How to Protect Utilities from Cybercrime
Like many public entities, water and wastewater treatment systems are increasingly vulnerable to cybercrime threats. Some public works professionals have learned the hard way about the need for planning and protective measures to keep their systems safe and secure.
In addition to providing a full slate of engineering services, Morrison-Maierle has a technology subsidiary, Morrison-Maierle Systems, whose experts assist our clients who own and operate water and wastewater systems with risk assessments to help alleviate potential problems.
We recently sat down with our team at Morrison-Maierle Systems to talk about cybersecurity and different measures you can take to help protect your water or wastewater treatment plant.
MM: What are some best practices that utility system operators should know regarding cybersecurity?
Morrison-Maierle Systems: One of the biggest distinctions for this industry is the use of SCADA/ICS-type systems. Typically, the security of these is not managed the same way a workstation would be, and they require a different approach that is often missed. An astounding number of breaches involve SCADA/ICS compromise. One study found that in 2019 only 11% of organizations dependent on these systems had not experienced a breach. This should be frightening, especially because of the potential for cyber terrorists to use this maliciously against the public. Patching these types of systems is critical, and assuming that they are secure could be dangerous.
MM: If a utility manager needs a risk assessment of their system, how long and involved is this process and what can they expect?
Morrison-Maierle Systems: It really depends on the specific organization. You can expect an engagement to last at least a week or more, and it will require you to have information and resources prepared for the assessor. They will want to learn everything they can about your risk profile in a short amount of time, so be prepared to field a lot of questions. Ask for a preparation checklist well in advance to keep things running smoothly and reduce the impact on your staff during the assessment.
Here are the biggest factors that affect the intensity (i.e. cost) of a risk assessment:
- Scope of the assessment
Note that the size of the organization is not necessarily the same thing. It sometimes can be better to start with assessing one part of a network before moving on so that the workload and cost of remediation are manageable.
- Current baseline security
If an organization is starting its cyber security program, then an initial assessment could take much longer as there are a lot of basic controls that need to be established. This is not difficult, but it is time-consuming. A solid baseline opens doors to work on more advanced security implementations, such as zero-trust architecture, which should be the goal of every organization.
- Level of preparedness for an incident
A risk assessment also includes reviewing how prepared an organization is to respond to events like ransomware, data breaches, and recovery processes. This is often neglected by organizations, especially putting the plans into practice by holding annual tabletop exercises to test them, but the industry is getting better as insurance companies require evidence of this more and more. Having an incident response plan (IR) and a disaster recovery and business continuity plan (BC/DR) is critical because there is no such thing as perfect cyber security. Additionally, organizations that take the time to develop these well usually have much better security because the leadership is demonstrating an intentional approach. It also develops awareness across the whole organization.
MM: We know that part of good cybersecurity hygiene is providing knowledge sessions for onsite staff. What kind of training do you recommend?
Morrison-Maierle Systems: Cybersecurity starts at the individual level and is independent of rank or role. There are two types of training that, if implemented, would keep staff well informed and reduce overall risk.
- Recurring cyber awareness training
Even though this can seem tedious to staff, it keeps security in mind. The topics for this should be simple and cover the most common events your staff will likely face, such as recognizing phishing attempts, social engineering, and reviewing the processes for reporting suspicious activity. You can start to build a culture of security with basic quarterly training that doesn’t need to be more than 15 minutes.
- Tailored security training
This is certainly more time-intensive and a larger investment if you don’t have in-house expertise, but it can have a greater impact. These can involve mock scenarios involving threats that are relevant to your industry or reviewing examples of other breaches in the industry and conversations about how you would have responded. Get your team comfortable thinking about security beyond the surface level, and they will be able to recognize more advanced threats that are beyond what technical security controls can provide. Depending on the organization, we recommend doing this once or twice a year.
MM: Is it possible to incorporate cybersecurity practices at water system plants with other municipal entities? If so, how is that usually handled?
