As the Utility Grid Merges with Communications Networks, the Air Gap My Not Protect Critical Assets

It’s deja vu all over again! As the utility grid becomes even more connected, and converges with communications networks to support new applications, including Internet of Things capabilities, new threats and security risks are emerging. The evolution of applications to the cloud is only making the environment more challenging to understand and secure.

 

Mitigating risks requires a combination of digital and physical security, which is making life for information technology (IT) and operational technology (OT) harder and more expensive.

More and more utility companies are looking for ways to simplify compliance even as they “mash up” things like smart meters, smart appliances, and energy management applications for consumers – so they can focus on growth and improvement of their sustainable energy goals, instead of worrying about becoming the next “poster child” for a major security breach.

 

Given our reliance on the “smart grid,” and its growing pervasiveness into all our lives as consumers and business people, security is becoming “job one” – or at least a hurdle that must be overcome in order for new services and revenue to manifest.

 

With more and more sensors, actuators, and controllers connecting to the Internet, resilience and reliability risks are continually increasing. IoT connectivity on the grid, and the connectivity of humans and sensors creates an almost impossible number of entry points for both external and internal attackers, as well as for human errors that don’t just bring a network down, but than take an entire energy grid down.

 

Dealing with these new challenges will require unprecedented collaboration between IT and OT teams within utilities, including independent energy providers and large consortiums like Cal-ISO in California.

 

All of these concerns run in parallel with the demand to meet strict regulatory standards, as citizens and the officials they elected to help protect them, are becoming more vocal about the need to ensure a smart meter doesn’t build a tunnel into a smart home that can be hacked in any number of ways.

 

Utilities in the US are among the most highly regulated industries, but compliance regulations cannot keep up with innovation, including from companies like Samsung and Whirlpool, who are building “endpoints” on “networks” that will ultimately help us manage energy consumption through software and networks.

 

It is a common misconception to think that the famous air gap between IT infrastructure and OT structure will protect a utility’s assets. The case of the StuxNet worm showed more countermeasures are needed. Any privileged access to the OT infrastructure (SCADA or similar) should be recorded indisputably, and any action taken should be verified against policies, automatically.

 

As the utility industry adopts IoT and cloud technologies, security must be a forethought, not an afterthought.

 

Every human being who is credentialed to make policy changes on utility grid networks must be managed.

 

And every machine-to-machine transaction must also be visible, as not all compromises to networks happen due to obvious human intervention.

 

The critical nature of energy grid security is impossible to overstate. To avoid attacks, which can have devastating consequences on people, communities and entire economies, utilities are rolling out comprehensive security that addresses their infrastructure and edge or field devices, the communications network and the cloud. The most enlightened and advanced utilities are engineering end-to-end approaches that integrate IT and OT.

 

Privileged Access Management – and Privileged Task Automation – get out in front of the problem, and offer solutions that are far more economically sound than simply hiring more people. The answer? Empowering people in the IT and OT worlds over a unified platform that enables them to manage all elements that could turn into vulnerability points, and doing so with advanced and proven automation tools that don’t break the bank.

 

Learn more about Krontech’s PAM solutions

Learn more about Krontech’s PTA solutions

 

Author: Orhan Yildirim