A few researchers plugged their laptop into a spot behind the dashboard of the Tesla Model S and started the car with a software command at a digital security conference this month. Even scarier: they planted a remote-access trojan while the laptop was plugged in and then cut the engine from the same laptop while someone else was driving later. That very night, Tesla sent out a patch to correct the vulnerability.
A few weeks earlier, two hackers– from their house 10 miles away– cut the transmission of a 2014 Jeep Grand Cherokee as the driver, who volunteered to be the guinea pig, tried to climb a long overpass outside of St. Louis. Chrysler has since recalled 1.4 million vehicles because of the vulnerability.
Now think about that happening with a power plant or substation. As the number of connected devices on utility plants rise, without proper protections, the plant’s vulnerability to a large-scale cyber attack rises as well. Utility companies are a frequent target of hackers; the average number of detected cyber attacks rose six-fold for utility companies this year.
Securing the Industrial Internet of Things creates an obstacle for utility companies’ information security strategy. Although the proliferation and sharing of data translates to more effective operations and climbing profits, making sure that the devices that share that data are secure is a significant upfront investment. Many manufacturers equip IoT devices with the minimum processing power required, which will render encryption and other robust security measures not possible. Disposing of these connected devices also poses a risk, especially for the devices that consumers maintain and own; how do you make sure that devices are taken offline and corresponding data cannot be mined at a later time? If you do discover a security threat, will you be able to send out a patch within 24 hours as Tesla’s team did?
For utility companies especially, because many don’t manufacture their hardware, firmware or software, they are often at the mercy of the manufacturer to not make these shortcuts with connected devices. Even if a utility company has the utmost trust in a vendor, the burden will ultimately always lie on the utility company to ensure assets’ security posture and assess the level of risk.
Taking a vigorous approach to asset procurement and monitoring will still fail to account for the far and away most significant threat to cyber security: humans, and more specifically, humans’ errors. According to IBM’s 2014 Cyber Security Intelligence Index, 95 percent of cyber security incidents involved human error. An employee reads an interesting subject line, opens the email and then clicks a link to download virus-laden material. An employee uses their work computer to access a spyware-infected site during a lunch break. These incidents happen all the time.
To address these concerns, companies need to expand the scope of corporate IT departments. As information from machines out in the field evolves from communicating with one another to communicating with the network, so too must Corporate IT and IT security professionals expand their security domain to include the machines and people out in the field– because the Internet of Things can make it possible for those machines and people to serve as entry points for malicious software.
What Companies Can Do
- Reposition your security investment. Sony, TJ Maxx, Target, Home Depot– the data breaches at these companies show that security isn’t just a cost center to be minimized, but an investment into your long-term reputation and relationship with the customers you serve. In a business case decision, security should rank above interoperability and user convenience.
- Be vigilant. If you are building your own applications, stay vigilant with protection against the latest threats. Make sure you are aware of new threats by checking sites like KrebsOnSecurity and checking out the ZeroDay Weekly blog. If you work with third-party vendors, establish who is responsible for maintaining the software, including issuing a patch when a vulnerability is exposed.
- Train employees. The Global State of Information Security® Survey 2015 revealed that utility company employees have noticed that information security fundamentals of having a formal information security policy and employee training programs are less of a priority. In a different survey from a few years earlier, 71 percent of energy industry respondents said that C-level executives did not understand or failed to appreciate the security initiatives in their organizations.
Utility companies embracing Internet of Things technology need to be aware and proactive about the security risks that come with the advancements. Don’t wait for a major attack to cause an outage or hackers to steal data from customers; it will be too late.