Utility sectors have a unique set of challenges that make securing them a job for the experts. That’s where Fortra steps in.
We understand the industry regulations specific to water, electricity, and utilities at large. We know the organizational complexity and comprehend the checks and balances that go behind each decision. We understand that mixing old OT with new IT creates a whole range of new problems, and we have solutions that can solve them.
The State of Utility Cybersecurity Today
It’s no secret that utilities are under attack from cybercriminals, both domestic and international. Previously a less-exploited vector, utilities are facing increasing pressure as more of their systems go online. Now, industrial control systems are accessible from anywhere, making them both a boon to consumers and a target for bad actors worldwide.
Utilities Are Targets for Cybercrime
The energy sector — which underpins each of the other 16 sectors of Critical Infrastructure (CNI) — is understandably a big target for attack. Knock that down and all the other dominoes follow. Recent incidents include attacks on European oil facilities, physical disruptions to the grid, and rising energy-targeted ransomware attacks.
Tragically, many utilities — energy especially — fall ever more behind as the world speeds up. The more digitization, the more at risk these traditional SCADA systems are (think water mains, gas pipelines, oil refineries, and the lines-and-poles grid). As the International Energy Forum stated on their blog, “[Vulnerability] is growing day by day as the energy sector becomes increasingly digitalized and decentralized, with the deployment of wind, solar, smart meters, EVs, and other distributed infrastructure expanding the already-large surface area for attack.”
Here’s Why: Utility Cybersecurity Risks
Part of what makes utility sectors so appealing for threat actors is a perfect trifecta of vulnerability:
- Historically underprepared cybersecurity resources
- Legacy architecture too costly to replace wholesale
- An unparalleled reach into millions of lives, creating high criminal ROI
While these are the big picture “Why’s”, there are plenty of specific areas of vulnerability that make utilities sitting ducks for attackers. Several examples include:
- Supply chain threats: Speaking of securing the energy trust value chain, the World Economic Forum cited that “during 66% of the incidents, attackers focused on the suppliers’ code to further compromise targeted customers,” and that “an entire value chain can be brought to its knees due to a single organization’s weakness or vulnerability.”
- Mixing IT and OT: Utility sectors are rife with inherited architectures that came up before the age of sophisticated cybersecurity. Retrofitting them to the new era typically means combining them — latent vulnerabilities and all — with newer IT services such as smart meters, IoT devices, and a broader internet. While the new IT systems may be safe, the old OT mechanisms can be easy to hack into, and criminals use easy entryways in one to pivot to wider access in another.
- Phishing, tried and true: It’s one of the oldest tricks in the book, and utility operators are not immune. Phishing campaigns are a common way of hacking the energy sector, to say nothing of all the rest. As stated by Fortra’s Agari, “state-sponsored attackers have spent years phishing for nuclear reactor technology, login credentials for power plant control engineers, and other sensitive data.” One successful phishing attempt in 2017 led to the unthinkable: hands-on access to the power grid by malicious threat actors.
- Weak or incomplete cybersecurity posture: As far back as 2016, energy industry reports were citing the scarcity of cybersecurity resources among the power sector, noting that, “Without enough cybersecurity staff and/or resources, utilities often lack the capabilities to identify cyber assets and fully comprehend system and network architectures necessary for conducting cybersecurity assessments, monitoring, and upgrades.” While this may seem obvious, it is one of the deepest security problems among energy utilities at large: lack of qualified personnel to handle the influx of cybersecurity challenges barraging new infrastructure and threatening modern control systems.
- General lack of cybersecurity awareness: Part of the fight is changing not only the technology, but the mindset. The world that invented the landline phone and copper pipes typically saw cybersecurity as an “IT thing”. Now that all companies are software companies, all hands are required on deck and there are things in each process — from Finance to HR — that must be cybersecurity safe and data privacy compliant. Needless to say, there is a lot of cultural catching up to do. As reiterated by the International Energy Agency (IEA), “Cyber resilience activity needs to be integrated into the culture of the organization, rather than being considered as a separate, technical issue.”
These weaknesses put utilities at risk of breach, compromise and attack — both cyber and physical — from both threat actors at home and nation-state actors abroad.
The good news is that progress has been made. While there is still a long way to go, positive steps have been taken to secure the energy sector at large. The U.S. government adopted the National Cybersecurity Strategy this past March, and new research published by DNV indicates the energy industry is increasing its security spending. Hearteningly, nearly 60% of energy professionals surveyed by DNV state that the amount their organization is investing in cybersecurity this year will be greater than it was last.
