Core industries and critical infrastructure systems are becoming increasingly connected and digitized, and these developments have clear benefits, as digitization and connectivity allow companies to make major gains in safety and efficiency. Unfortunately, it's not all positive: when companies place more trust in connected software and networked devices, the potential for dangerous cyber attacks increases as a result. Critical infrastructure sectors are also facing expanding cybersecurity regulations to address the increasing cyber threats.
A hack on a single substation or microgrid no longer means compromise of a single device; it can mean compromise of the entire infrastructure. A security breach at a single point has the potential to allow a hacker access to the network as a whole, opening the door to catastrophic levels of damage, both physically and economically. In 2016, CrashOverride took down parts of Ukraine's power grid, resulting in the loss of 80% of Kiev's total power capabilities for about an hour. This hack was deemed relatively inconsequential, given its short duration and because there were no severe long-term impacts. But the truth is that the malware worked, and as it turns out, this attack was only a test, and a successful one at that.
Earlier this year, four U.S.-based natural-gas pipeline operators were victims of a cyberattack on a shared network. Customer-facing communication was shut down for a full week, and the attack possibly resulted in theft of customer data. Attacks on industrial control systems are inconvenient and financially damaging, but beyond that, hacks on these systems have the potential to cause serious physical harm: spills, explosions, etc. And hackers are only getting smarter.
Difficulty with securing critical infrastructure
The traditional systems in place are not equipped to handle the technological interconnectedness of the systems they aim to secure. The resulting inability to comply with new and upcoming cybersecurity regulations can mean heavy fines for companies, in addition to the economic and reputational risks they already face by employing insecure systems.
The security systems that industries rely on to protect their most critical assets have lagged behind the industries' connected development. Many utility industries rely on legacy systems: unmanaged passwords and unprotected control protocols that cannot handle the scope and complexity of a network whose devices increase in quantity and diversity daily. And updating legacy systems manually is slow, impractical, and sometimes impossible, considering that a single critical infrastructure system can include tens or hundreds of thousands of distributed assets.
Another significant risk comes in the form of transient devices. Networks, laptops, and phones are all used within industrial control networks to access devices and perform maintenance. These (sometimes personal or contracted) devices are not secured with the diligence necessary to keep systems safe from attack, especially given that periods of maintenance and update are particularly susceptible to security breaches. The age of clipboards is over for industrial security: companies need to recognize that they will not be able to efficiently comply with regulations without upgrading to decentralized, automated methods.
New cybersecurity regulations pose new challenges
Regulatory compliance is an additional spur for companies working to increase security. The Federal Energy Regulatory Commission is putting new regulations in place that tighten requirements for transient assets, distributed networks, and other vulnerable aspects of the utilities industry. This should be great news. However, many operators in critical industries are not equipped to comply with these cybersecurity regulations in a timely, cost-effective way (especially given that companies only have until October 2019 to comply). Compliance for industrial control system (ICS) operators can mean manually rotating passwords for thousands of distributed devices on an ongoing basis. For companies that are still reliant on centralized or manual security systems, this is nearly impossible to do efficiently and accurately. In a recent example, PG&E was fined $2.7 million following the leak of confidential information without password protection, after a hired contractor had accidentally copied data to an external network that didn’t hold the same cybersecurity regulations.
Solution – Automation and decentralization
How do we get companies to stay ahead of the challenges posed by legacy systems, and enable them to comply with the cybersecurity regulations coming their way? The answer lies in an automated security solution with decentralized enforcement, so security can be enforced in the field, where the distributed machines and applications are deployed. Companies need an automated way to update systems to be compliant with new cybersecurity regulations, which will continue to expand as connectivity increases and develops. Automated compliance solutions will enable businesses to manage and enforce security requirements for the distributed devices, applications and users that make up industrial networks. Instead of an individual resetting the password on thousands of widespread devices, the solution manages these updates automatically, complying with the password-reset requirements set in place for an entire industrial network. Automated systems with a single dashboard allow for easily replicated security requirements, password rotation, and exposure of non-conformant systems and transient devices that require strong security protection.
Automation and decentralization won't just help companies comply with these much-needed cybersecurity regulations and avoid a fine; these methods also give industrial organizations the best way to protect assets efficiently and successfully. Developing a unified security solution means saving companies significant time and significant money, and allowing connectivity to be an asset, rather than the cause of a catastrophe.