- Oil and gas companies and electric utilities tend to have better cybersecurity than other sectors that are also increasingly reliant on the Internet of Things (IoT) and industrial control systems (ICS), Boston-based CyberX said in a report released Tuesday.
- However, the security firm's "2020 Global IoT/ICS Risk Report" concludes utility networks and unmanaged devices are "soft targets for adversaries." Many utilities use outdated operating systems and unencrypted passwords that leave them vulnerable, CyberX wrote.
- The report includes a recommended process for organizations to mitigate cyber risks, including "continuous monitoring" for behavioral anomalies that would impact IoT/ICS systems.
The regulated energy sector has various levels of oversight and critical infrastructure standards, making it somewhat more protected than other industries — but experts warn that is hollow praise when matched up against sophisticated adversaries.
CyberX's research assigned a median security score to industries, recommending its clients attain a minimum of 80 points out of 100. The oil and gas sector averaged 74 points; electric utilities averaged 70 points; the manufacturing sector scored 63; and the pharmaceutical and chemical sectors scored 62 points.
"Energy utilities are ahead of the other industrial sectors in terms of paying attention to security and eliminating vulnerabilities," CyberX VP of industry security Phil Neray told Utility Dive. "Whereas in some other industries, like manufacturing, that's not always the case."
The advantage is due to the widespread security regulations in place, Neray said, though "the regulations don't really go far enough," he added.
The National Institute of Standards and Technology is seeking technology vendors to help develop IoT solutions, potentially including sensors, network monitoring, system monitoring and data acquisition devices that could help secure the distributed grid. And the North American Electric Reliability Corp. maintains Critical Infrastructure Protection standards that aim to protect the bulk electric system.
But, says Neray, the regulations could do more. "For example, there is no regulation that says you should be continuously monitoring your operational control network so you can immediately detect unauthorized or suspicious activities ... in a sense, utility control and security teams are blind."
Continuous network security monitoring with behavioral anomaly detection is "a key security component in sustaining business operations," CyberX noted in its report. Detecting anomalous conditions "can improve the reliability of ICS in addition to providing specific cybersecurity benefits."
CyberX's report is based on data collected from 1,821 production networks, and the firm said real-world data highlights the dangers. More than 70% of sites monitored have outdated operating systems, according to the analysis, and 64% use unencrypted passwords. Two thirds of monitored sites lack automatic antivirus updates.
"Older and unpatched Windows systems are particularly vulnerable because attackers don’t need to exploit a zero-day vulnerability to successfully compromise them — they simply need to exploit known vulnerabilities that are publicly-documented in open source databases," the report said.
"We know there are older versions of Windows running in many utilities," said Neray. The report advocates for improved security practices that include addressing weak credentials and creating a manageable upgrade schedule.
And while companies are adding sensors and embedded devices to control networks, in order to monitor operations and boost efficiency, Neray cautioned these are often "essentially unmanaged." And industrial systems that may have once been "air gapped" from the internet are increasingly tied into corporate IT systems which are internet-connected.
"There are a lot of those systems in control environments," Neray said. "The only way to manage security for those devices is at the network level."
While the U.S. utility sector has so far managed to stave off attacks on the power grid, the threat continues to grow. Cybercriminals and nation state actors are both ramping up efforts, say security experts. The U.S. Government Accountability Office recently concluded ICS and the rise of distributed resources are making the nation's grid more vulnerable to attacks.
"As these smart devices get deployed, they increase the attack surface," said Neray. "Most experts recognize you can't prevent a determined and sophisticated attacker. They will eventually get in."