How Energy and Utility Companies Can Optimize and Secure SCADA Networks
Protecting critical infrastructure is only one of many challenges organizations face.
Energy and utility companies rely on supervisory control and data acquisition (SCADA) networks and industrial control system (ICS) technology to provide connections to widely dispersed physical equipment. In recent years, the adoption of digital technologies has delivered valuable new capabilities to these systems, such as predictive maintenance.
But as the number of connections among these systems has increased, so has the attack surface for cybercriminals looking to exploit vulnerabilities. The threat to these systems is all the greater because of their importance as part of the critical infrastructure of the U.S. In this context, energy and utility companies should understand the important steps they can take to optimize the operation of their SCADA networks and protect them from cyberattacks.
[Statistic callout, figure not reproduced: the percentage of oil and gas companies that cite IT security as a driver of Internet of Things adoption. Source: Microsoft, “IoT Signals” (PDF), October 2020]
Security Threats Against SCADA Networks
Some headline-making attacks on industrial control networks show just how important it is for organizations to carefully design, deploy and manage their SCADA systems.
Alabama: In May 2021, a ransomware attack forced one of the nation’s largest fuel pipeline operators to shut down its entire network for several days. The FBI stated that DarkSide, a criminal group that operates out of Russia, was responsible for the attack. Disruptions caused by the ransomware cascaded throughout the U.S. energy sector, affecting 45 percent of the East Coast’s supply of diesel, gasoline and jet fuel and leading to increases in gas prices at the pump for consumers.
Florida: In early 2021, an attacker came perilously close to poisoning the water supply of the 15,000-person city of Oldsmar, Fla. The hacker likely accessed the system by exploiting cybersecurity weaknesses such as poor password hygiene and an outdated operating system. After gaining access to the system, the attacker used remote access software to raise the level of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million for a few minutes. Luckily, a plant manager noticed the hack as it unfolded and was able to return the system to normal before the tainted water could hit the public supply.
Ukraine: In late 2015, hackers compromised the IT networks of three energy distribution companies, disrupting the supply of electricity to consumers in the first known successful cyberattack on a power grid. The hackers used spear phishing emails with malware to seize control of SCADA assets, remotely switching off substations and disabling or destroying infrastructure such as uninterruptible power supplies, modems, remote terminals and communicators.
Security may be the most pressing SCADA-related challenge, but it is far from the only one. Organizations seeking to deploy and manage SCADA systems often struggle with systems integration, remote locations with poor connectivity, harsh or rugged conditions that are inhospitable to most technology devices, and regulatory compliance. Additionally, organizations must find efficient ways to securely provide data from SCADA networks to other stakeholders across the enterprise.
These challenges highlight the importance of crafting an overall strategy to guide SCADA implementation and management. Project leaders must understand their organization’s environment and business objectives, and also understand exactly how different pieces of an industrial control network will interact. The use of third-party standards — such as the Risk Management Framework and SCADA guidance from the National Institute of Standards and Technology — can inform an organization’s overall security strategy.
For many organizations, an effective SCADA strategy will incorporate services from a trusted third-party partner. Key services that can help a company optimize its SCADA systems include vulnerability management, application monitoring, incident response and human safety assessments.
Vulnerability Management Plan
Assessing network vulnerability starts with an inventory of network assets. After all, it is impossible to conduct a vulnerability assessment if stakeholders aren’t aware of all of the devices, data sources and equipment attached to a network. Many traditional vulnerability management platforms conduct network scans, which are often a poor choice for SCADA networks. Connected equipment can react poorly to a ping or a scan, and in these instances, organizations need to be able to detect what is on their network (and associated vulnerabilities) without a traditional scan of the network. In such cases, passive vulnerability scanners can be a good fit. These passive scans can detect which systems are talking to each other and what firmware versions and code are running — without interfering with SCADA operations.
Application Monitoring
By consistently monitoring applications, organizations can minimize the traffic running on their networks, limiting it to only the applications that are absolutely necessary to maintain operations. This prevents unwanted applications from being introduced to the network, whether by employees plugging devices into the network or by hackers determined to load malicious software. To best protect their SCADA networks, organizations should take a whitelisting approach, being explicit in what they allow and denying everything else by default. Application monitoring efforts should also track these whitelisted applications to ensure they are behaving as expected.
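The two preceding sections describe passive asset discovery (learning which systems are talking to each other, and what firmware they report, without sending a single probe) and a deny-by-default whitelist of allowed applications. The following Python script is an added example that is not code from the article or from CDW; it shows how both fit together on a small constructed sample. The flow records, IP addresses, protocol names, banner strings and the allowlist are all assumptions made up for the illustration, in the shape of summaries a passive sensor on a SPAN port or network tap might export.

```python
"""Passive SCADA asset inventory plus a deny-by-default conversation allowlist.

Added illustration (not the article's or CDW's code). Nothing here touches
the network: the inventory is derived entirely from flow records that a
passive sensor has already captured, so fragile PLCs and RTUs are never
pinged or scanned.
"""
from dataclasses import dataclass, field

# Constructed sample flows: (src_ip, dst_ip, dst_port, protocol, banner).
# "banner" is whatever identification string the sensor extracted from the
# traffic (for example a Modbus "Report Server ID" reply); None if none seen.
OBSERVED_FLOWS = [
    ("10.1.1.10", "10.1.2.21", 502, "modbus", "PLC-A fw 2.4.1"),   # SCADA server -> PLC-A
    ("10.1.1.10", "10.1.2.22", 502, "modbus", "PLC-B fw 2.3.0"),   # SCADA server -> PLC-B
    ("10.1.1.11", "10.1.2.21", 502, "modbus", None),               # engineering ws -> PLC-A
    ("10.1.1.10", "10.1.3.5", 20000, "dnp3", "RTU-7 v1.9"),        # SCADA server -> RTU-7
    ("10.1.1.50", "10.1.2.21", 502, "modbus", None),               # never-inventoried host -> PLC-A
    ("10.1.2.21", "10.1.9.9", 443, "tls", None),                   # PLC-A initiating an outbound session
    ("10.1.1.10", "10.1.2.21", 502, "modbus", "PLC-A fw 2.4.1"),   # repeat of a normal poll
]


@dataclass
class Asset:
    """Everything the passive sensor has learned about one IP address."""
    ip: str
    roles: set = field(default_factory=set)      # "client" and/or "server"
    peers: set = field(default_factory=set)      # IPs it has exchanged traffic with
    services: set = field(default_factory=set)   # (port, protocol) pairs it serves
    banners: set = field(default_factory=set)    # firmware/version strings observed


def build_inventory(flows):
    """Derive the asset inventory purely from observed conversations."""
    assets = {}
    for src, dst, port, proto, banner in flows:
        client = assets.setdefault(src, Asset(src))
        server = assets.setdefault(dst, Asset(dst))
        client.roles.add("client")
        server.roles.add("server")
        client.peers.add(dst)
        server.peers.add(src)
        server.services.add((port, proto))
        if banner:
            server.banners.add(banner)
    return assets


# Explicit allowlist of permitted conversations (constructed for the example).
# Anything not listed is denied by default; there is no implicit "allow rest".
ALLOWED_CONVERSATIONS = {
    ("10.1.1.10", "10.1.2.21", 502, "modbus"),
    ("10.1.1.10", "10.1.2.22", 502, "modbus"),
    ("10.1.1.10", "10.1.3.5", 20000, "dnp3"),
    ("10.1.1.11", "10.1.2.21", 502, "modbus"),
}
KNOWN_ASSETS = {"10.1.1.10", "10.1.1.11", "10.1.2.21", "10.1.2.22", "10.1.3.5"}
# Expected behaviour of whitelisted assets: field devices only answer, they
# never initiate. A PLC that starts acting as a client is a deviation.
EXPECTED_ROLES = {
    "10.1.1.10": {"client"}, "10.1.1.11": {"client"},
    "10.1.2.21": {"server"}, "10.1.2.22": {"server"}, "10.1.3.5": {"server"},
}


def evaluate(flows, allowed=ALLOWED_CONVERSATIONS, known=KNOWN_ASSETS):
    """Return (inventory, unknown assets, conversations denied by default)."""
    inventory = build_inventory(flows)
    unknown = sorted(ip for ip in inventory if ip not in known)
    denied = sorted({f[:4] for f in flows if f[:4] not in allowed})
    return inventory, unknown, denied


def role_deviations(inventory, expected=EXPECTED_ROLES):
    """Whitelisted assets observed outside their expected role, with the extra roles."""
    return sorted(
        (ip, sorted(inventory[ip].roles - roles))
        for ip, roles in expected.items()
        if ip in inventory and not inventory[ip].roles <= roles
    )


if __name__ == "__main__":
    inventory, unknown, denied = evaluate(OBSERVED_FLOWS)
    for asset in inventory.values():
        print(f"{asset.ip}: roles={sorted(asset.roles)} services={sorted(asset.services)} "
              f"banners={sorted(asset.banners)}")
    print("unknown assets:", unknown)
    print("denied conversations:", denied)
    print("role deviations:", role_deviations(inventory))
```

On the sample, the inventory records PLC-A's firmware string and Modbus service without any probe, the never-inventoried host 10.1.1.50 and the outbound TLS peer 10.1.9.9 surface as unknown assets, both of their conversations are denied because they are absent from the allowlist, and PLC-A is reported as deviating from its expected server-only role. In a real deployment the flow list would be fed from the passive sensor's export and the allowlist and expected roles would be maintained as the authoritative description of what the network is supposed to do.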
Incident Response Playbooks
Too often, organizations lack a fully documented, formal response plan that can help guide their actions in the event of a major cybersecurity incident. Even when organizations have such plans in place, they may not have conducted robust testing to ensure their incident response playbooks are fully actionable. It is crucial to conduct activities such as red team and tabletop exercises to keep incident response plans up to date and give IT and business leaders the information they need to modify their plans in response to new threats. An aspect of incident response that is sometimes overlooked is public relations: When energy companies or utilities are breached, they often must explain themselves to a worried public and tense government officials. Organizations should take the time to develop policies that will allow them to publicly respond to incidents in ways that are both honest and helpful.
Human Safety Assessment
No asset is as important as the lives and safety of the people working at a facility (along with the lives and safety of the people served or affected by energy companies and utilities — such as the residents who were put at risk when hackers attacked the water supply in Florida). Organizations should conduct thoughtful, thorough assessments of how attacks on their SCADA networks could risk human safety, and then take appropriate steps to shore up those vulnerabilities.
To learn more about securing and optimizing industrial control systems, read the white paper “The Continuing Evolution of SCADA Networks” from CDW.