Is cyber attacks on utilities the greatest future threat facing our nation? The next major terrorist attack may not be a bomb going off in a public place. It’s possible that it won’t be a hijacking or a mass shooting. Instead, the next terror attack that is felt around the world could begin with a laptop. Or perhaps, a group of people with multiple laptops. What will they be targeting? If experts are to be believed, they could hit water and utility supplies.
Many people don’t realize that these systems are now almost completely run and managed by computer-based systems. Automated systems determine whether your home has water, electricity, and heat. Let’s dive into this terrifying scenario and discover what it could mean as well as what utility companies should be doing to keep their customers protected.
How Long Can You Survive Without Water And Electricity?
The average life expectancy of someone without water is around three days with some lasting as long as ten. Of course, a hit to your water supply won’t necessarily leave you with nothing to drink immediately. There are still shops and stores, but what about electricity? Now, there’s an issue because you might have no way to cook food or keep it cold. Would you survive?
You perhaps could by going back to basics with lit fires on stoves outside, but it wouldn’t take long before issues started to arise that weren’t so easy to deal with. For instance, imagine if the hack occurred in the middle of winter. That’s a whole different ball game and if you can’t keep warm, then you’re in serious trouble. You could perhaps purchase gas but this would lead to both issues with supplies and rations. Ultimately, the situation could become dire in a matter of months.
It’s situations like this that cause people to become desperate. Crime rises, there’s an increased level of violence, and it will certainly impact the economy. Don’t forget if the lights are out, literally, businesses cannot operate either. It’s not just homes. Every building in the area could be impacted. Some businesses have backup generators but even these don’t last for long and will only continue to run for a matter of days.
The truth is that we’d like to believe that we would handle this type of scenario and be able to endure. But the world has changed and you’d be surprised how dependent you are on electricity. It might even take a day of a city being held to ransom before things become dangerous and grow quickly out of control.
In the short term, people would survive a power outage. However, in the long term things could be far more bleak. Food would run out in just weeks. Perhaps the most frightening aspect of a hack like this is involves nuclear power. Electricity is needed to keep these plants at the right temperature. A failure here is what caused issues at the Fukushima Daiichi complex in 2011.
How Real Is The Threat Of Cyber Attacks On Utilities?
According to experts, the potential for this type of attack is very real and could be part of our future. Why is this?
Well, the critical utility infrastructures you rely on and perhaps take for granted are severely outdated with crucial security flaws. Indeed, one study found that 67% of companies may have experienced at least one breach where there was a significant loss of data.
In addition, 64% of utility companies say they are desperate to take further action to prevent an attack and protect their customers. Despite this, 28% still claim that security is not one of the business’s top five priorities.
It seems that the media and many businesses are far more focused on the theft of customer data rather than a hack that could cripple core utility systems. Furthermore, despite the fact that 47% of breaches are due to employee mistakes, businesses aren’t putting the time or money into providing the training that these individuals need.
Where Is This An Issue?
It’s not a problem that is only impacting developing countries. This is an issue in countries around the world, including the UK, Brazil, and the United States.
All these countries have similar issues with security in their utility infrastructures. In the US there are sixteen critical infrastructure sectors that are maintained by the cybersecurity network. However, this does not mean that utility companies need to provide the same standard of security. The regulation here is far more open and it’s debatable whether these businesses are aware of the danger.
Why Aren’t The Systems Updated To Prevent Cyber Attacks On Utilities?
There are a few reasons why the systems in place have not been provided with the necessary updates. This includes:
- Reliance on old systems
- The need to avoid disruption by taking them offline for replacement.
- An expensive requirement
More security could actually lead to delays in the system and cause issues with power supplies as well as water. As such, attempting a fix in some cases could ironically cause the issue that businesses would be trying to prevent, albeit on a far smaller scale.
It’s also difficult to provide a significant level of cause or reason for businesses to front the cost to upgrade their security standards. We may only see upgrades once a critical breach has occurred.
Who Will Be Responsible?
While it is possible that utility companies could be targeted to seek customer data for theft, it is far more likely and worrying that a utility company will be targeted for political purposes. This could be a terrorist group or it may even be from the government of another country.
There has been a high level of scrutiny into whether Russia dabbled in the US election. The next hack could involve power supplies. Experts believe that various countries are aware of the control systems in place and could tamper with them if there was a benefit in doing so.
What Can Utility Companies Do?
Let’s assume that companies were willing to take the necessary steps to protect their customers from a potentially devastating hack. What steps could they take?
Check The Systems
It is possible for utility companies to check for potential flaws in their systems. Apparently, certain power companies have already run these checks and even fixed software bugs that could have left them vulnerable. There are also reports of businesses hiring hackers to see how easy it is to access their systems. This is called a simulated breach.
Businesses should also make sure that they are looking at where the systems are vulnerable. It’s important to note that this isn’t just about providing the right level of security for an online network. If a hack does occur, the hackers will need to access the buildings as well. This is going to require a wide range of different tools and strategies. A business should work to understand these strategies and make sure that the right layers of protection are in place. A hack on a business can occur relatively quickly and hackers could access a power company in a matter of days.
There are standards and regulations in place that utility companies should be held to. One example of this is the North American Electric Reliability Corporation (NERC). They provide a list of rules on how to make sure that power grids are protected from potential vulnerabilities. In total there are nine standards and forty-five requirements. These cover everything including:
- Protection of cyber assets
- Training for personnel
- Security management
- Disaster recovery
Upgrading Cyber Security
Of course, ultimately the main plan should involve upgrading the cybersecurity that is already in place. It’s true to say that the IoT has lead to many vulnerabilities for power grids that are critical for cities across the country. Hackers can even now utilize tools that make gaining entry through typical defenses a breeze. This isn’t like protecting a standard computer. Firewalls and antivirus software won’t be enough but it is unfortunately what many businesses are relying on.
Companies will need to go further than this with remote terminal units, gateway controllers, and intelligent edge devices. The main point here is to prevent a hack rather than planning on how to recover from it.
Without the right steps in place, utility companies are leaving open a threat which could impact:
- The safety of consumers
- The national and international economy
- The critical public services including healthcare systems
Would The Country Recover?
You might assume or at least hope that if cyber attacks on utilities did occur the country would recover. But don’t be so sure. First, it’s worth noting that this type of hack has actually already happened. Russia hit the Ukraine power grids with a hack back in 2015. During that time US companies discovered that the same malware used for the hack was present on their systems. As such, it may only be a matter of time before this is at the very least attempted.
The US systems are also weaker than Ukraine. Luckily, the country was able to restart systems and get things back up and running in hours. But due to the fact that the systems in the US are automated and more advanced, it could take days or potentially even weeks to return to normal. It would require a complex fix and that’s assuming that the government was even able to access the systems. Theoretically, once they had access the hackers could hold the country hostage for an extended period.
At BitLyft we can help utility companies protect their customers from cyber attacks on utilities and provide the crucial updates to systems necessary. We will work to ensure that you are not the business responsible for a devastating cyber attack on our shores.