Seven steps for utilities to secure their infrastructure
By Balu Ambady, Sensus
From credit card numbers to Social Security numbers, much of our personal information is online for the taking. In fact, more than 175 million records were exposed in the first half of 2015, according to the Identity Theft Resource Center. Data breaches can happen to any person or company. The same is true for utilities.
More utilities than ever use advanced metering infrastructure (AMI), a combination of smart meters and communications technology, to gather usage data and other important information. This information helps them conserve energy and water and improve operations and customer service, among other benefits. It is, however, vulnerable to attacks. To be sure that infrastructure and data are protected, utilities must take time to develop a strong security plan for their AMI deployment.
The following seven steps can be used to set up a line of defense:
No. 1: Create a culture of security
A company culture of security has many benefits, so it is important to get upper-level support for the program. Hackers will have fewer routes into the system if all employees and systems comply with a security policy.
No. 2: Set up simple procedures for network access
Develop a framework of policies that clearly defines roles and responsibilities for security management. These policies, supported with step-by-step procedures, should instruct the IT and security teams on setting up a layered defense using firewalls, encryption, backups and more. This helps protect the organization and address any issues that may arise.
No. 3: Stick with a deployment plan
Proper planning is the key for a smooth and secure AMI deployment. First, assess network security to identify potential threats. Next, implement several of the following technologies to ensure the network has a layered defense:
a. Integrate your network with a demilitarized zone (DMZ). Data center DMZs with dual firewall architecture tightly regulate a network’s traffic activity. AMI servers deployed in a data center should be integrated with the existing DMZ to provide an added layer of security.
b. Set up role-based access control. Servers and systems in your network must be controlled with role-based access control (RBAC). This restricts access to authorized users based on their role. For example, users who manage smart meters will access different areas of the network than system administrators.
c. Use multifactor authentication. Use multifactor authentication (MFA) for administrators who require remote access to your system. MFA verifies a user’s identity by requiring multiple methods of authentication. For example, remote users may need a token-generated PIN in addition to their username and password.
d. Safeguard with IDS and IPS. Place intrusion detection systems (IDS) and intrusion prevention systems (IPS) at critical ingress and egress points to create a properly secured network. When configuring this technology, make sure that sufficient auditing and logging are enabled to allow continuous monitoring of the network to detect suspicious activity.
e. Encrypt network. Encrypt messages so that only authorized users can read them. It is important to encrypt all critical traffic in the network to prevent attackers from reading or tampering with information.
f. Require redundancy. Ensure that communication channels have multiple paths or redundancy. This allows continued communication to the head-end system even if one area is down.
g. Secure configuration and patching. Properly configure, patch and harden the operating system, applications and software to prevent intruders from finding ways to attack the systems.
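An added example (not from the original article) of items b and c working together: a role check followed by a token-generated PIN check for remote administrators. The role names, permission names and the authorize function are hypothetical; the PIN is computed as a time-based one-time password per RFC 6238, and the password check is assumed to have already succeeded.

```python
import hashlib
import hmac
import struct
import time

# Hypothetical role-to-permission map for an AMI head-end (assumed names).
ROLE_PERMISSIONS = {
    "meter_operator": {"read_meter_data", "schedule_meter_read"},
    "system_admin": {"read_meter_data", "configure_headend", "manage_users"},
}
# Roles that must present a second factor when connecting remotely.
MFA_REQUIRED_REMOTE = {"system_admin"}


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password using HMAC-SHA1."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, at: float,
                window: int = 1, step: int = 30) -> bool:
    """Accept the current code or one step either side, for clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + i * step, step).encode(),
                            submitted.encode())  # constant-time comparison
        for i in range(-window, window + 1)
    )


def authorize(role, action, remote, secret=None, pin=None, now=None):
    """Return (allowed, reason); unknown roles get no permissions."""
    now = time.time() if now is None else now
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False, "role lacks permission"
    if remote and role in MFA_REQUIRED_REMOTE:
        if not secret or not pin or not verify_totp(secret, pin, now):
            return False, "second factor missing or invalid"
    return True, "ok"
```

Denials returned by authorize are worth sending to the same audit log that the IDS/IPS monitoring in item d relies on.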
No. 4: Test and re-test before deployment
Before rolling out the AMI network to customers, test and re-test its security. Start with lab testing to ensure no bugs or errors exist. Then, conduct a pilot test with a few hundred endpoints before mass deployment.
Once comfortable with the system’s performance and security during the pilot, increase endpoint deployment until all customers are reached.
No. 5: Don’t forget about maintenance
Security is an ongoing commitment. Schedule monthly updates, patching and maintenance to maximize the investment. For best results, designate an operations team to maintain network security.
No. 6: Get an unbiased opinion
Third-party reviewers and penetration-test vendors can identify weaknesses and areas where security can be improved. In addition to continuous scanning and testing performed by an internal security team, arrange for a third party to conduct one of these tests annually or bi-annually, especially if the system has undergone major changes.
No. 7: Select a partner to help along the way
Perhaps the prospect of securing an AMI network is overwhelming, or an investment in IT, office space or specialized employees is not a viable option. If this is the case, partner with a communications company to host the network. Knowing the network is deployed securely and monitored 24/7 will ensure all data is secure and provide peace of mind.
Customer data is too important to let security fall by the wayside. Before implementing AMI, a utility must have a strong plan to protect its network against cyberattacks.
Balu Ambady is the director of security for Sensus. As an information security leader with more than 20 years of experience, he has expertise in creating advanced security infrastructure and developing security compliance programs. Prior to joining Sensus, Balu served as the director of advanced technology and security for CableLabs where he managed the design and development of video architecture and security. Balu is a Certified Information Systems Security Professional and Certified Information Security Manager.