Jacqueline L. Mulhern
Utilities have been vulnerable for years. The only surprise is how long it took hackers to discover its lucrative value.
The Colonial Pipeline cyber attacks on critical infrastructure revealed to the world just how vulnerable we are to hackers. One breach in an energy company’s network caused shortages and raised gas prices throughout the United States.
To those of us developing digital solutions for critical utilities, the cyberattack was not a surprise. We know that utilities are hacked daily. With no reporting requirements, ransomware is typically paid discreetly and the cost is quietly passed down to the consumer.
Utilities providing critical services, such as energy, water, and wastewater, rely on the synergy between operational technology tools (OT) and informational technology software (IT) in order to maintain quality service. Unfortunately, many of these digital tools practically invite hackers in with a complete lack of cybersecurity procedures and practices.
Why?
Infrastructure is in crisis. The triple threat of aging infrastructure, operational stress caused by growing populations or extreme weather, and increased regulatory compliance reporting challenges the daily operation of critical utilities. Pipes, transmission lines, bridges, and roads struggle to supply daily needs. Whatever budget exists is spent on improving services. (See the ASCE 2021 Infrastructure Report Card for more dismal details.)
Digital tools are the most effective and cost-efficient way to boost the operational abilities of crumbling, critical infrastructure. Wherever adopted, digitization brings resilience and efficiency to aging utilities. Unfortunately, cybersecurity gaps between operational technology and informational technology leave utilities vulnerable to cyberattacks.
The OT — IT Disconnect
Today’s digital transformation of critical infrastructure is happening in two, separate realms. Operational technology (OT) tools drastically improve existing automation processes and present new ways to work more efficiently. Informational technology (IT) includes the gamut of software tools applied to the operational system.
The Industrial Internet of Things is a powerful tool in bringing resilience to critical infrastructure. It is also where OT and IT meet. A physical device, hardware, is deployed in the field to create data. The data created by this operational technology is transferred to informational technology, and software platforms, for analysis. When IT tools run algorithms and machine learning to the data provided by OT, actionable insights bring a new level of operational efficiency to the utility.
However, this sophisticated tool runs on two separate technologies. Many times, the technologies are provided by different sources. The cybersecurity measures in each separate technology never fully overlap, leaving holes for hackers to exploit.
What Now?
All a hacker needs for a successful cyber attack is one vulnerability. One opportunity eventually grants the hacker complete access to the system. The complex digital tools used by critical infrastructure have plenty of vulnerabilities for hackers to manipulate.
Cybersecurity must be integrated into the holistic architecture of digital solutions, and constantly updated to remain effective against the newest threats and vulnerabilities.
Utilities will not dedicate scarce resources to cybersecurity unless forced to do so. The public must pressure legislators at every level to institute binding cybersecurity protocols for all infrastructure providing critical services.
The gold standard of TLS v1.3 is a defined and actionable set of cybersecurity protocols. No solution used by critical public utilities that involve data communication should operate without it.
The Colonial Pipeline attack brought cyberattacks on critical infrastructure into the spotlight. Now is the time to demand a responsible approach to cybersecurity. Any network is only as secure as its weakest asset.
Cyberattacks could happen to anyone. They will happen to the least protected. Our infrastructure is too important to be the least protected.
Learn more about cybersecurity and continue to the Second Part of this article.