Morrison-Maierle Systems: The best approach to this is to adopt practices from vendor management. Even though you might not be partnering with a traditional vendor, your organization should have a process for assessing the security of other entities. A tactic that hackers use is to compromise smaller companies that don’t have the expertise or budget for cyber security and use that to gain access to bigger fish. Just because you are a cyber security pro does not mean that you aren’t at risk! We see this type of attack frequently, and it can be very difficult to recognize because an attacker can take their time to learn how to mimic your vendor and pose as them using legitimate email addresses and points of contact.
Beyond vetting vendors, the best ways to prevent this are to have tailored training for a vendor-related incident and to adopt a zero-trust architecture. You can help your partners by discussing cyber security with them and collaborating on the security controls between your organizations.
MM: We know cybersecurity is constantly evolving. What are some current trends or threats we should be aware of?
Morrison-Maierle Systems: Hackers are extremely adaptable and can change their tactics and techniques quickly. If they find a locked door, they will try another way—of the hundreds available—to enter your systems. To complicate matters, we now battle not just individual hackers but whole teams of well-funded cyber criminals working in concert. You can even hire these teams yourself on the dark web! An example is Ransomware as a Service (RaaS). This group has call centers and provides many ways to serve your criminal needs.
MM: What are some cybersecurity issues that are increasingly on your radar?
Morrison-Maierle Systems: Cybersecurity is constantly moving and changing, but here are three areas that have our attention:
- Increased insider threats
Disgruntled employees who find ways to damage their employer for financial gain. This is difficult to prevent. On the flip side, these actions are sometimes unintentional; they can be caused by advanced phishing or from the actions of an employee who is just trying to be helpful.
- Budgetary limitations and expertise
It can be difficult to recognize the operational value of a cybersecurity program because if it is doing its job, then you won’t hear about it often. This can cause leadership to question the cost even though the goal is to prevent the expense associated with a breach, which often puts companies out of business. It is also difficult to even find security professionals as there is a huge shortage in the field. Current estimations show that more than 40% of cybersecurity positions are unfilled. We are struggling to keep up with current threats, and there is something newly discovered every day.
- Mass compromise
We feel that it’s not a matter of if, but when companies and organizations will be compromised simultaneously. For example, Apache Log4J—a critical vulnerability with a near-universal impact—was discovered a couple of years ago. While this was frightening, the security community knows that preparing for recovery is non-negotiable.
MM: Is there anything else you would like to add about cybersecurity?
Morrison-Maierle Systems: There are many things in the cybersecurity world that keep us curious and eager to explore:
- Emerging technologies like quantum computing, artificial intelligence, and virtual/augmented reality
It is hard to predict how these will impact cyber security, but we have theories that hackers and defenders are still exploring the possibilities. We increasingly work with tools that use machine learning (AI), and the capabilities are impressive. There will be behemoth threats resulting from these technologies, but new defenses will develop alongside them.
- Adoption of cloud technologies
The flexibility offered through the cloud and the options available for disaster recovery are amazing. Software companies are already on board with this and managing their platforms in the cloud. But don’t let the sticker shock stop you from exploring these options. There are very justifiable reasons for the cost, but we expect 90% of our clients’ infrastructure to be cloud-based within 5-10 years. Currently, it’s less than 10%. We encourage our clients to explore these because the best cybersecurity experts work in the cloud. The controls that Amazon, Google, and Microsoft have in place are top-notch and constantly monitored. No individual can match their services.
- Individual cybersecurity
People are becoming more aware of the threats they are exposed to and are recognizing that the inconvenience of security controls like MFA and using a password manager is worth the time and effort. Excellent personal cyber security hygiene on a mass scale would do a tremendous amount for the security community in general and really frustrate the bad guys. We spend a lot of time thinking about how to get people interested in their own security. It would bother you if you couldn’t remember if you locked your car. It should really bother you if you haven’t locked down your digital presence.
What Are Your Next Steps?
As we’ve stated before, each utility is unique and has specific demands regarding cybersecurity. Wherever you are on your journey, it’s never too late to start with this information, list your questions, and then reach out to us for assistance or more information. Our door is always open.