From taking a shower, to brewing your coffee, and watching the news, your morning routine is fueled by the energy sector. If you're like millions of other Americans, your TV is connected to the Internet and uses technology generated from the nation's power grid. But the energy sector also underpins our emergency and response systems, our hospitals and healthcare, our schools, our businesses, and virtually everything we do as a society.
The Rising Threat
Unfortunately, the energy sector is of great interest to cyber attackers today. Disruptions to Ukraine’s power system in 2015 and 2016 were attributed to a cyberattack and led to power outages affecting hundreds of thousands of people. The media recently reported attacks on the electricity grids of some European countries. And earlier this year, the first cyberattack on U.S. power grid made headlines.
In the U.S. attack, electrical grid operations in two major populated areas in the country—Los Angeles County in California, and Salt Lake County in Utah were interrupted by a distributed-denial-of-service (DDoS) attack on March 5. While the attack didn’t cause customer outages, or affect the reliability of the grid, it did induce a temporary loss of visibility to the utility's supervisory control and data acquisition (SCADA) system. It’s even possible that the attackers didn’t even know they were targeting a power utility.
But any disruption of critical infrastructure is very alarming, and the March event should be a wake-up call about the importance of ensuring utilities are consistently and effectively protecting themselves against cyberattacks. The March attack demonstrates that at least two utilities were poorly prepared for such an attack. It also makes me fear that few are. To get an idea of how serious this problem might be, a 2015 report by the University of Cambridge Centre for Risk Studies estimated a major grid attack in the U.S. could, under the most severe circumstances, cost up to $1 trillion.
It appears to me that we have the potential for a serious calamity. The SEIA bill passed on June 27th in the Senate could be a good start to isolate and segment the most important control systems of the U.S. power grid in the case of an attack. But government bills and regulations can at best only mandate what organizations should be doing on their own to protect themselves and the people who depend on them. Cyber defense should be part of every power grid’s digital transformation strategy–not only to ensure the power generation and reliability of the grid, but also to protect sensitive or private data.
Best Practices to Secure Critical Infrastructure
Traditional approaches to cybersecurity in the energy sector have been to invest in disparate products and technologies. Historically, IT and OT networks have been completely separate, with separate protections as well as separate groups to manage and control them. Now, OT networks are moving to more standard IP networks, and digital information monitoring is required to meet increasing energy demand, regulatory compliance, and business efficiency requirements.
This new environment calls for a different approach to data security including:
- Access control to make it difficult for cyber criminals to get into systems;
- User access logging that connects to SIEM systems, so system administrators can identify unusual access that indicates a potential attack;
- Encryption key management to ensure the ongoing security of the system; and,
- Encryption (of course), which ensures breached data is unreadable and useless to those who might steal it.
All these measures are considered best practices for data protection.
In today’s digitally transforming world, energy is managed using complex digital technology, and while breaches of consumer data get the headlines, this will change the moment a major U.S. electrical grid is effectively attacked. Because, depending on how widespread and long-lasting an effective disruption might be, it can cause real human pain and suffering.
For more information on Thales’s data encryption technologies, please visit our website to learn about “Advanced Data-at-rest Encryption, Access Control and Data Access Audit Logging.”