This special interest group supports professionals who are involved in the critical mission of restoring service, business continuity and effective emergency preparedness in gas and electric utilities. 


You need to be a member of Energy Central to access some features and content. Please or register to continue.


8 Security Essentials for IoT in the Utility Environment

The Internet of Things (IoT) has created many new capabilities for utilities and other industrial facilities. From better process visibility to downtime reduction, improved efficiencies and cost savings on maintenance and field service, there are a lot of upsides to using this new technology. But it also comes with a significant drawback -- increased exposure to cyber threats.

US electric utilities are increasingly in the crosshairs of the world’s hackers, and for this reason they must consider any IoT implementation carefully in order to avoid exposing sensitive networks and machines to undue risk.

Here are eight essential steps every utility should take:

#1 - Conduct a thorough risk assessment

Determine how an IoT system will change the utility’s security posture. This includes asking:

-- Does it simplify or complicate any of the monitoring or reporting processes currently in place?

-- Does it add connectivity (either direct or indirect) to sensitive machinery, terminals or processes that should be kept isolated?

-- Are any machines now remotely accessible?

-- Does it create new types of privileged data and how accessible is that data?

-- Is there a way to audit the IoT device and the device manufacturer for strong security standards?

-- How difficult will it be to update the device’s software, firmware and hardware to account for newly discovered security vulnerabilities, performance problems or other bugs/glitches?

-- Does the operations team still have sufficient manual and override controls in place to thwart a disastrous cyber attack?

#2 - Know your digital footprint

It’s not uncommon for a utility -- or any other large industrial operation -- to have blind spots in its networks. These problems are often multiplied by the addition of IoT devices, which not only add in new connections but may also contain hidden connections and data flows which may be difficult to observe.

According to a 2018 study by the Ponemon Institute, only 9% of organizations say they are fully aware of all the physical objects in their environments that are connected to the Internet. The same study found that only 15% of survey respondents have an inventory of most of their IoT applications and 85% cite the lack of centralized control as a reason why it is so difficult to maintain a full inventory of IoT applications.

In order to protect a utility from malicious actors, it is absolutely critical to know all of the access points on the utility’s network, both Internet and internal network connections, and where data is actually flowing. This will enable the utility to determine what type of data (and how much) is being transmitted across the network, which is essential for determining the level of risk it would face in the event of a data breach. However, it also allows the operator to identify any weak/vulnerable devices or setups on the network, catch and fix any unintentional data exposures, and locate any devices with hidden vendor data routing or call backs (ex: Shanghai Adups Technology Co. Ltd.).

By creating a data flow diagram, the utility can model the process aspects of a system and visualize the structured design, providing insights that are much more difficult to get any other way.

#3 - Establish governance and policy

This topic doesn’t really generate much buzz. However, when you hear from chief information security officers (CISOs), their top issues are communication, reporting to executives and getting people on board with their decisions.

When it comes to the operations floor, the people may be slow to comply or reluctant to accede to IT security mandates. The operations management team might be afraid of losing control -- especially to the IT team and the “carpeted” part of the business.

For this reason, it is critical for the utility to involve both the IT and OT teams in the development of IoT security policies. This should be a team effort, so that the concerns and experiences of both sides will be included in the development of these policies. This will establish stronger and more consistent governance on critical issues like disabling a risky IoT device within the facility if a threat or suspicious activity becomes known.

#4 - Stop ‘things’ from doing malicious things

Recently, half a billion smart devices in use around the world were discovered to be vulnerable to a decade-old attack called DNS (Domain Name System) rebinding. In 2016, the Mirai worm is believed to have infected millions of Internet routers and IP cameras, which it turned into a botnet used to hit prominent websites with denial-of-service attacks. In 2017, the Reaper botnet went a step further with IoT-targeting malware.

