Modernizing Cybersecurity Practices Within Utilities

The utility industry needs to be prepared to adapt at this time of uncertainty and change, rising prices, and international turmoil. However, it is becoming more challenging to comply with regulations and reduce risks as attacks against the infrastructure we depend on for energy, water, and food are becoming more frequent.

According to IBM, the average cost of data breaches rose to $4.4 million globally, which is a 13% increase from 2020. Skybox Research Lab also observed that organizations with operational technology (OT) environments tend to underestimate the risk of a cyberattack, and that 87% acknowledged that they had experienced at least one breach in the previous 36 months.

The utility industry must protect its critical infrastructure and supply chains as energy production becomes decentralized, more digital, and increasingly decarbonized. That said, regulatory compliance and risk mitigation are more challenging than ever, and vulnerabilities for utility organizations are increasing at an unprecedented rate.

OT Systems in Remote Areas

Although no industry is immune from cyberattacks (Figure 1), utility companies with OT environments are especially at risk. It’s understandable to want to bridge the OT and information technology (IT) gap given that centralizing and unifying remote management while extracting data analytics is equally valuable in boardrooms as it is on the factory floor. However, as a result of closing this gap, access to sensitive data is now possible through internet-connected devices, increasing the attack surface. Three potential issues are brought on by OT systems’ longevity and deployment in remote areas.

1. Locking down both operational technology and information technology systems is of critical importance to today’s utilities and power generators, as access to sensitive data becomes more available through internet-connected devices. Source: Envato Elements

First, it makes software obsolescence more likely. Software obsolescence happens when the developer and a designated third party stop offering regular updates, upgrades, and fixes, or when the target environment, systems, and hardware change, making the software inoperable. Second, it is likely to result in unpatched vulnerabilities because simple patching techniques may need extensive change management procedures due to the possibility of equipment failure or unexpected dangers. Lastly, it leads to a cybersecurity talent gap where specialized IT/OT architecture skills are lacking.

De-Risking IT/OT Convergence

Today’s business executives must get ahead of threats by looking around corners. Complete visibility and end-to-end teamwork are the pinnacles of secure network management, and the only way to navigate remediation complexity. IT and OT teams need solutions that advance a collaborative approach to prioritize critical vulnerabilities, strengthen security resilience, and reduce downtime. Here are five steps to de-risk IT/OT convergence in the utility sector:

■ Establish a mature, reliable, and enterprise-wide security posture management system. Unfortunately, many businesses are having to play catch-up when it comes to their security strategies. Teams spend more money on point solutions to address yesterday’s exploitations. This reactive approach perpetuates a vicious pattern in an attempt to keep up with the ever-changing threat landscape. Organizations should instead concentrate on implementing a mature and standardized enterprise-wide security posture management program. With visibility and context across IT and OT environments, utility leaders may minimize risk exposure by streamlining security planning, deployment, and repair procedures.

■ Implement automated processes to lower the risk of misconfiguration and maintain compliance. In a multivendor environment, the volume and variety of security controls, rules, and policies required make supervision and change management more difficult. Compliance is also a problem if necessary upgrades aren’t implemented. Workflow automation reduces the chance of misconfigurations by removing human errors, streamlining procedures, and including change processes and validation. Teams can also establish globally applied standards and guarantee future compliance.

■ Develop a common understanding among OT, IT, and security. Utilities must have access to a full view of their attack area. Skybox’s recommendation is to apply a network model. This offers visualization of all environments, both in their enterprise-wide context, and with set rules and configurations in mind. An enterprise can execute simulations and evaluations on all devices, vulnerabilities, and configurations when using the network model. Therefore, businesses can use their network model to evaluate the efficacy of security controls. Most importantly, a company also can check configurations and changes, identify and precisely measure their exposure, and assess access compliance with network segmentation regulations.

■ Remove security blind spots and silos. Teams can work together to discover and prioritize crucial vulnerabilities by combining and standardizing data from various devices. If IT teams improve visibility, understand what devices are in scope, how they interact, and what access they have to the environment, they can patch accurately and immediately without interrupting production. Teams can also patch gaps using passive assessment technology, which finds vulnerabilities in restricted network areas. For OT risk teams, having access to both active and passive vulnerability-identifying technology is crucial for gaining quick insights and providing scanless detection.

■ By leveraging remediation options beyond patching, downtime can be reduced. This method enables enterprises to determine the most dangerously exposed vulnerabilities and selects the best way to mitigate these risks. This flexibility is essential, particularly in OT environments with stricter requirements. Teams need a solution for calculating risk scores for assets that considers these four crucial factors—the asset’s measured Common Vulnerability Scoring System (CVSS) severity, asset exploitability, asset importance, and asset exposure based on the security controls and configurations in place throughout the network.

A comprehensive inventory of assets and vulnerabilities spanning IT and OT estates is the key to a successful cybersecurity strategy. The utility industry can achieve complete visibility across the attack surface, including third-party networks, through comprehensive modeling, analytics, and vulnerability detection that is both passive and active. As a result, they will be able to better recognize security threats, take preventative action to address them, and safeguard the most critical assets from vulnerabilities.

—David Anteliz is senior technical director at Skybox Security.