering infrastructure. This prevents a hacker from using more traditional hacking methods to get inside a utility’s IT network and then using that access to gain a foothold in the operational side. Plus, added security features such as firewalls and routers help monitor and gate what traffic goes in and out, where it initiates and where it’s allowed to go.
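To make the point about gating where traffic initiates and where it is allowed to go concrete, here is an added example (not from the original article) that audits a firewall rule set against an IT / DMZ / OT zone model. The zone names, subnets, rule format and the allowed-initiation policy are all assumptions constructed for illustration.

```python
# Added example: audit firewall allow-rules against an IT / DMZ / OT zone model.
# Zones, subnets, rule names and the rule format are constructed for illustration.
from ipaddress import ip_network

ZONES = {
    "IT": ip_network("10.10.0.0/16"),   # enterprise / internal production network
    "DMZ": ip_network("10.20.0.0/24"),  # brokers and jump hosts between the two sides
    "OT": ip_network("10.30.0.0/16"),   # advanced metering infrastructure
}

# Assumed policy: either side may open connections into the DMZ, and nothing else
# may cross a zone boundary, so no session ever runs directly between IT and OT.
ALLOWED_INITIATIONS = {("IT", "DMZ"), ("OT", "DMZ")}

def zones_touched(cidr):
    """Return every zone a rule's address range overlaps, so broad ranges are caught."""
    net = ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def audit(rules):
    """List (rule name, initiating zone, destination zone) for each forbidden crossing."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        for src in sorted(zones_touched(rule["src"])):
            for dst in sorted(zones_touched(rule["dst"])):
                if src != dst and (src, dst) not in ALLOWED_INITIATIONS:
                    findings.append((rule["name"], src, dst))
    return findings

# Constructed rule set: two compliant rules, one direct IT-to-OT rule, one rule whose
# wide destination range silently includes OT, and a final deny.
RULES = [
    {"name": "it-to-broker", "action": "allow", "src": "10.10.0.0/16", "dst": "10.20.0.10/32"},
    {"name": "headend-push", "action": "allow", "src": "10.30.1.5/32", "dst": "10.20.0.10/32"},
    {"name": "vendor-support", "action": "allow", "src": "10.10.4.0/24", "dst": "10.30.1.5/32"},
    {"name": "it-monitoring", "action": "allow", "src": "10.10.9.0/24", "dst": "10.0.0.0/8"},
    {"name": "block-rest", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, src, dst in audit(RULES):
        print(f"{name}: permits {src}-initiated traffic into {dst}")
```

The check is deliberately conservative: it does not model rule ordering, so an allow rule is flagged even if an earlier deny would shadow it on the real device.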
Lastly, it’s important to layer additional defenses onto the most valuable and vulnerable assets. Start this process by establishing a zero-trust architecture. The key is replacing implicit trust of end users with explicit trust—each system or application should determine whether to grant a user access based on identity management and verification processes. Next, apply protocols to verify which devices, applications and users can access networks and systems, as well as add extra levels of protection to the most valuable and vulnerable assets. When exposing any services to the internet, leverage industry best practices by selecting proven and independently-tested and verified technologies.
Finally, once you feel you are at a good place, bring in white hat hackers and third-party penetration testers to point out any weak areas. You’ll likely be surprised by what they uncover.
Grid modernization efforts are a necessity. As a greater number of distributed energy resources need to be managed, electric vehicles hit the road and extreme weather events occur, the grid will no doubt be pushed to its limit. Cybersecurity concerns should not hinder this effort but also can’t be overlooked.
Cybersecurity is an ongoing initiative, and no one tactic is foolproof. Hackers are experts at what they do, and the odds are in their favor. The goal of any utility should be to strengthen the perimeter and prevent hackers from running wild if they manage to infiltrate. When it comes to cybersecurity, there is no time like the present. Now is the time to prepare for cyber threats in a digital world.
—Don Reeves is SVP of Outcomes at Itron, a company that provides management solutions for utilities.