How utilities can help prevent cyberattacks in the age of IoT
Protecting critical national utilities infrastructure
While Industrial Internet of Things (IIoT) technologies enable operational improvements for utilities, they also bring increased cybersecurity risks. Whether initiated by terrorists, cyber hackers or nation-state actors, successful attacks can result in devastating consequences. Breaches of nuclear-based power plants and energy grids can affect the provision of energy, while cyberattacks on water facilities can lead to contamination or denial of drinking water. The risks to citizen safety, critical infrastructure, and the environment are alarming. Fundamental IIoT cyber hygiene, augmented with automation and artificial intelligence (AI), is critical to continuity of operations and service delivery for utilities.
Today, utilities leverage IIoT technologies in collecting data to monitor assets, gain operational insights, and improve efficiency and safety. Yet, as IIoT expands, attempts to exploit and gain access to industrial control systems (ICS) networks will continue. The attack surface in an IIoT-enabled environment can range from high-value assets or services to critical workloads in the cloud. It also can include process control systems in cyber-physical systems and critical business, operational, and consumer data. For example, the U.S. Department of Homeland Security (DHS) recently reported that the Dragonfly espionage group accessed Human Machine Interfaces (HMI) that control processes at several North American power generation utilities. While inside the system, the group copied configuration information and gained the potential to sabotage or take control of the facilities.
To better understand the state of IIoT security, the IBM Institute for Business Value (IBV) partnered with Oxford Economics to survey 700 executives from industrial and energy organizations in 18 countries, including 120 from utilities. At the time of the survey, all 700 organizations were implementing IIoT in their operations.
The research confirmed that utilities are early and extensive adopters of IIoT technologies. Respondents say their organizations primarily apply them for alarms, meter reading and real-time equipment monitoring, generating huge volumes of data that move across supervision and control networks.
However, utility executives are apprehensive about the security of their IIoT endpoints. Devices and sensors are cited by 24 percent of respondents as the most vulnerable parts of their IIoT deployments. Utility executives are also concerned that data on these devices and sensors, as well as on gateways, is not adequately protected. Twelve percent of utilities are concerned with the vulnerability of data in the cloud.
On average, utilities rate the exposure of sensitive data as the highest-impact IIoT-related risk. This includes billing and revenue information (from smart grid and smart metering systems), control systems information, and employee and customer data. Power utilities are more concerned with production disruptions or shutdowns and the resulting damage to their reputations. More than half of all utilities are worried about the potential impact of regulatory violations and damage to equipment.
Why haven’t utilities closed the gap?
Utility companies are clearly aware of the cybersecurity risks, but 70 percent say they have—at most—a moderate understanding of IIoT cybersecurity. Survey results reveal that utilities lack fundamental IIoT cyber hygiene—the organization, technology and processes required to mitigate the risks.
While power utilities have a way to go before their operations can be called “secure,” they do have a better grasp of the security needs of their IIoT deployments and connected cyber-physical systems than water utilities.
Eighteen percent of power utilities have formal IIoT cybersecurity programs to establish, manage and update required IIoT cybersecurity tools, processes and skills, compared to only 2 percent of water utilities.
Our respondents also report being challenged to apply or comply with a plethora of regulations, standards and guidelines. In addition, 39 percent of power and 30 percent of water companies from our survey have industrial production networks and aging infrastructures that are difficult to update. Security was an afterthought for many early-generation industrial control system applications, such as the smart grid, and legacy devices were often manufactured with less attention to security.
Though power companies’ programs are more mature on average, the IIoT cybersecurity capabilities of both groups are nascent. They face significant challenges that account for the gap between IIoT technology and cybersecurity deployment and prevent comprehensive IIoT cybersecurity.
Talent gap exacerbates technology deficiencies
Forty-nine percent of water and 40 percent of power utility executives surveyed are experiencing a cybersecurity talent shortage. In addition, velocity and scale are challenges when defending complex utility infrastructures with numerous IIoT technologies. Our research shows 44 percent of water and 30 percent of power utility executives face such big data challenges.
They struggle to effectively manage, analyze, and apply the data ingested by their security tools to support detection and remediation efforts.
Meet the authors
Steven Dougherty, Energy, Environment and Utilities Business Development Executive, IBM Security
Lisa-Giane Fisher, Leader, Middle East and Africa, and Global Benchmark Research leader, Utilities industry, IBM Institute for Business Value
Mark Holt, Security Business Development Leader, IBM Global Energy, Environment and Utilities
Cristene Gonzalez-Wertz, Global Electronics, Environment, Energy, and Utilities Research Leader, IBM Institute for Business Value
Originally published 30 January 2019