
Why Utility Cyberattack Risks Continue to Rise
As the headlines keep showing, cyberattackers are increasingly putting utilities’ operational technology (OT) and Internet of Things (IoT) security to the test—some with the intent of disruption at a societal scale. A recently issued warning by U.S. and international cyber authorities cites efforts by pro-Russian hacktivists to exploit vulnerable OT systems at utilities across North America and Europe. Because U.S. utilities are decentralized, individual targets vary widely in cybersecurity maturity. Authorities ask that utilities shore up protections for their internet-connected infrastructure to prevent malicious actors from gaining remote access to vulnerable systems.
While the targets of this particular threat span utilities responsible for water, wastewater, dams, energy and agriculture, utilities across any sector represent opportunities for attackers if their OT and IoT security strategies don’t actively deter those risks. Whether motivated by nation-state-level influences or simply by greed—and armed with the leveraging power of ransomware—today’s attackers are adapting their tactics to hit utilities wherever they’re most vulnerable.
Utilities have made enough strides in strengthening their traditional IT security that attackers have become eager for easier opportunities. Unfortunately, OT and IoT devices are difficult to protect using traditional security methods. As utilities have expanded their reliance on these devices to centralize control over remote infrastructure and monitor conditions in real time, they have lagged in introducing the OT- and IoT-specific security measures required to protect this vast connected infrastructure.
Utilities in the Crosshairs
Examples abound of utilities involved in cybersecurity attacks targeting vulnerable OT and IoT devices. In January of this year, pro-Russian hacktivists took credit for manipulating interfaces controlling OT devices at U.S. and Polish water utilities. In November 2023, the pro-Iranian group Cyber Av3ngers attacked a booster station belonging to the Municipal Water Authority of Aliquippa, a Pittsburgh-based water utility serving 15,000 people. The attack disabled devices monitoring water pressure, requiring OT systems to shut down. A spree of similar attacks then struck other U.S. water utilities in the following days.
2022 saw more than 1,600 attacks on power utilities in the U.S. and Canada that impacted power grids, including 60 power outage incidents. In 2021, a ransomware attack froze IoT sensors across oil and gas utility Colonial Pipeline’s vast infrastructure, leading to fuel shortages and panic buying in East Coast states. These incidents show that OT/IoT-based attacks on utilities will only become more prevalent, and utilities across sectors should expect to be targeted.
A Unique Security Challenge…
In general, device security depends on real-time visibility, mitigating vulnerabilities as they are inevitably discovered, and recognizing telltale signs of threat behavior within device traffic so that attacks can be halted in their earliest stages. OT and IoT device security is particularly challenging because these devices may crash under the strain of active scans. IT and security teams must therefore reserve active scanning techniques, such as direct device queries or SNMP polling, for devices able to handle them, and rely on passive traffic analysis for less resilient devices.
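The passive approach described above can be illustrated with a small script. This is an added example and not code from the article or from Asimily; the device table, the "fragile" flag that marks devices as passive-monitoring-only, the industrial port list and the NetFlow-style records are all constructed for illustration. It builds a baseline of which peers normally talk to each OT device, then flags flows in a later window that come from a peer the device has never been seen talking to, without sending a single packet to the device itself.

```python
"""Passive OT/IoT visibility from flow records.

Added example (not from the article). Assumptions, all constructed:
  - DEVICES: an inventory keyed by IP with a 'fragile' flag for devices
    that must never be actively scanned.
  - Flow records as 'src,dst,proto,dport,bytes' lines, as a collector
    would export them.
"""
from collections import defaultdict

# Constructed inventory: fragile devices get passive monitoring only.
DEVICES = {
    "10.1.0.10": {"name": "plc-pump-1", "class": "plc", "fragile": True},
    "10.1.0.11": {"name": "rtu-sub-7", "class": "rtu", "fragile": True},
    "10.1.0.50": {"name": "hmi-ops-1", "class": "hmi", "fragile": False},
    "10.2.0.5": {"name": "eng-ws-3", "class": "workstation", "fragile": False},
}

# Industrial protocol ports we care about (well-known defaults).
OT_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip"}

# Constructed baseline window: the HMI is the only peer of the PLC and RTU.
BASELINE_FLOWS = """\
10.1.0.50,10.1.0.10,tcp,502,1200
10.1.0.50,10.1.0.11,tcp,20000,900
10.1.0.50,10.1.0.10,tcp,502,1300
"""

# Constructed observation window: an engineering workstation appears as a
# new Modbus talker to the PLC.
OBSERVED_FLOWS = """\
10.1.0.50,10.1.0.10,tcp,502,1250
10.2.0.5,10.1.0.10,tcp,502,64
10.1.0.50,10.1.0.11,tcp,20000,880
"""


def parse_flows(text):
    """Parse 'src,dst,proto,dport,bytes' lines into tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, nbytes = line.split(",")
        flows.append((src, dst, proto, int(dport), int(nbytes)))
    return flows


def build_peer_baseline(flows):
    """Map each OT device to the set of (peer, port) pairs seen talking to it."""
    baseline = defaultdict(set)
    for src, dst, _proto, dport, _nbytes in flows:
        if dport in OT_PORTS:
            baseline[dst].add((src, dport))
    return baseline


def find_new_talkers(baseline, flows):
    """Return OT-port flows whose (peer, port) pair was absent from the baseline."""
    alerts = []
    for src, dst, _proto, dport, _nbytes in flows:
        if dport in OT_PORTS and (src, dport) not in baseline.get(dst, set()):
            alerts.append({
                "device": DEVICES.get(dst, {}).get("name", dst),
                "peer": DEVICES.get(src, {}).get("name", src),
                "protocol": OT_PORTS[dport],
            })
    return alerts


def choose_assessment_mode(ip):
    """Fragile or unknown devices are only observed passively; others may be queried."""
    dev = DEVICES.get(ip)
    if dev is None or dev["fragile"]:
        return "passive"
    return "active"


if __name__ == "__main__":
    base = build_peer_baseline(parse_flows(BASELINE_FLOWS))
    for alert in find_new_talkers(base, parse_flows(OBSERVED_FLOWS)):
        print("new talker:", alert)
    for ip in DEVICES:
        print(DEVICES[ip]["name"], "->", choose_assessment_mode(ip))
```

Unknown devices default to passive handling, since a device that is not yet in the inventory is exactly the one whose tolerance for active probing is unknown. In practice the baseline would be learned over a longer window and the alert would be enriched with the protocol function code (for example, a Modbus write versus a read), but the shape of the check is the same.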
Many OT devices and their protocols—including those used in SCADA systems—are also antiquated from a security perspective, offering ample opportunities for today’s attackers to exploit. For this reason, the same authorities that issued the joint alert on pro-Russian hacktivist activities also cite the responsibility of OT device manufacturers to design products that meet modern security challenges.
By their nature, utilities tend to be particularly vulnerable because of their dispersed physical infrastructure footprint. Centralized security teams can struggle to maintain visibility into remote substations and other peripheral sites, allowing attacks to advance with less notice or resistance. Thin network connections, such as LTE at peripheral sites, can also contribute to slow attack responses. Attackers that gain entry at remote sites can then wreak havoc at those locations or go on to compromise entire systems.
…Calls for a New Approach
Utilities must embrace a new strategy that swaps out traditional notions of perimeter security for a modern OT and IoT approach, one focused on detecting anomalous behavior and securing traffic and data regardless of location. The goal is centralized visibility into the complete inventory of every OT and IoT device across a utility’s entire infrastructure, backed by discovery and auditing capabilities and supported by strong governance.
Crucially, an effective strategy should also focus on assessing and prioritizing risk, based on the specific devices in use, their known vulnerabilities and their use cases in the network. Many OT and IoT device vulnerabilities cannot be exploited given the device’s actual connectivity and context, or simply don’t align with likely attacker tendencies, and therefore pose little to no risk. Correctly assessing device-based risk this way allows utilities to concentrate resources and maximize protections around the most likely and dangerous threats. This practice also helps utilities navigate scenarios where existing OT or IoT devices carry acknowledged vulnerabilities but are nevertheless mission critical to operations—and therefore difficult to replace. In many cases, an appropriate risk assessment will find that such vulnerabilities don’t present a practical threat, which is welcome news and frees up more effective responses to the real issues.
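The contextual prioritization the paragraph above calls for can be made concrete with a small scoring routine. This is an added example, not code or a scoring scheme from the article or from Asimily; the weights, exposure factors and the three findings are assumptions constructed for illustration, and the vulnerability ids are placeholders rather than real CVEs. It shows the point the paragraph makes: a critical-severity bug on a mission-critical but isolated PLC whose vulnerable service is not reachable ranks below a medium-severity bug on an internet-exposed gateway.

```python
"""Context-aware risk prioritisation for OT/IoT findings.

Added example (not from the article). The factors and weights below are
assumptions for illustration, not a published methodology.
"""
from dataclasses import dataclass

# Assumed likelihood multipliers by network exposure of the device.
EXPOSURE_FACTOR = {"internet": 1.0, "it_reachable": 0.6, "ot_only": 0.3, "isolated": 0.05}


@dataclass
class Finding:
    device: str
    vuln_id: str              # placeholder id, not a real CVE
    cvss: float               # base severity, 0-10
    vector: str               # "network", "local" or "physical"
    exposure: str             # key of EXPOSURE_FACTOR
    service_reachable: bool   # is the vulnerable service reachable from that zone?
    exploit_public: bool      # is working exploit code known to be circulating?
    criticality: int          # 1 (convenience) .. 5 (loss of service or safety impact)


def contextual_score(f: Finding) -> float:
    """Score = 10 * likelihood * impact, with likelihood driven by context."""
    # A network-vector bug whose service cannot be reached from the device's
    # exposure zone is hypothetical; give it a floor rather than zero so it
    # is still tracked.
    if f.vector == "network" and not f.service_reachable:
        likelihood = 0.05
    else:
        likelihood = EXPOSURE_FACTOR[f.exposure]
        if f.vector != "network":
            likelihood *= 0.5  # needs local or physical access regardless of exposure
    if f.exploit_public:
        likelihood *= 2.0      # matches what attackers actually use
    likelihood = min(likelihood, 1.0)
    impact = (f.cvss / 10.0) * (f.criticality / 5.0)
    return round(10.0 * likelihood * impact, 2)


def prioritise(findings):
    """Return findings ordered from most to least contextual risk."""
    return sorted(findings, key=contextual_score, reverse=True)


# Constructed findings for three devices at a hypothetical water utility.
FINDINGS = [
    Finding("legacy-plc-intake", "VULN-PLACEHOLDER-1", 9.8, "network",
            "isolated", service_reachable=False, exploit_public=True, criticality=5),
    Finding("cellular-gateway-sub7", "VULN-PLACEHOLDER-2", 7.5, "network",
            "internet", service_reachable=True, exploit_public=True, criticality=4),
    Finding("eng-ws-3", "VULN-PLACEHOLDER-3", 8.8, "local",
            "it_reachable", service_reachable=True, exploit_public=False, criticality=3),
]


if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"{contextual_score(f):5.2f}  {f.device:24s} {f.vuln_id} (CVSS {f.cvss})")
```

Sorting by CVSS alone would put the legacy PLC first; the contextual score puts it last because the only path to the vulnerable service does not exist, which is the kind of result that lets a team keep a mission-critical device in service with compensating controls while spending effort on the gateway that is actually exposed.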
Attackers Won’t Wait
Any successful OT and IoT security strategy will feature both robust protections and expedient deployment. Utilities that tie their security strategies to major long-term projects with far-off completion dates are choosing to remain exposed to today’s hardworking attackers. Utilities that prioritize and fast-track OT and IoT safeguards will achieve effective risk reduction far sooner, and present hard targets to attackers, whatever their motivations.
Shankar Somasundaram is the CEO of Asimily, an IoT risk management company. Previously, Shankar worked on IoT analytics and security solutions at Symantec.