Like many large and small businesses, utility companies are continuing to invest in the ever-growing digital world. There’s one issue, however, that they face on a daily basis – securing critical infrastructure. This is because more of their systems are starting to become interconnected, making it easier for utility companies to control multiple points with fewer people onsite. It also makes them vulnerable to hackers. That’s why Q-Net Security is sharing more information on which issues utility companies face in cybersecurity below:
While a typical business has just one building that needs to be protected from cyberattacks, utility companies have multiple generation and distribution sites to protect. Energy for homes, businesses, and substations no longer comes from one central location; it now comes from multiple sources like windmills, dams, and coal plants. Since major intersections of their grids have sensors and control computers holding them together, they need all of their connections to be secure – especially if they want to control them remotely.
In 2019, a study was released by Siemens and the Ponemon Institute on the increasing threat of cyberattacks on utilities. In total, 1,726 utility professionals (all of whom work in OT) provided “self-assessments on key areas of their company’s technical and corporate readiness to address the increasing threat of cyberattacks.” After finding common blind spots industry wide, their goal was to raise awareness for utility leaders surrounding risk, readiness, and solutions.
The study goes on to explain that cyberattacks are now targeted more toward OT than IT. Hackers’ goals have shifted from stealing data to commandeering machinery and creating outages by damaging physical property. In fact, more than half of the respondents reported at least one attack in the previous year and expected another to occur within the following year. What motivates hackers? Siemens and the Ponemon Institute believe that “nation-states and other malicious actors have an interest in developing cyber weapons that target utilities” since utilities are important to our daily lives.
They also believe that readiness is not even throughout the utility industry. Those who have fewer than 5,000 employees are especially less confident to deal with cybersecurity threats. Unfortunately, not all utilities are able to properly identify threats or even respond quickly enough to stop them. It doesn’t help either that “people with appropriate skills are scarce – in every region around the world, more than half of respondents indicated their organization’s staffing level was not adequate to meet cybersecurity objectives in the OT environment.”
Siemens and the Ponemon Institute recommends that organizations need to keep up with technology, detect when attacks are happening, and have a basic plan in response. They describe cybersecurity in utilities as “an ongoing arms race” and suggest that “leaders within the utility industry need to allocate attention and resources to their cyber defenses commensurate with the increased risk to their businesses.” Beyond simple recommendations however, many utilities are subject to standards. In North America, these are the Critical Infrastructure Protection (CIP) rules as set by the North American Reliability Corporation (NERC), and other regions of the world have similar standards. Failing compliance checks (some of which were updated as recently as last year) can lead to serious consequences, and compliance has historically required large ongoing budgets and updates.
Luckily, Q-Net Security has a device that can accomplish all of this. The Q-Box, a plug-in hardware security unit that renders endpoints totally invisible to outside threats, secures all network traffic that flows through it. Q-Net Security specifically uses hardware instead of software since hardware security (hardsec) ensures that unauthorized access is prevented and intercepted data is completely incomprehensible. The Q-Box never requires updates or patches and it would take a quantum computer billions of years to break Q-Net Security’s encryption.
It’s also simple to implement. Just drop it in front of your existing endpoints, including legacy endpoints, and get back to what you do best: taking care of your customers.