Scrolling through my news feed this morning, I came across this article in the Financial Times about cyber security in the utility business. Ever since Russia’s invasion of Ukraine, the topic has attracted a fair deal of attention in the mainstream media. It’s not hard to understand why: NATO countries are now embroiled in a military conflict with a nation that has a proven track record of cyber attacks on utilities. However, even in a world without a cyber-aggressive Russia, utilities were bound to have to improve their cyber security, and there were always going to be growing pains.
As Bryan Tepper, Hawaii Electric’s CISO and Information Assurance Manager circa 2018, pointed out to me in an interview some years back: “the more advanced the system, the larger the attack surface becomes.” Our grid’s attack surface area has been getting steadily bigger over the past two decades, and it will continue to do so.
Advanced metering, for example, is a central tenet of most utilities’ modernization initiatives. The newest generation of smart meters allows customers to take control of their energy consumption, raises reliability, enhances safety monitoring, and greatly facilitates demand response programs through increased data exchange. However, each unit contains the customer’s confidential information, making it a target for cyber criminals and sinister foreign actors.
There are ways to mitigate the vulnerabilities presented by smart meters, of course. Hawaii Electric Company, like many other power companies, protects the meters by emphasizing segmentation and credentials, common themes throughout its cyber-security efforts. First of all, each customer must go through a multi-factor authentication mechanism and provide specific credentials to access their meter. If a hacker somehow finds a way around those obstacles, the meters are kept on a separate system from other components to ensure that such a breach wouldn’t compromise the whole grid. However, these are mitigation efforts, not comprehensive solutions.
As Bryan Tepper predicted in that same interview four years ago, collaboration between different private and public entities has become all the more vital as security concerns have heightened. The Joint Cyber Defense Collaborative (JCDC), which was put together last year by CISA, provides a 24/7 feed of threat information compiled from key industrial sectors and the FBI, DHS, NSA and the Energy and Treasury departments. If a utility isn’t taking advantage of the JCDC’s product, it’s doing itself a disservice.
Simon Hodgkinson, former chief information security officer at BP and a board adviser at the IT security group Reliance acsn, recommends utilities go beyond mitigation and prep for worst-case crises. Here’s how his advice was summed up in that Financial Times article:
“Beyond the ‘basics’ — which include updating and monitoring systems and having the necessary backups in place — energy companies need to undergo ‘crisis exercising’, he says. ‘Prepare for the worst and ensure recovery and mitigation plans are robust.’”
If there’s any silver lining to the cyber risk posed by Russia at the moment, it’s that utilities and governments are finally modernizing their security systems, as they would have had to do anyway. Also, we can take solace in the fact that Russia’s utility takedowns of late have seemed about as poorly orchestrated as their invasion of Ukraine.