Without a secure, reliable utilities sector, everything grinds to a halt – industries, businesses, schools, and homes. And because of the impact of the kind of downtime a cybersecurity attack would incur, these companies have become major targets for hackers and malicious organisations. A recent report has shown that 85% of professionals working in the power, renewables, and oil and gas sectors believe a cyberattack is likely and will cause operational shutdowns, with 84% expecting damage to energy infrastructure and assets. This is unsurprising, given the attacks on the US Colonial Pipeline, the Amsterdam-Rotterdam-Antwerp attack, and OPEL and Electrobras. In Australia, we’ve seen cyberattacks increase in this sector over the last year, with CS Energy being the most notable. With that in mind, here are some key challenges and tips on how to overcome cybersecurity risks.
Utilities have a broad attack surface
Utilities must digitise to reduce wastage, compete, increase efficiency, and meet demand. There’s no question about it. But this means creating a bigger surface area for cyber attackers to target, including hitting IoT networks, automation platforms, and data servers. It’s impossible to guarantee 100% safety from attacks, but it is important to prioritise cybersecurity spending on critical elements. You need to know what hackers look for, and the systems they particularly target, and seal up these weak points to effectively manage risk and minimise the attack surface.
Solutions are user-first designed
Putting the user first sounds like a good thing – but not when it leaves IT security on the back burner, as so many solutions do. Investing in technology needs to be balanced with cybersecurity, thoroughly testing systems for vulnerabilities and ‘soaking’ them, the same way you would with physical assets. And these tests need to run frequently, driven by common attack vectors, changes in your network or IT assets, and more.
IT is separate from staff policies
In almost all cyberattacks, hackers target users to get through to your assets. It’s not enough to have an IT policy that you run through once a year. Instead, staff cybersecurity training is needed to close up this gaping vulnerability. After all, no matter how secure and well-run your IT security tech is, one staff member using a poor password or filing in a legitimate-seeming phishing email will let them right inside your walls to do whatever they want. All staff members need to have a high level of cybersecurity awareness that demonstrates what these measures are for and empowers them to keep infrastructure safe.
Unlimited network and data access
Many organisations allow their staff and people on their network access to far more than they require for their role, often just because setting up permissions is complex and time-consuming. But should a user be compromised (internally or by an external threat), they have a much larger entryway into your data and IT infrastructure. The answer is a Zero-Trust approach that groups critical assets behind additional protections and limits user access, rather than one large protective layer that encircles all assets. This way, if a breach is successful, they are limited in the attack scope.
Active monitoring for utilities infrastructure – but not IT networks
Utilities infrastructure is similar to IT infrastructure in many ways, with issues in one area of the system having a more devastating knock-on effect. And for this reason, it’s critical to monitor your IT security and assets the same way you’d monitor physical assets in the field. Network monitoring can be automated, dealing with issues on a rule basis, and sending alerts to supervisors when suspicious activity occurs. It’s proactive IT maintenance and security that keeps your organisation and customers running, the same way your services do.
Cybersecurity is challenging in every sector, but due to the target status and disruption attacks on utilities cause, it’s especially critical that these issues are addressed. Otto is dedicated to making the online space as safe and secure as possible for your employees and organisation. From regular cybersecurity seminars and access to the latest IT security tech to staff training, our IT consulting team in Melbourne covers all of your bases when it comes to cybersecurity solutions and training. Chat to us today about securing your data against internal and external threats.