IoT devices often rollout with weak security designs and unpatched flaws, leaving them vulnerable to attack. The key to protecting these vulnerable devices is to utilize a DNS protection service (this is a cloud-delivered network security) that will block the IoT devices from being sent to malicious sites, while also protecting them from major malware, botnets and phishing threats.

DNS protection is relatively easy to use since it never actually “touches” the device, and therefore doesn’t require a hardware installation or software to maintain.

#5 - Prepare for an event

Utilities should never plan on preventing all attacks on the network, and this includes any IoT devices. No matter how robust the security framework is, it should be assumed that hackers will eventually find a way to break in.

For this reason, it is critical that utilities devote a considerable portion of their IT security planning and budgeting to provide for post-breach defense, otherwise known as an incident response plan. Utilities are being probed and attacked at all times, and they must assume that a compromise will eventually occur. Resiliency is the ability to bounce back from a successful attack, without losing too much operational downtime or allowing the attacker to spread across the network.

At a minimum, an incident response plan should include: robust network monitoring tools with supporting staff so that security incidents are caught early on; tools and methods in place to contain and neutralize threats as quickly as possible; authority to take an infected device offline if needed.

#6 - Collaborate to align tasks and responsibility with your third parties

According to the first market guide for data center and third-party hardware maintenance, issued recently by Gartner, there are more than 10 million devices under third-party maintenance (TPM). About half (53%) of companies rely on contractual agreements to mitigate third-party IoT risk, but only a quarter or so of respondents say their onboarding due diligence process actively evaluates the IoT risk of third parties.

What we must realize is the success of an organization’s product or service is now fundamentally intertwined with others. My risk is their risk, and their risk is mine—it’s one in the same. As a result, utilities need to streamline vendor management, and they should also be on the path to assign accountability for monitoring the use and deployment of IoT devices, as well as collaborate with appropriate parties to find successful techniques to manage and mitigate third-party IoT device and application risks.

#7 - Segment

While there is some debate about the pros/cons of segmentation within IT networks because of the complexity, the bottom line is that it is critical for connected industrial devices to do so.

By segmenting these devices, a utility will reduce its overall risk exposure since it is limiting the amount of access and data an attacker could obtain through a single breach. “Lateral spread” is a key concern in cybersecurity -- this is when an attacker can spread across a large network from a single point of compromise. Segmentation is a critical defense against this.

It also has other benefits.

In general, segmentation will dramatically reduce the time it takes to detect a breach. Incident identification can go from roughly 100 hours down to a mere eight hours, and we’ve seen a reduction in the ability to fully compromise from 90% of the time to 15% of the time. Segmentation also reduces the cost to maintain, monitor and protect all of the components by a ratio of 3-to-1. These are orders of magnitude in difference. With digital drivers to improve experiences, automate operations or change business models, there is now a need to manage data, systems, devices, people and things from all over the globe. Therefore, solutions must also be software-based to be able to effectively make zones or planes across geographies.

#8 - Deceive hackers

IT and OT teams may be the least familiar with this strategy, but creating IoT “decoys” on the network is another important tool in defending a utility against malicious actors.

A decoy is essentially a trap on the network -- it is a fake IoT device, production asset, workstation or server which diverts the hacker away from the real targets. A decoy will look identical to the IoT devices on the network, thus in this case decoys appear as production IoT servers.

This type of deception is a great, simple technique that has no impact to the actual devices, does not expose the network to any added risk, and it doesn’t require agents or software code loaded on the device to work. By engaging with decoys and not with production devices, the attackers waste time, reveal themselves to the IT security team and can be quickly quarantined and studied for detailed forensics.


These eight steps are not the end-all, be-all of IoT security, but they are a good start. Utilities need to plan carefully for the ways in which IoT devices will expand their attack surface, complicate data flow and add new monitoring demands. It is possible to modernize the operational environment with these devices while not sacrificing security, but it requires a dedicated effort and strong coordination between the IT and OT teams.

Stephen Marchewitz's picture

Thank Stephen for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.


No discussions yet. Start a discussion below.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »