Cybercrime is evolving – as are its targets. While information theft remains the most expensive and fastest-rising consequence of cybercrime, core systems, such as industrial control systems, are also being targeted – with increasing frequency.
By Wandile Mcanyana, security lead for Accenture in Africa
The July 25th ransomware attack on the power utility makes it clear that African countries (and utilities) are as much at risk as those in any other region. It’s a wake-up call to executives, regulators, and governments across the continent.
According to research conducted by Accenture, 57% of utility executives globally are concerned with cyberattacks’ potential for disrupting power supplies. Fifty-one percent are concerned with data theft and 31% with the possibility of cyber ransom. More than half believe their countries face at least a moderate likelihood of supply interruption due to cyberattacks within five years.
Both transmission networks as a whole and local distribution grids face threats. Although a typical distribution grid has neither the size of a transmission network nor the same risks of cascading failure, it nonetheless has the same vulnerabilities.
Breaches by a wide range of potential attackers can have devastating impacts along the entire electricity value chain, from generation through to consumers. More importantly, a successful attack has the potential to erode public trust in the utility and raise questions about the security of all devices.
Utilities are at varying stages along the cyber protection maturity curve. Some are working toward compliance with local security standards, while others have already achieved compliance and are working on developing security as a core business capability.
Indeed, compliance alone may not be enough. Utilities need to invest in resilience as well as effective response and recovery capabilities. They need to cultivate the ability to share threats and system irregularities between grid control, security operations, network operations centers and beyond. It’s an outcome that can only be achieved if business silos between IT, OT and system operations are dissolved.
Many distribution utilities still have some way to go in developing cohesive cyber responses. More than 40% of respondents in an Accenture study said that cybersecurity risks were not, or were only partially, integrated into their broader risk management processes.
Yet there are additional actions utilities must consider if they are to achieve improved security. Experience from other sectors, such as financial services and retail, shows that attackers have routinely breached infrastructures considered fully compliant with regulations. The reason is that regulation often tends to be too generic and lags behind actual threat intelligence, making it an inadequate benchmark for effective security. Designing and building resilient systems, in which security is embedded, is key.
Are Smart Grids the way forward?
Smart Grids are grids that offer increased intelligence and connectivity between industrial control systems. They aim to drive significant benefits in the form of safety, productivity, improved quality of service and operational efficiency. Yet, there is a fear that the same enhanced connectivity could also create opportunities for cybercriminals to launch attacks.
Indeed, the integration of information technology with operational technology may create the potential for new attack vectors. However, as the recent attack on the power utility proves, electricity grids are already at risk.
The reason is that many utilities use control systems that work on outdated or vulnerable operating systems, sometimes without sufficient processing power to run effective virus scans. A lack of encryption or authorisation on communications channels can also pose a problem.
To effectively defend against cybercrime, smart grids must integrate consolidated, end-to-end IT/OT and physical security into their design. This should be achieved through certificate-based, device-level authentication (where feasible), network protocols that support encryption, application security, network segmentation, security monitoring, incident response, and a hardening process to confirm vulnerabilities are managed in a timely fashion.
The path forward
Globally, utilities must move toward improved resilience and responses to cyberattacks. While the path is not a straight route, several key steps will aid in the move toward robust defense. Among the steps utilities may consider are:
* Investigating platform approaches to cybersecurity. Deregulation has left many small- and medium-size distribution businesses without the resources needed to develop their own cybersecurity capabilities. For such businesses, it may be valuable to find ways to pool resources or look to platform-based models and technology solutions able to address common cybersecurity challenges without needing to build their own internal capability.
* Integrating resilience into asset and process design. Many utilities still operate systems and assets designed before the advent of computers, and certainly before the emergence of cyberattacks. Moving forward, incorporating cybersecurity into asset and process design could make the distribution system more resilient.
* Sharing threat information. Common threats are likely to be faced by distribution businesses. Sharing intelligence and information is a critical activity that could help create situational awareness of the latest threat landscape and how to prepare accordingly.
* Developing cybersecurity management models. Here, each distribution business will need to consider its organisational and operational contexts (top-down versus decentralised, for example) to devise the most effective approaches.
To summarise, today’s cybersecurity demands are increasing – radically. For utilities, mitigating vulnerabilities means going beyond regulatory requirements and considering their entire extended ecosystems end to end. Developing this new capability will require ongoing innovation, a practical approach to scaling and collaboration with expert partners to drive the most value.
A cool head and an openness to change are critical first steps. Otherwise, utilities – and their customers – may be left in the dark.