Utility Week

24 | 24TH - 30TH JANUARY 2020 | UTILITY WEEK Operations & Assets Market view T he energy and utilities sector is going through a period of signi cant change. An abundance of new entrants are lev- eraging innovative technology – including IoT sensors, smart meters and integrated cloud services – and in doing so disrupting the sector. Established rms must evolve or they could be le• behind. In the UK alone, eight energy companies have collapsed, and 56 new entrants have entered the market in the past year. As a result, many established suppliers are investing in modern, agile operational approaches and seeking rapidly to incorpo- rate digital technologies into power grids and throughout their supply chains. This approach also requires modern, pro- active cyber-security because many cyber- criminals are targeting these innovations to undermine their bene ts. Target: utilities The energy and utilities sector is particu- larly alluring because it's an integral part of national critical infrastructure. Well- resourced criminal groups seeking nancial gain, nation states looking to cause harm or disruption, and even amateurs looking to test their hacking techniques o• en target it for these reasons. Against this backdrop, it is alarming that 45 per cent of organisations in the energy sector believe they cannot prevent attackers from breaking into their internal networks every time they try, according to CyberArk's recent Advanced Global Threat Landscape study. Many still rely on old "air-gapping" secu- rity techniques to secure their networks. Industrial control systems, for example, are o• en isolated from power grids and other networks using this technique to protect them from attacks. These techniques have proven ine‹ ec- tive in the past, however. In 2010, the Stux- net malware was discovered to have jumped an air gap and compromised nearly a • h of Iran's nuclear centrifuges, causing sig- ni cant setbacks. The Stuxnet malware was later found to have initially been developed by the US and Israel in their attempts to crip- ple the Iranian nuclear programme, but sub- sequently adapted by hackers to meet their needs. Indeed, hacking air-gapped systems is well within the realm of advanced attackers. Critically important Given the critical nature of power grids and utility infrastructure, operational systems in this sector must be able to survive a cyber- incident while sustaining critical functions. Real-time operations are imperative, and any downtime must be avoided at all costs. Hackers looking to cause large-scale dis- ruption o• en aim to bring down the power grid and its associated operating systems by interrupting the high reliability and availa- bility of utilities' infra- structure. They do so in part by gaining access to privileged accounts with access to – and control over – sensitive data or critical systems. When used, these accounts permit entry to assets such as operator work- stations that facilitate automated processes, maintain systems, modify process param- eters, and store historical data and other important operations. Malicious intent When used maliciously, these accounts can be used to gain unauthorised access to IT systems and cause irreparable dam- age. Recently, Russian military o– cials were indicted by the US Department of Jus- tice for hacking-related charges relating to an alleged attempt to steal the privileged access credentials of Westinghouse Electric employees involved in nuclear reactor devel- opment. If it had been successful, this attack would have had disastrous consequences, because sensitive information pertaining to national security could have fallen into the wronghands. According to our research, an overwhelm- ing 82 per cent of energy/utilities organisa- tions agree that they won't be fully protected until the privileged accounts that are part of the control systems are secure. Companies must proactively secure, control and monitor their use to reduce the risk of costly, disrup- tive damage to infrastructure. Energy and utilities organisations seeking to proactively reduce the risk attackers pose to privileged access must rst identify the potential weaknesses and vulnerabilities in their existing approach securing this path- way. That means identifying the credentials, information and secrets associated with their most important privileged accounts, and how they might be at risk. Once this has been done, a "clean up" of these weaknesses and potential vulnerabili- ties can be undertaken, with security and management controls put in place to prevent the escalation and abuse of privilege. However, this can't be a one-o‹ task – organisations must ensure continuous reassessment and improvement in privileged access hygiene to address the constantly changing threat environment. The unique nature of organisations in the energy and utilities sector, which comprises many public and private providers, presents cyber-security decision-makers with chal- lenges that are not faced in most of the rest of the business world. Irreparable damage As cyber-risks have proliferated, govern- ment and the private sector have increased spending on cyber-security operations and maintenance, understanding the irreparable damage such attacks can cause. The widespread implementation of the appropriate cyber-security techniques, how- ever, is still some way o‹ . By implementing privileged access management policies as part of a larger zero trust approach, rms in the utilities and energy sector can mitigate the risk of malware spreading from its initial infection point while maintaining the integ- rity of their crucial operating systems. David Higgins, EMEA technical director, CyberArk How to be cyber-secure Utilities make a tempting target for cyber-criminals. David Higgins explains how suppliers can stay one step ahead of the hackers. How to be cyber-secure Utilities make a tempting target for cyber-criminals. David Higgins explains how suppliers can stay one "The energy and utilities sector is particularly alluring to hackers."

• Cover