Utility Post


3 Steps to Securing Your Utility

October 02, 2017 15:56

Gabe Authier - Tripwire


By Gabe Authier, Senior Product Manager, Tripwire


In June 2017, the radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline due to the Petya cyberattack. Several Ukrainian ministries, banks, metro systems and state-owned enterprises were also affected.


The incident was considered to be the first known successful attack on a power grid, and it highlighted just how vulnerable critical infrastructure is to cybercrime. This is particularly concerning as cyberattacks on critical infrastructure can have real physical impact, whether that’s a shutdown of power or catastrophic machine failures that can impact health and safety.


Connectivity – Don’t let this opportunity be your Achilles heel


We live in a world where connectivity is key. It has brought conveniences to our personal lives and is being adopted more widely in the industrial world to boost productivity. Connected machines are helping plants run more efficiently and prevent downtime. When this connectivity is introduced, however, security is not always considered up front. Systems that were once isolated are now being connected to larger networks, exposing environments to digital security threats operators never had to worry about before.


Industrial Control Systems (ICS), which manage utilities such as the supply of water, gas and electricity into people's homes, are a prime example of the type of machines now being connected to the web to improve productivity. They are being put online so that jobs which used to be carried out manually can be done remotely or via automation. One of the key concerns with this, however, is the consequence of a successful cyberattack.


As demonstrated by the Petya attack, these systems are a key target for cybercriminals and security should therefore be a priority. However, given the importance of ICS, one would assume they would be running the most secure technology available today. This is not the case. Much of the equipment is at risk of aging out, requiring replacement or upgrade with very little security.


By adding connectivity, these critical systems are now vulnerable to a host of notorious cyberattacks, like ransomware and DDoS, which could ultimately put the supply of these utilities at risk. For instance, if a cybercriminal gained access to computer systems and cut off the supply of electricity or water into towns and cities, it would not be long before chaos erupted. Not only are these systems a target for cybercriminal gangs, they are also a target for nation state hackers who are specifically looking to target a country and attack its critical national infrastructure.


So, what needs to happen in this new reality? Where do utilities begin to start defending against new threats they didn’t have to think about before?


A solid approach to protection, simple as 1-2-3


To protect ICS against today’s online security threats, it is important that companies take adequate steps to create effective industrial security programs and prioritize organizational risks. It can seem daunting to take on, but a strong multi-layered approach can be broken down into 3 essential steps: 1) Secure the network, 2) Secure endpoints, and 3) Secure the controllers.


  1. Securing the network

Industrial organizations looking to secure their networks should start by making sure they have a sound network design with well-secured boundaries. Once that first step is complete, they should segment their networks by implementing the ISA/IEC 62443 standard, secure all wireless applications, and deploy secure remote access solutions to support fast troubleshooting and problem-solving.


  2. Securing the endpoints

Operational Technology professionals might feel their organization's endpoints are protected against digital attacks by perimeter firewalls, proprietary software, specialized protocols and air gaps, but that just isn't the case. The moment employees, contractors or supply chain personnel walk in with a laptop or a USB drive to conduct maintenance, these safeguards are bypassed. It is important to ensure all endpoints are secured and to prohibit staff from connecting their own personal devices to the network. A key starting point is an inventory of all endpoints on the network. From there, define controls and automate them so they scale and the protection is assured. A solution versatile enough to provide controls in both IT and OT environments is a strategic choice for the organization as a whole: define a security platform that is flexible enough to cover IT in depth while also working safely in a sensitive OT environment.


  3. Securing the controllers

In every industrial environment, there are physical systems – mechanical devices such as actuators, calibration devices, valves, and an array of sensors for temperature, pressure, etc. that interact with the physical world. Bad actors have gained access to these mechanical devices in many documented cases, causing those systems to malfunction, but they have no direct way of doing so without gaining access to the control level. Organizations can protect industrial controllers against digital attacks by enhancing their detection capabilities and visibility into ICS changes and threats, implementing security measures for vulnerable controllers, monitoring for suspicious access and change control, and detecting/containing threats in a timely manner.
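One way to implement the "visibility into ICS changes" and "change control" part of this third step is to keep a known-good hash of each controller's configuration export and alert when it changes outside an approved change-control window. The example below is added here and is not Tripwire's code or the article's own; the controller names, configuration bytes and change ticket are constructed for illustration.

```python
"""Added example (not from the article): change detection for controller configs.
Each inventoried controller has a known-good hash of its configuration export;
a changed config outside an approved change-control window, or a controller
missing from the inventory, raises an alert. All data here is constructed."""
import hashlib
from datetime import datetime

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed baseline: controller name -> hash of its approved configuration export
BASELINE = {
    "plc-pump-01": sha256_hex(b"PUMP_SETPOINT=40\nALARM_HIGH=55\n"),
    "plc-valve-02": sha256_hex(b"VALVE_OPEN_PCT=60\n"),
}

# Constructed change-control records: approved maintenance windows per controller
APPROVED_CHANGES = [
    {"controller": "plc-valve-02", "ticket": "CHG-0001",
     "start": datetime(2017, 10, 2, 8, 0), "end": datetime(2017, 10, 2, 12, 0)},
]

def change_is_approved(controller: str, observed_at: datetime) -> bool:
    """True if a change-control window covers this controller at this time."""
    return any(c["controller"] == controller and c["start"] <= observed_at <= c["end"]
               for c in APPROVED_CHANGES)

def check_controllers(observations):
    """observations: iterable of (controller, config_bytes, observed_at).
    Returns alerts for unknown controllers and changes made outside a window."""
    alerts = []
    for controller, config, observed_at in observations:
        expected = BASELINE.get(controller)
        if expected is None:
            alerts.append({"controller": controller, "reason": "not in baseline inventory"})
        elif sha256_hex(config) != expected and not change_is_approved(controller, observed_at):
            alerts.append({"controller": controller, "reason": "changed outside approved window"})
    return alerts

# Constructed observations: an unticketed alarm-threshold change at night, a valve
# change inside CHG-0001, and a controller that was never inventoried.
OBSERVATIONS = [
    ("plc-pump-01", b"PUMP_SETPOINT=40\nALARM_HIGH=99\n", datetime(2017, 10, 2, 22, 30)),
    ("plc-valve-02", b"VALVE_OPEN_PCT=65\n", datetime(2017, 10, 2, 9, 15)),
    ("plc-mixer-03", b"MIX_RPM=120\n", datetime(2017, 10, 2, 9, 20)),
]

if __name__ == "__main__":
    for alert in check_controllers(OBSERVATIONS):
        print(f"ALERT {alert['controller']}: {alert['reason']}")
```

Only the unticketed alarm-threshold change and the uninventoried controller produce alerts; the valve change inside its window is treated as authorized and would normally be logged against the ticket rather than alerted.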


Cybercrime is without a doubt one of the fastest growing industries around today. It has evolved from teenage script kiddies carrying out attacks motivated by fun or notoriety, into an organized and structured business. With ICS being such a key target for cybercriminals, it is important that steps are taken to adequately protect against digital threats. Doing so requires a multi-step approach that focuses on network security, endpoint security, and industrial controller security.


Gabe Authier is a senior product manager at Tripwire, a leading provider of security, compliance, and IT operations solutions for enterprises, industrial organizations, service providers, and government agencies. He has over 15 years of experience in Product Management and Information Technology, with certifications in Agile practices and Pragmatic Marketing methodology, and is passionate about software development that brings solutions to the marketplace to solve customer problems.
