Fiber in Utility Networks: it may not be as secure as you may think
- July 31, 2017
As a critical infrastructure, energy companies are held to a different standard – and when it comes to cybersecurity, the situation is no different. In fact, as cyberattacks become more sophisticated and frequent across virtually every industry, energy utilities continue to find themselves a target. Most recently, we saw Petya, malware that crippled large organizations by holding their PCs and data hostage, hit utilities across Europe, including Chernobyl’s monitoring systems.
Utilities make security a top priority
According to The Global State of Information Security Survey 2017 by PricewaterhouseCoopers (PwC), “Over the past four years, power and utilities businesses have steadily augmented their information security budgets. Security spending notched up 3 percent in 2016 over the year before, and has surged 53 percent since 2012. Despite steady increases in spending, the number of detected incidents has seesawed significantly, rising one year and falling the next.” For instance, “…in 2016, power and utilities companies detected 24 percent fewer security incidents than the year before.”
The good news here is that energy companies are taking cybersecurity seriously, and their efforts are paying off. However, hackers only have to be successful once, whereas a utility company must be right every time – it just takes one misstep. A study by the Federal Energy Regulatory Commission (FERC), as reported in 2014 by The Wall Street Journal, found that if attacks on just 9 of 55,000 US electric-transmission substations “on a scorching summer day” were successful it could “…cause the entire power grid to collapse.”
On top of what can seem like a numbers game, hackers continuously switch up their tactics – meaning those tasked with keeping critical infrastructures safe can never let down their guard. According to the PwC survey noted above, new attack vectors and risks including phishing schemes, business email compromise and ransomware were reported in the energy sector in 2016.
Protecting data at rest isn’t nearly enough
Most organizations protect data at rest, securing servers, databases, routers, and switches by managing user access and credentialing. However, in today’s utility networks, large amounts of critical data are transmitted as high-bandwidth communications beyond the walls of the utility substation or data center.
Unfortunately, in-flight encryption can be the weak link in a network, because many mistakenly believe fiber optic networks are inherently immune to breaches. The truth is that a single fiber strand can carry an enormous amount of data, and since fiber optic cables are surprisingly accessible, they are large targets for hackers.
Misconceptions could be leaving data unprotected
The reality is that a mid-range hacker armed with low-cost equipment and software can intercept utility data and remain undetected for days, months, or even years. The ease with which hackers can breach a fiber network has been proven in the lab. Anyone with internet access can easily shop online for a fiber coupling tool, and after watching a few YouTube videos, can quickly learn how to steal sensitive data from a fiber optic cable.
Latency is one more reason utility CIOs have been reluctant to deploy in-flight data encryption. When network latency can mean the difference between containing or propagating a power outage across the grid, their concern is understandable, but fortunately unwarranted.
These concerns likely stem from experience with Layer 2 and Layer 3 encryption. For instance, Layer 3 encryption devices, which work on higher-layer protocols such as Internet Protocol (IP), use a process that ‘tunnels’ the original IP packet in order to encrypt its IP ‘header,’ which can result in increased overhead and complexity and can affect network performance, speed and processing.
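To put numbers on the tunneling overhead described above, here is an added example (not from the original article) that computes how many bytes a Layer 3 tunnel adds to each packet. It assumes IPsec ESP in tunnel mode over IPv4 with two common cipher suites and a 1500-byte MTU; the article names no specific protocol, and the packet sizes are constructed.

```python
# Added example: per-packet byte cost of Layer 3 tunnel encryption.
# Assumption: IPsec ESP tunnel mode over IPv4 (RFC 4303); the article names no protocol.
from dataclasses import dataclass

OUTER_IPV4_HEADER = 20  # new IP header wrapped around the original packet
ESP_HEADER = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2   # pad-length (1 byte) + next-header (1 byte)

@dataclass(frozen=True)
class Suite:
    name: str
    iv_len: int   # per-packet IV carried in the clear
    align: int    # (inner packet + padding + 2) must be a multiple of this
    icv_len: int  # integrity check value appended to the packet

AES_GCM = Suite("AES-GCM-128, 16-byte ICV", iv_len=8, align=4, icv_len=16)
AES_CBC_SHA1 = Suite("AES-CBC + HMAC-SHA1-96", iv_len=16, align=16, icv_len=12)

def esp_tunnel_size(inner_len: int, suite: Suite) -> int:
    """Size on the wire of one inner IPv4 packet after ESP tunnel encapsulation."""
    if inner_len < 20:
        raise ValueError("inner packet is shorter than an IPv4 header")
    # Round inner packet + fixed trailer up to the suite's alignment (ESP padding).
    padded = -(-(inner_len + ESP_TRAILER_FIXED) // suite.align) * suite.align
    return OUTER_IPV4_HEADER + ESP_HEADER + suite.iv_len + padded + suite.icv_len

def overhead_report(sizes, suite: Suite, mtu: int = 1500):
    """One row per inner packet size: bytes added, relative overhead, MTU overflow."""
    rows = []
    for n in sizes:
        outer = esp_tunnel_size(n, suite)
        rows.append({"inner": n, "outer": outer, "added": outer - n,
                     "overhead_pct": round(100 * (outer - n) / n, 1),
                     "exceeds_mtu": outer > mtu})
    return rows

def max_inner_for_mtu(suite: Suite, mtu: int = 1500) -> int:
    """Largest inner packet that still fits in one outer packet (no fragmentation)."""
    n = mtu
    while esp_tunnel_size(n, suite) > mtu:
        n -= 1
    return n

if __name__ == "__main__":
    sample_sizes = [64, 256, 1400, 1500]  # constructed inner packet sizes, in bytes
    for suite in (AES_GCM, AES_CBC_SHA1):
        print(suite.name, "max inner packet:", max_inner_for_mtu(suite))
        for row in overhead_report(sample_sizes, suite):
            print("  ", row)
```

Small packets carry the highest relative cost, and full-size packets no longer fit the MTU, so the tunnel endpoints must fragment them or the inner MTU must be lowered.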
Encryption at the optical layer
Layer 1 encryption has significant advantages over traditional encryption solutions at higher layers of the network. It’s highly secure, meets the strictest latency requirements (measured in a few microseconds or less), is more bandwidth efficient and doesn’t require a separate network appliance.
Without Layer 1 encryption, in-flight data is secure only as long as you can keep the hackers out. A Layer 1 optical encryption approach, however, renders all data undecipherable to any hacker who taps into the fiber strand. This ensures that metadata isn’t exposed to attackers and eliminates gaps within an organization’s in-flight data protection strategy.
It’s important to point out that in-flight encryption is not the magic bullet when it comes to securing critical infrastructure. Rather, it’s one part of a holistic security strategy. You need service and database security, at-rest encryption and in-flight encryption for a truly comprehensive IT approach. It only takes one successful attack, and with today’s in-flight encryption techniques, organizations can camouflage traffic so it cannot be read or manipulated, and even disguise the fact that there is traffic flowing at all.