Critical infrastructure has faced a barrage of cyberthreats in recent years (a reported 2,000% increase). According to a recent survey by Siemens and the Ponemon Institute, 56% of utility network operators worldwide reported at least one shutdown or operational data loss per year, and 54% expected an attack in the coming year.
Although recent headline incidents have targeted water plants, such as the one in Oldsmar, Florida, and pipeline operators such as Colonial Pipeline, the utilities that manage the transmission and distribution of electricity have also been under sustained attack in the past few years: up to a quarter of North American electric utilities were affected by last year's massive SolarWinds supply-chain compromise, according to the North American Electric Reliability Corp (NERC), a non-profit industry regulator.
As industrial systems become more connected, they also become more exposed. Every newly connected system enlarges the attack surface of an industrial organization by putting one more sensitive system within reach of the network. All access to these systems must be protected, because malicious actors are constantly probing for weak spots and exploiting them to carry out their attack plans.
Here are three fundamental approaches that every utility organization needs to consider to protect critical infrastructure environments from cyberthreats:
Secure remote access to critical systems. Utility organizations need to genuinely adopt a zero trust security framework across the OT network: network segmentation, privileged access management, identity management, and login via passwordless MFA to stop credential theft.
Maintain a vulnerability management program that is OT specific. Trying to solve OT challenges with traditional IT security approaches is not feasible and will not yield the expected risk reduction: controllers and HMIs usually cannot be patched or rebooted on an IT cadence, so prioritization by process impact and compensating controls matter more than raw patch counts.
Maintain compensating controls in the OT zones where industrial machinery (levels 0 and 1 of the Purdue Model) at an electricity substation or on a factory floor does not run over traditional Ethernet networks, has weak to non-existent authentication mechanisms, and was traditionally isolated from any network connectivity at all.
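The segmentation and compensating-control points above can be made concrete as a zone-and-conduit check: assign each address range a Purdue level, allow only an explicit list of conduits between levels, and, because level 1 controllers cannot authenticate a caller, treat any state-changing Modbus request that does not come from a designated engineering workstation as a finding. The script below is an added example written for this page, not code from the original article or any vendor; the address ranges, conduit table, engineering workstation address, and sample flows are all constructed for illustration, and the Modbus function-code set is the standard coil/register write codes.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Purdue levels mapped to address ranges. Constructed for this example; a real
# site would derive this from its asset inventory and ISA/IEC 62443 zone model.
ZONES = {
    "L4_enterprise":  ip_network("10.4.0.0/16"),
    "L3_5_dmz":       ip_network("10.35.0.0/24"),   # jump hosts / remote-access gateway
    "L3_operations":  ip_network("10.3.0.0/24"),    # engineering workstations, historians
    "L2_hmi":         ip_network("10.2.0.0/24"),
    "L1_controllers": ip_network("10.1.0.0/24"),    # PLCs / RTUs with no authentication
}

# Conduits: the only permitted (source zone, destination zone, destination port)
# triples. Traffic inside one zone is allowed; everything else is a finding.
ALLOWED_CONDUITS = {
    ("L4_enterprise", "L3_5_dmz", 443),        # remote access lands on the DMZ gateway only
    ("L3_5_dmz", "L3_operations", 3389),       # gateway forwards into operations
    ("L3_operations", "L2_hmi", 3389),
    ("L2_hmi", "L1_controllers", 502),         # HMIs poll controllers over Modbus/TCP
    ("L3_operations", "L1_controllers", 502),  # engineering workstation programs controllers
}

MODBUS_PORT = 502
# Modbus function codes that change controller state (coil/register write variants).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Compensating control for unauthenticated controllers: only these hosts may write.
# Hypothetical address chosen for this example.
ENGINEERING_WORKSTATIONS = {"10.3.0.10"}


@dataclass(frozen=True)
class Flow:
    """One observed connection, e.g. from a span-port sensor or firewall log."""
    src: str
    dst: str
    dport: int
    modbus_function: Optional[int] = None  # parsed function code, if Modbus/TCP


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its Purdue zone, or None if it is outside every zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def check_flow(flow: Flow) -> list[str]:
    """Return the policy findings for one flow (an empty list means compliant)."""
    findings: list[str] = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        # An address outside every zone is itself a finding: an unknown asset,
        # or an IT-side host that should never be able to reach the OT network.
        findings.append(f"unknown zone: {flow.src} -> {flow.dst}")
        return findings
    if src_zone != dst_zone and (src_zone, dst_zone, flow.dport) not in ALLOWED_CONDUITS:
        findings.append(f"no conduit {src_zone} -> {dst_zone}:{flow.dport}")
    # The controller will accept the write regardless; the network policy has to say no.
    if (dst_zone == "L1_controllers" and flow.dport == MODBUS_PORT
            and flow.modbus_function in MODBUS_WRITE_FUNCTIONS
            and flow.src not in ENGINEERING_WORKSTATIONS):
        findings.append(
            f"modbus write FC{flow.modbus_function} to {flow.dst} "
            f"from non-engineering host {flow.src}"
        )
    return findings


def violations(flows: list[Flow]) -> list[tuple[Flow, list[str]]]:
    """Filter a batch of flows down to the ones with at least one finding."""
    return [(f, fs) for f in flows if (fs := check_flow(f))]


# Constructed sample traffic, not captured from any real network.
SAMPLE_FLOWS = [
    Flow("10.4.0.25", "10.35.0.5", 443),      # permitted remote-access hop
    Flow("10.4.0.25", "10.1.0.7", 502, 3),    # enterprise host straight to a PLC
    Flow("10.3.0.10", "10.1.0.7", 502, 16),   # engineering workstation download
    Flow("10.2.0.40", "10.1.0.7", 502, 3),    # HMI read, permitted
    Flow("10.2.0.40", "10.1.0.7", 502, 6),    # HMI writing a holding register
    Flow("192.168.50.1", "10.1.0.7", 502),    # address outside every zone
]

if __name__ == "__main__":
    for flow, findings in violations(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}")
        for finding in findings:
            print(f"    {finding}")
```

Run against the constructed sample, three of the six flows are flagged: the enterprise host reaching a controller directly (no conduit), the HMI issuing a write that only the engineering workstation is permitted to send, and a source address that belongs to no defined zone. The same rule set can be applied to firewall configuration as a pre-change review, or to passive sensor output as a detection, which is the point of a compensating control at levels 0 and 1: the device itself cannot refuse the request, so the network policy has to.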
All industrial operations are at risk from cyber threats, and utility organizations need to recognize that future attacks are a matter of 'when' rather than 'if'. An efficient way to address the highest risk factors for catastrophic and dangerous incidents is to perform a risk assessment based on accepted global frameworks such as the NIST CSF, aligned to the ISA/IEC 62443 and NERC CIP standards.
With a well-defined risk management approach and effective access controls that leverage identity and privileged access management solutions, utility organizations can improve their OT security posture and address the most prevalent identity-related weaknesses and risks identified by CISA.