Cyberattacks on the nation’s increasingly interconnected electrical grid seek to weaken populated areas, so how utilities manage cybersecurity is crucial to ensuring energy infrastructure reliability.
Power companies experience thousands of these attacks every day. While most attempts to disrupt industrial control systems fail, the attacks are becoming more sophisticated as hackers navigate the dark web.
For hackers, many of whom are foreign adversaries, it’s no longer just about deploying ransomware and accessing sensitive data but also about causing physical damage to the grid. In 2010, for example, hackers executed the now-infamous Stuxnet attack, which damaged centrifuge equipment at Iranian nuclear facilities.
6 tips: How utilities manage cybersecurity
- Foster a workplace culture of cybersecurity awareness and vigilance. Power companies should run ongoing safety campaigns to protect both industrial and corporate systems. This involves training employees to spot potential attacks, such as email phishing attempts or mysterious flash drives. Additionally, employing a cybersecurity team helps ensure public safety and customer protection.
- Adopt a top-down cybersecurity approach. In order to protect employees, customers and data, a utility’s cybersecurity culture should be largely driven and supported by leadership. For example, executives could start meetings with a cybersecurity awareness moment.
- Participate in simulated attacks with industry peers and government agencies. For example, the North American Electric Reliability Corporation (NERC) hosts its regular GridEx simulated attack, which allows participants to execute cyber response plans, strengthen connections between organizations and individuals and determine where improvements need to be made. It also helps to stay up to date by attending grid security conferences.
- Account for and prioritize assets to evaluate vulnerabilities. It’s important for power companies to identify, classify and map all information and assets, prioritizing by degree of criticality and connectedness. It can also be helpful to separate networks, when possible. Be sure to document the maturity of controls while incorporating people and processes.
- Practice third-party security. This involves building safeguards into the procurement process in order to mitigate risk in the supply chain. For example, utilities should conduct supplier risk assessments, ask suppliers to explain security processes and do site visits.
- Define security processes and update them as needed. Utilities should consider security issues as they design new systems, networks and applications, not after the fact. This could involve implementing multifactor authentication, appropriate password management and access control. It also helps to establish a cybersecurity policy that addresses formal security rules for employees, contractors and other authorized users. Conduct periodic risk analyses to make sure governmental standards are being met.