What’s at Stake: Utility Cybersecurity Consequences
While a few minutes with your imagination could come close to the picture, here are some very real possible consequences of cyberattacks in the utilities sector.
Let’s start small. You have run-of-the-mill service disruptions, like power outages. On the light side, it’s a few hours in the dark. On the flip side, it’s hours of revenue lost for small businesses caught without a generator when their POS goes down, or worse — widespread stoppage if the outage has affected access to the internet.
Moving up, threats can include ransom payments that grind major multinationals to a halt and sometimes involve the highest levels of federal intervention. The 2022 FBI Internet Crime Report revealed that there were 870 reported incidents of ransomware affecting CNI sectors last year alone.
In the water sector, the risk could be as deadly as poisoning the water supply. In an industry report, the American Water Works Association warns that “attacks causing contamination, operational malfunction, and service outages could result in illness and casualties, compromise emergency response by firefighters and healthcare workers, and negatively impact transportation systems and food supply.”
How Cybersecurity for Utilities Can Manage Cyber Risk
As imminent as the danger may seem, there are always effective ways that utilities can manage cyber risk.
Utility Cybersecurity Best Practices
For many utilities, it would not be redundant to start with the basics. Every utility — from local municipal water stations to multi-million-dollar oil refineries — is at a different place on their cybersecurity maturity journey. That lack of unification is part of the problem. Indeed, this is the reason many energy companies have joined the National Council of ISACs, a group of entities “established by critical infrastructure owners and operators to foster information sharing and best practices about physical and cyber threats and mitigation.”
However, no matter where a utility is in terms of cyber preparedness, here are some best practices that can baseline any utility and give them a functional jumping-off point.
- Discover your weak spots: Develop a proactive and forward-looking approach and conduct a risk assessment throughout the whole supply chain to identify gaps, vulnerabilities, and compliance violations.
- Implement at least these key policies: Develop and implement robust cybersecurity policies and procedures that align with your industry’s specific regulations (including policies for access control, password management, incident response, and data backup and recovery).
- Always vet for new vulnerabilities: Constantly monitor vulnerabilities and cybersecurity risks throughout the whole product lifecycle. Don’t have the time? Our professional services can do the work for you, performing ongoing vulnerability assessments to make sure you’re always ready for whatever threats your utility might face.
- Secure email and collaboration tools: Implement email security solutions and secure collaboration tools to fight complex phishing attacks.
- Don’t let your employees drop the ball on utility cybersecurity: Train employees to improve cybersecurity awareness and educate them on how to recognize and respond to cyber threats.
Additionally, external guidelines like industry compliance regulations serve to provide additional backbone for utility cybersecurity postures.
Utility Compliance Regulations
While regional data privacy laws like GDPR and CCPA apply across the board, utilities are also fighting back with industry regulations of their own.
In the energy sector, the North American Electric Reliability Corporation (NERC), designated by FERC as the nation’s Electric Reliability Organization, develops Critical Infrastructure Protection (CIP) cyber security reliability standards to keep power utilities on the right side of the security line.
Dealing with the security of the smart grid specifically, FERC and the National Institute of Standards and Technology (NIST) were given responsibilities by the Energy Independence and Security Act of 2007 (EISA) to establish smart grid guidelines and standards.
The water sector receives memos and guidance from the Environmental Protection Agency (EPA) and falls under the jurisdiction of their associated mandates.
Fortra Secures Industrial Utilities
For years, Fortra solutions have been trusted to provide best-in-class cybersecurity for leading national utilities. Our suite of utility and energy critical infrastructure security solutions helps you meet your compliance requirements — be they NIST, CIP, NERC, or others — and keeps you constantly alert, aware, and secure in a changing threat climate.
- Fortra’s Globalscape engineers designed a custom Enhanced File Transfer (EFT) solution to give one of the UK’s largest water companies the ability to distinguish between internal and external access and share files securely.
- Fortra’s Tripwire enabled an energy transmission utility to achieve NERC compliance in the midst of complex OT environments containing industrial control systems (ICS).
- Tripwire solutions also allowed a multi-billion-dollar energy company to gain visibility into unauthorized changes made by its outsourcer.
Fortra’s crafted solutions are built to secure industrial environments and bridge the IT/OT gap. Leveraging our industrial solutions allows you to:
- Automate compliance with standards such as NERC CIP and IEC 62443
- Harden against anomalous behavior
- Gain visibility into your environment with industrial protocol compatibility
Learn more about how Fortra can help you secure your energy utility.