Utilities face a unique challenge in the cyber arena. You are responsible not only for keeping up with the evolving threats that plague other organizations, but also for keeping people’s lifelines open.
Just look at what is happening in Texas right now. Thousands of people are without power and water in the middle of a storm that the infrastructure isn’t built to deal with. Pipes are bursting. People are suffering.
Electricity, water, gas… these things are what people need to survive. As we’re seeing by the sheer outrage on social media and global news coverage of the Texas storm, the first ones to be blamed are the utilities and cooperatives.
It only gets worse if it’s a cyber incident. Let’s look at an example – the water treatment facility near Tampa.
The state of water and utilities today
There has been a lot of attention in the news recently about the potential breach of the Water Treatment Facility near Tampa, Florida. It raises a major question about the security of similar facilities across the country. The supply of water in the United States comes in all shapes and sizes, primarily because of the nature of the supply of suitable water. These companies aren’t just dealing with living water; they also handle waste water, which means more treatment before delivery.
How water is supplied depends on the geography, on which water sources are available, and on what needs to be done to treat the water. There are large organizations that control the supply of water for major metropolitan areas, and those organizations will have implemented some measure of cybersecurity controls. However, a large number of the organizations that supply water are going to be small and very regionalized. In some cases they are only supplying water to a single town or even just a portion of a town. For example, the Water Treatment Facility that was in the news only services 15,000 people.
This is similar in the electric and power industries as well. Many smaller energy companies band together to form co-ops to service different areas. This is why an apartment complex can be without power but the parking lot across the street can have it on. It all depends on where the line falls.
Utilities getting hacked have real-life impact
The challenge is that many of these utility organizations have limited resources and budget to implement cybersecurity policies that are needed to protect their systems. When a retail organization has an incident that impacts their sales, people can get annoyed because they can’t buy their shoes. If a power grid gets hacked – it can take people’s living conditions away. Very big difference here.
The backlash that the Tampa treatment center got from the cybersecurity community was staggering. It can seem that, because they have a small landscape, cyber isn’t as big of a priority. However, that limited attack surface can cause major damage to people’s lives. It’s important to pay attention to a few key controls which can significantly reduce your risk and potential exposure to attack. First, raise awareness of the issue and be prepared to do something to improve your state. You cannot just decide your organization is too small and not a target. Cybersecurity awareness, especially at the top levels of the organization – including the Board, is a must if anything is to be done.
What can be done?
Back to Basics
Pay attention to the basics. Make sure you keep all software patched and up to date. Old systems running outdated operating systems do need to be replaced. That will take investment, so start now to map out how to replace them with updated operating systems that will be patched regularly and provide the needed cyber defense capabilities.
Pay attention to credentials and implement policies that significantly reduce risk. If your systems support MFA, then make sure it is implemented. Use complex passwords for all access, especially to critical operational technology, and set a policy to change passwords frequently. Separate privileged accounts from accounts used for daily operation – even when used by a single person.
Managing Remote Workers
With more people working from home today, you may need to implement additional controls to ensure only authorized individuals gain remote access. You can see an example of both of these points in the video at the top of the page.
Additional Controls and Policies
Depending on the size of your organization and its associated complexity, you may need to ensure additional controls and policies are in place. These can include the implementation of firewalls, network segmentation, an accurate inventory of all IT assets and systems, and the establishment of cybersecurity training programs for all employees.
It is important to remember that organizations of any size can and must do what they can to reduce risk and improve their overall cybersecurity state. Focus on the areas that can be implemented quickly and without massive cost – which often can significantly lower risk. This is most critical for utilities due to the nature of the business and the potential impact to the customers they serve.