Utility companies are responsible for some of the most critical infrastructure in the world. Disruptions to or interference with the supply of water, gas or power can be catastrophic. As the world is becoming exponentially more connected, threats to these infrastructure systems are growing in both number and complexity, especially for electric utilities. Now is the time for companies to prepare for the future and work toward a more secure world by taking proactive measures to secure their systems and the power their customers have come to rely on.
Trouble Behind, Trouble Ahead?
In December 2015, operators at a major Ukrainian power grid lost control of the system to a group of unknown hackers who ultimately gained control of three stations and shut off power for several hours for approximately 225,000 customers. A year later, a Kiev, Ukraine transmission station was attacked by malicious code (presumably from the same group of hackers) that caused a blackout in the country’s capital, marking the first ever fully-automated grid attack.
As December 2017 rolled around, many security experts and diplomats were left wondering if another attack in Ukraine was imminent, with industrial-cybersecurity firm Dragos noting a spike of activity in the country from the same malicious group. No mention of a specific attack in Ukraine has been reported but, in December, authorities did report an attack against power-plant software that resulted in disruptions at an undisclosed plant. Regardless of where this attack occurred, concerns exist well beyond Ukraine.
Three Simple Steps Toward Cybersecurity
In this game of electronic cat and mouse, there’s no one right answer, but preparing yourself and your systems to be more secure is easier than it might seem.
1. People First – Your first line of defense is the people who spend time working with, in, and connected to the system. Keeping critical system information and access on a “need to know” basis is the best place to start. This helps ensure that only the necessary, relevant parties have access to critical systems. With access criteria established, ongoing training on everything from email and Internet best practices to system operation can help eliminate human error. Start by training employees to understand the prevalent cybersecurity risks, and reduce the opportunity for an employee to make mistakes by allowing access only to what is needed to execute job requirements.
2. Remain Diligent – From vendor selection to routine product maintenance, this step is critical because the environment is constantly changing. The best foundation is a formal set of requirements and specifications that covers all third-party products, devices and software. All new products should be evaluated to these specifications and they should be used to verify all supplier claims. Additionally, products should be validated throughout their use to ensure they continue to meet security requirements in a changing vulnerability landscape. Finally, updates and patches should be scheduled and implemented routinely. These updates often fix potential vulnerabilities that have been identified and help to keep your software current.
3. Consider a Third-Party Evaluation – Vendor guarantees are helpful and internal processes and evaluations are necessary, but engaging with an extra set of eyes can offer much-needed peace of mind. The certification process for UL’s Cybersecurity Assurance Program was based on UL 2900, Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements. This series of standards verifies vendors’ cybersecurity claims and helps provide added assurance that their products meet industry-accepted best practices.
There is currently no single way to provide perfect cybersecurity. As bad actors grow more creative and aggressive, the risks simply continue to grow; however, it’s possible to mitigate some of these issues by remaining committed to the cause. And, when working in a high-target industry such as electric utilities, there’s no time like the present to stay one step ahead.
About the author: Ken Modeste is the principal technical advisor and SME for UL’s cybersecurity program. Previous to UL, Ken served as an engineering manager for GE for 12 years. He began his career as a software engineer for GTech Corporation after completing a Bachelor of Science degree.