Cyberattacks on utilities more than doubled from 2020 to 2022. It’s likely the case that the rapid growth of connected assets is outstripping security capabilities. One analyst firm predicts that by 2026, industrial organizations will have more than 15 billion new and legacy assets connected to the cloud, internet, and 5G.
Security and IT leaders at utilities should consider a Zero Trust approach as they confront this threat. Zero Trust is a popular cybersecurity strategy that eradicates implicit trust and continuously validates every stage of a digital interaction. It’s a practical and helpful way to keep networks, assets, and remote operations secure.
Three factors complicating utility cybersecurity
Utility companies rely heavily on operational technology (OT) networks, which today contain many legacy devices that weren’t intended to be connected to the internet and so they weren’t built with security in mind. These are technologies that largely lie behind the scenes and go unpatched and non-updated. This can make securing utilities especially challenging.
Another factor adding to the challenge is the rise of remote operations as it requires granting access to employees, vendors, and partners who may be accessing data, devices, and facilities from anywhere in the world.
Many industrial control systems (ICS) and SCADA assets possess external connections. Some third-party vendors, for instance, remotely support, update, and maintain industrial equipment and systems. They can efficiently and effectively find and fix issues, which reduces downtime so that critical infrastructure can remain in continuous operation. Yet ironically, this activity also creates a security vulnerability.
Creating a Zero Trust environment
The Zero Trust model helps to create a full inventory of connected devices and informs security teams about any anomalous network behavior. This model makes it easier for Utilities to keep their remote workers secure across a broad swathe of functions and responsibilities. This is possible because Zero Trust provides a standardized framework for safeguarding the plethora of devices and sensors within and outside a plant.
Three of the main Zero Trust principles that help utilities are:
- Begin with comprehensive visibility: You can’t protect what you can’t see. Get a comprehensive and accurate view of your OT threat surface for your organization.
- Implement least-privilege access control and segmentation: Partition your OT networks so that they are separated from the internet and corporate IT. Make sure every user has the least access possible to fulfill their job roles.
- Constantly verify trust and inspect security: Make sure your security system can continuously inspect all network traffic and verify the security of all users, OT assets, and applications.
Improving remote operations with Zero Trust
Utilities, which the federal government considers part of the nation’s critical infrastructure, must get these authentication, access, and connectivity issues solved. Attacks against these entities aren’t theoretical. Earlier this year, 22 energy firms were hacked in a coordinated effort against Denmark’s critical infrastructure. The attack was discovered quickly, without impact on customers, but it could have left more than 100,000 people in Denmark without power in a worst-case scenario.
And similar types of attacks will continue to occur, making vigilance and secure remote access critical. With a thorough Zero Trust framework, utilities can better:
- Create secure remote work access – Both in-house and remote workers benefit from a Zero Trust approach, from design engineers to sales staff to business partners and other third parties. Contractors or other third parties could be using unmanaged devices, which makes this approach particularly important.
- Have dependable access and management – Across all cloud applications, OT, and IT, users only have to learn one interface, and network admins only have to manage one system. This approach minimizes potential loss of data and errors by limiting access to only what users need to do their jobs.
- Continuous inspection – A total Zero Trust framework not only controls access, but continuous and advanced security inspection allows legitimate traffic while foiling threats.
Because Zero Trust helps lower the time related to buying, implementing, and operating a distributed remote access environment, this approach also benefits an organization’s bottom line.
Making remote work in utilities secure
As utilities manage an expanded network surface and more remote and hybrid employees, it’s becoming increasingly difficult for security and IT staff to address all the new challenges that these changes bring. The saying “trust, but verify” may have made sense before the age of computers, but not anymore. Today, organizations are better served by a new saying: trust nothing, verify everything.
The critical infrastructure sector, of which utilities are a part, must adopt the Zero Trust approach as ongoing cyberattacks by remote threat actors – or innocent employee and partner mistakes – escalate the threat level. The journey of a thousand miles begins with a single step, and this journey towards Zero Trust can take some time, but it’s one that utilities must take.
To learn more, visit us here.