Cyber attacks on water, energy, and other critical utilities are on the rise. With the rising trend of embedding digital solutions across the utility assets and so many moving parts needed to manage utilities effectively, hackers easily find vulnerabilities and take advantage of them.
It is essential to understand that when it comes to cyber, each component in the network and each communication between different parts is a potential window for hackers to exploit. The key to a cyber secure utility begins with understanding where a hacker may intercept communication and how to stop a hacker from getting in the middle of a transmission.
We will focus our attention on the remote assets in the network and the operational side of digital solutions. With hundred miles of pipes or transmission lines managed by a single utility, the complexity of digital solutions for this type of assets is exceptionally challenging. This is no easy task. The following article will describe different parts of a digital system and present general rules dictating what areas need attention.
Industrial Internet of Things
Automation and digitization enable utilities to improve many aspects of their operations, from overcoming operational challenges to providing more services using fewer resources.
This digitization process brings physical assets to the internet and makes them susceptible to cyber-attacks. Dataloggers, programmable logic controllers (PLCs), and Remote Terminal Units (RTUs) typically gather data in the field – anywhere along hundreds of miles of pipes and transmission lines in the utility’s system. Historically, these devices gathered and stored data until a crew member physically ventured to the field, downloaded the data, then transferred and uploaded the data to the central system in the main office for review and analysis.
The Internet of Things, or Industrial Internet of Things (IIoT) in utilities, changed the way data is delivered and used and, with it, the efficiency of critical utilities. Instant transmissions over the internet bring real-time visibility of remote assets. This situational awareness enables utilities to make better decisions and optimize existing resources. But it also creates a new transmission space for monkey hackers to intercept.
Understanding the different parts of a digital utility network is the first necessary step. Critical components in IIoT digital networks serving critical utilities include:
· Data creation and collection devices - Dataloggers, PLCs, RTUs
· Data management tools - Software Platforms
· Specialty Software Applications
· Mobile Apps
All those parts are interconnected, and each plays a different role in the data chain. But there is one thing in common to them all – the need to keep communication between them as secure as possible.
In short – Sensors and dataloggers/PLC/RTU are used to create field data that is transmitted to remote software platforms where data is managed. In addition to the primary communication of data and configuration commands between the software platform and the field hardware, two additional less noticeable parts to keep in mind are Bluetooth communication with mobile devices (used for local field configuration) and interfaces between the software platforms and specialized software application.
Playing Monkey-in-the-Middle: Hacker Standard Operating Procedure
In most cases, what a hacker needs is to take advantage of unprotected transmission to attain his goal of intercepting the entire system. The complexity of modern systems is high, but by making sure some basic practices and precaution measures are enforced, a utility can gain better control over its cyber resilience:
Dynamic IP is the new norm - Nowadays, hacking legacy solutions which have not embedded cybersecurity measures made is relatively easy. In many cases, legacy devices gathering data in the field use a fixed IP address. To gain access, a hacker simply needed to wait until a transmission took place at that address. Even if the data is encrypted, it is transmitted from the exact location on a standard schedule. If the hacker cannot decipher the encryption today, tomorrow, he will be successful. Today’s cyber-secure devices use dynamic IP addresses, forcing a hacker to actively search for each transmission before attempting to break the encryption.
VPN and not APN - A private access point was the height of secure communication – in the ’90s. Today, a private APN is simply a way for cellular providers to know which communications belong to the utility. A VPN, or virtual private network, is necessary for cyber-secure transmissions. When the data-gathering device in the field transmits data or a software platform in the office configures a device in the field, a VPN provides a private, encrypted channel within the public wireless network. To gain access to a VPN, each component must be authorized through an authentication procedure.
Robust identity management - Username and passwords are accepted security practice in any industry. However, this security measure is only effective when passwords are unique and frequently changed. Utilities are notorious for weak password behaviors. When managing dozens of devices, the same username and password are often recycled – resulting in poor cybersecurity protection.
Advanced authentication schemes - The software platform must accept inbound data transmitted by the device in the field in the central office. Authentication is the process through which the software platform identifies the data as legitimate and accepts it. This step is crucial in keeping any manipulated or false data from infiltrating the central network. However, the authentication process is only as robust as the identifiers for the device and platform. Like a fingerprint, identifiers must be unique. Also, like fingers, it is helpful to have more than one; if one identifier is compromised, it can be excluded and a different one used in its place.
The “monkey-in-the-middle” hacker exploits communication vulnerabilities. Each interaction between any two components in a utility’s network has the potential to be hacked. There are different methods and strategies for reducing various risks. Responsible utility directors without advanced degrees in cybersecurity can ensure their networks are secure by adopting the universal gold standard for transmission security, TLS v1.3. When all IIoT vendors reach that level of security, utilities won’t be an easy target for cybercrime anymore.
This article is the second part of our Cybersecurity & Digital Infrastructure blog serie. The first article was initially published in Medium: https://hubs.la/H0YJZMV0