Utilities have a unique challenge in the cyber arena. You are responsible not only for keeping up with the evolving threats that plague other organizations, but also for keeping people’s lifelines open.
Just look at what is happening in Texas right now. Thousands of people are without power and water in the middle of a storm that the infrastructure isn’t built to deal with. Pipes are bursting. People are suffering.
Electricity, water, gas… these things are what people need to survive. As we’re seeing by the sheer outrage on social media and global news coverage of the Texas storm, the first ones to be blamed are the utilities and cooperatives.
It only gets worse if it’s a cyber incident. Let’s look at an example – the water treatment facility near Tampa.
The state of water and utilities today
Utilities getting hacked have real-life impact
The challenge is that many of these utility organizations have limited resources and budget to implement the cybersecurity policies needed to protect their systems. When a retail organization has an incident that impacts its sales, people can get annoyed because they can’t buy their shoes. If a power grid gets hacked, it can take people’s living conditions away. That is a very big difference.
The backlash that the Tampa treatment center got from the cybersecurity community was staggering. It can seem that, because they have a small landscape, cyber isn’t as big a priority. However, even that limited attack surface can cause major damage to people’s lives. It’s important to pay attention to a few key controls which can significantly reduce your risk and potential exposure to attack. First, raise awareness of the issue and be prepared to do something to improve your state. You cannot just decide your organization is too small and not a target. Cybersecurity awareness, especially at the top levels of the organization – including the Board – is a must if anything is to be done.
What can be done?
Back to Basics
Pay attention to the basics. Make sure you keep all software patched and up to date. If you have old systems in place with outdated operating systems, they do need to be replaced. That investment is going to be needed, so start now to map out how to replace them with updated operating systems that will be patched regularly and provide the needed cyber defense capabilities.
Pay attention to credentials and implement policies that significantly reduce risk. If your systems support MFA, then make sure it is implemented. Use complex passwords for all access, especially to critical operational technology, and set a policy to change passwords frequently. Separate privileged accounts from accounts used for daily operation – even when both are used by a single person.
Managing Remote Workers
With more people working from home today, you may need to implement additional controls to ensure only authorized individuals gain remote access. You can see an example of both of these points in the video at the top of the page.
Additional Controls and Policies
Depending on the size of your organization and its associated complexity, you may need to ensure additional controls and policies are in place. These can include the implementation of firewalls, network segmentation, an accurate inventory of all IT assets and systems, and the establishment of cybersecurity training programs for all employees.
It is important to remember that organizations of any size can and must do what they can to reduce risk and improve their overall cybersecurity state. Focus on the areas that can be implemented quickly and without massive cost – which often can significantly lower risk. This is most critical for utilities due to the nature of the business and the potential impact on the customers they serve.