Many people understandably focus on the physical security aspect when thinking of infrastructure security. For municipal utilities, that tendency is even greater. Your local city's water supplier, sewer authority, or electrical utility doesn't typically concern themselves with nation-state actors or cybersecurity threats, but failing to do so in an increasingly interconnected world is a critical error. Security strategies for utilities infrastructure must adapt to the emerging threats that are presenting themselves.
Interconnectivity Invites Vulnerability
Undoubtedly, nearly all areas of our lives are more connected to the internet of things than in the past. This presents a unique challenge to security teams tasked with protecting critical infrastructure. Technological advancements allow for smart water and electric meters and remote monitoring of operational technology (OT). Still, the vast majority of utility infrastructure predates this era. These legacy systems and industrial control systems were never designed to be accessible from the internet, which can lead to extreme vulnerability.
Even the United States Department of Energy recognizes the critical threats facing our electrical systems, but it isn't just the electric grid at risk. For example, take the case of Oldstown, Florida, in 2021. A cyber attack resulted in the levels of lye within the city's drinking water system being raised to over 100 times its normal dilution. An alert system operator noticed the remote access and immediately restored the setting to its appropriate levels after the attacker exited the system. However, that should be a chilling story for anyone responsible for utility infrastructure. Redundant systems are in place nearly everywhere, but with more connected systems comes more potential for those redundancies to be compromised or exploited.
It isn't just your systems that you need to be concerned with, either. Municipal utilities frequently rely on vendors for everything from information technology services to maintenance. Security strategies for utilities and infrastructure must consider the frequency of vendor utilization and the level of access that they have to OT and physical infrastructure. Along with some time-saving tips for vendor risk managers, we've compiled valuable additions to your critical infrastructure protection plans that consider cyber and physical security.
Best Infrastructure Security Solutions
The North American Electric Reliability Corporation (NERC) critical infrastructure protection plan sets the minimum allowable standards for cybersecurity protections of the bulk electric system. That, at least, is a starting point when evaluating your cybersecurity posture, but these next steps we've collected will take things even further.
The majority of municipal utilities organizations have considered the physical security of their buildings, installations, and transmission infrastructure either during construction or at least after the fact. Where we've seen that they need to catch up is the implementation of technological advances in that aspect of physical security. That leads us to the first entry on our list of the best security strategies for utilities infrastructure.
Implement Next Generation Physical Security Technology
Video surveillance is a mainstay in the physical security world for a reason. Still, new advancements have allowed next-generation surveillance systems to act as a true force multiplier instead of a poor replacement for security patrols. With high-definition video and massive optical zoom, some vendors have integrated smart tracking and smart detection options that have allowed artificial intelligence and machine learning to make a significant impact as a security solution.
These technologies can learn the everyday activity and noises around a location and highlight things outside the norm. Coupled with a monitoring station and active notification system, this can reduce false alarms and notify personnel of abnormal conditions, whether an intrusion or an infrastructure issue. Entities that need to recognize these advanced capabilities are leaving a lot of options out of the table when it comes to superior security strategies for utilities infrastructure.
Conduct a Thorough Risk Assessment
A true long-term security solution will only be effective with a quality risk assessment. This evaluates the threats facing your infrastructure and your specific utility's risk tolerance. This may seem simple, but this step is necessary before moving to other security strategies.
Upgrade and Integrate OT and IT Systems
The Cybersecurity and Infrastructure Security Agency (CISA) has earmarked substantial grant funds for critical infrastructure protection, specifically cybersecurity. Even without those funds, municipal utilities should look at completely upgrading their operational technology and IT systems. Security must be considered from the beginning instead of being added on as an afterthought. Complete design and implementation of a fully integrated OT and IT network help to eliminate the vulnerabilities that exist when two independent systems are cobbled together and forced to work in conjunction through many created steps.
Use Common Tools and Encrypt Data
This is a twofer. Using standard tools across your systems is necessary. Each network should be equally protected from firewalls to antivirus, and your staff will more easily manage that protection if they're working with the same standard across the board. Secondly, data encryption is a staple in cybersecurity but is even more important when dealing with critical infrastructure protection. SCADA systems and commands within industrial control systems should be encrypted. Still, with the advent of smart meters, that data is at risk in transit if left unencrypted and can provide helpful information to hostile nation-states and other bad actors.
Utilize a Managed Detection and Response Provider
Many water and electrical utilities need information technology resources to establish their own incident response teams for cybersecurity threats, even with the added assistance of resources through the Department of Homeland Security and CISA. Outsourcing to a vendor with that expertise can save a lot of headaches in the long run. Instead of a traditionally managed security services provider that limits itself to monitoring logs, identifying known threats, and preventing access, a managed detection and response provider specializes in response plans. They will quarantine infected systems for forensic review, actively hunt persistent threats, and provide quick responses to ongoing incidents.
At Venture Lynk Risk Management, our motto is trust but verify. We specialize in vendor risk management, but Venture Risk Management provides an array of customizable cybersecurity and risk management services. Whether you're looking for assistance with changing regulatory requirements, preparing for an audit, or trying to establish a cybersecurity program from scratch, our team of experts can provide you with industry expertise you can count on.
