The world is currently facing a convergence of various market pressures, ranging from geopolitical tensions to economic uncertainties to environmental concerns. These factors have created a significant level of uncertainty that is affecting businesses and government agencies worldwide. Power and water providers are not exempt from these forces, as they also grapple with challenges such as extreme weather events impacting grid reliability and the integration of distributed energy resources complicating service delivery and load management. To address these issues, many utilities are turning to real-time data analytics, which provide new insights, enhance operational efficiencies, and enable the development of new products and services.
However, as utilities ramp up their data analytics programs, they are encountering a growing number of security threats. While a robust analytics program is essential for their operations, it is equally crucial to address privacy and security concerns to ensure the programs can move forward without compromising the safety and security of both the utilities and their customers. Fortunately, utilities do not need to start from scratch in addressing these challenges. Instead, they must recognize the risks and adopt proven strategies to safeguard their systems and data.
Utilities have increasingly become prime targets for cyberattacks, as both statistics and headlines attest. Research conducted by Skybox Security revealed that 87% of utilities have experienced at least one security breach in the past 36 months. One notable example is a malicious attack on a US-based utility, which resulted in a loss of 90% of its internal systems and wiped out 25 years of historical data. Although this incident did not impact customer data or grid operations, it serves as a reminder that utilities of all sizes are susceptible to such attacks. The consequences of a successful breach could be severe, potentially leading to power or water supply disruptions for thousands of residents.
The age of operational technology (OT) is an additional concern for utilities. Much of the OT infrastructure in use today is over 25 years old, making it challenging to update and leaving it vulnerable to exploitation by hackers. Furthermore, many devices that collect real-time data, such as smart thermostats, are third-party technologies that are beyond the direct control of utilities. This combination of an expanded attack surface and limited control increases the overall risk. Additionally, utilities are responsible for safeguarding customer data and are subject to data protection regulations. The Verizon 2022 Data Breach Investigations Report found that customer data accounted for 58% of all data stolen from energy and utility firms in 2021. With utilities now collecting more data than ever, including information that can reveal individuals’ habits, the stakes are even higher.
While financial gain often motivates hackers, the possibility of nation-state attacks is a genuine concern for utilities. Earlier this year, the US Department of Homeland Security issued a Shields Up alert to critical infrastructure providers, warning of potential cyber threats from the heavily sanctioned Russian government. The alert emphasized that every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially pose risks to public safety.
To counter these data security threats, utilities must take proactive measures to strengthen their security posture. Here are five best practices that utilities should prioritize:
1. Strengthen the human perimeter: Creating a culture that places a high priority on security is crucial. Most attacks, even those conducted by nation states, exploit the path of least resistance, which often involves an employee. Implementing standard defenses, such as spam filters and endpoint detection and response systems, will make it more difficult for cybercriminals to reach employees. However, employees must also receive training on identifying and avoiding social engineering and phishing scams.
2. Protect IT and OT from each other: Building a demilitarized zone (DMZ) between IT and OT environments can prevent attackers from using one network as a means to breach the other. This includes adding firewalls and gateways to control data flow between the two networks. Even with a DMZ, utilities should establish backup options to contain infiltrations and maintain operations.
3. Conduct thorough testing for weak points: Utilities can employ third-party penetration and vulnerability testing to identify gaps in their networks before malicious actors exploit them.
4. Layer additional defenses on the most valuable and vulnerable assets: By enhancing the protection of assets that are most likely to be targeted, utilities can reduce the risk of successful breaches. This can be achieved by limiting the number of individuals with access to critical systems and implementing additional security features, such as multifactor authentication.
5. Consider outsourcing or augmenting the security team: Smaller utilities with limited resources may benefit from partnering with external experts who can provide guidance and support in their security journey.
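To make practice 2 concrete, the following added example (not part of the original article) audits a firewall rule set for allow rules that let traffic pass directly between IT and OT instead of terminating in the DMZ. The zone address ranges, the rule format and the sample rules are all constructed for illustration.

```python
import ipaddress

# Constructed address plan (assumption); substitute the utility's own zones.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}

def zones_touched(cidr):
    """Return the set of zones that a rule's source or destination range overlaps."""
    net = ipaddress.ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def audit(rules):
    """Flag allow rules that permit IT<->OT traffic without a stop in the DMZ.

    Rule ordering (first-match semantics) is not modelled: every allow rule
    is reviewed on its own, so a flagged rule may be shadowed by an earlier deny.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = zones_touched(rule["src"]), zones_touched(rule["dst"])
        # Overly broad ranges count too: a /8 source that covers IT reaches OT directly.
        if ("IT" in src and "OT" in dst) or ("OT" in src and "IT" in dst):
            findings.append((rule["id"], sorted(src), sorted(dst)))
    return findings

# Constructed sample rule set (hypothetical format, not from any real firewall).
SAMPLE_RULES = [
    {"id": 1, "src": "10.30.5.0/24", "dst": "10.20.0.10/32", "port": 443,  "action": "allow"},  # OT -> DMZ
    {"id": 2, "src": "10.10.0.0/16", "dst": "10.20.0.10/32", "port": 443,  "action": "allow"},  # IT -> DMZ
    {"id": 3, "src": "10.10.8.0/24", "dst": "10.30.5.20/32", "port": 502,  "action": "allow"},  # direct IT -> OT
    {"id": 4, "src": "10.0.0.0/8",   "dst": "10.30.0.0/16",  "port": 3389, "action": "allow"},  # broad source spans IT
    {"id": 5, "src": "10.10.0.0/16", "dst": "10.30.0.0/16",  "port": 0,    "action": "deny"},
]

if __name__ == "__main__":
    for rule_id, src, dst in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: {src} -> {dst} bypasses the DMZ")
```

Rules 1 and 2 pass because both sides meet at a DMZ host; rules 3 and 4 are reported for review.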
While data security poses significant challenges, utilities must not view it as a mere checkbox on their to-do list. Instead, they must foster a culture of security and implement industry best practices to protect their operations and lessen executives’ concerns about real-time data analytics. These analytics programs are critical for utilities to keep pace with current and future demand. By prioritizing security and adopting the recommended strategies, utilities can navigate the complex landscape of data analytics while safeguarding their systems, customers, and the reliable delivery of essential services.

