Page 30 - Security Today, November/December 2021
A Modern Threat
Utilities require state-of-the-art surveillance tools
By Michael Shipley
Whether it is water, electricity, gas, oil or even telecommunications and transportation hubs, critical infrastructure facilities present unique challenges for security professionals. Threats against city utilities in North America have never been as diverse or real as they are today, and ensuring the security of these vital backbones of a country’s infrastructure is important.
CYBER SECURITY THREATS
Beyond physical attacks, combating cyber security threats and natural disasters also presents an ongoing challenge for utility providers. Multi-billion-dollar economic losses are no longer a hypothetical attack scenario, but are relevant for short-term regional outages. Bad actors know that such facilities can give them maximum attention and, as such, consider them prime targets.
The recent cyber-attack that forced a temporary shutdown of the Colonial Pipeline, one of the largest in the United States, serves as a stark reminder of how damaging and ever-present such threats can be. Likewise, an earlier cyber-attack in Florida that sought to compromise a water treatment plant saw hackers exploit remote access software and compromise credentials. This might have been a classic case of human error with a single shared password, but it is up to security professionals to protect people from themselves by enforcing best practices and using techniques such as multi-factor authentication.
With technological development and the increasing popularity of ‘smart connected infrastructure’ comes the inclusion of networks that connect grids, pipelines and other critical infrastructure with multiple operators and databases, maximizing the potential number of entry points vulnerable to cyber-attacks. Utilities are at higher risk, since large numbers of attempted attacks occur every day.
STANDARDS AND COMPLIANCE
Because utilities are part of the critical infrastructure mix, they have strict regulations that must be adhered to regarding security, with strict penalties and fines for any organization found out of compliance. As an example, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) are both involved in overseeing new standards that specifically address the physical and cyber security of all control centers, stations and substations throughout the country.
This can include compliance with specific standards such as the NERC CIP (Critical Infrastructure Protection) for electrical utilities. These standards specify how electrical utilities are to monitor access points, protect cyber-security assets and monitor the perimeter.
In particular, NERC’s CIP 014-2 and CIP Version 7 standards have the industry taking a closer look at security operations at facilities near and far. The CIP 014-2 standard calls on all responsible electricity entities to identify their critical facilities, evaluate the security risks and vulnerabilities to those identified facilities, and implement measures to mitigate the risk of physical attack.
While CIP Version 7 is more oriented towards cyber-attacks, risk mitigation often involves physically securing substations and stations where Supervisory Control and Data Acquisition (SCADA) systems, and relevant servers and network switches, are housed. Under these NERC standards, electrical service providers are required to meet phased mandates, each with penalty-subjected deadlines. Other utilities may have similar regulations with which to comply.
CYBERSECURITY
Any poorly protected IoT device represents an opportunity for a hacker to exploit the device and potentially gain access to an organization’s internal protected network. Since IP-based cameras, the VMS, NVRs and supporting infrastructure all communicate over the network, it is critical that the security system not be an entry point for cyber-attacks.
It is vital to have confidence in the security of each device on the network. With cameras, it is important to know as much as possible about the manufacturing process and the supply chain regarding the sourcing of internal components. What chipset is used, where was it made and who made it? Is it an OEM or white label product versus an actual manufacturer-developed and designed product?
These are important factors that can have an impact on the underlying security of a device. IT professionals can do their best to secure the network, but, if they don’t know what’s going on inside the device, those efforts could be wasted. Utilities should ensure that cameras are NDAA (National Defense Authorization