The Slovakian cybersecurity firm, ESET, in collaboration with Ukraine’s CERT-UA, recently analyzed and reported a new variant of malware, known as Industroyer2. The malware was found attacking high-voltage electrical substations in Ukraine. The original version of the malware, also known as “Crash Override,” was first used in 2016 by the Russia-based Sandworm APT group to compromise Ukrainian power grids, causing a power outage in the capital city, Kyiv.
In addition to deploying Industroyer2, attackers also unleashed several wipers and destructive malware for systems running Linux and Solaris with an intent to render the machines inoperable and prevent energy operators from retrieving the industrial control system (ICS) consoles.
Reports suggest that the new variant has been developed specifically to manipulate and disrupt SCADA/ICS systems. According to IronNet, the new variant “directly interacts with electrical utility equipment to send commands to the substation devices that control the flow of power.”
Attacks on power and utility companies are an increasingly worrying threat. From the Stuxnet malware attack on the Iranian nuclear facilities in 2010 to the attack on the Ukrainian power grid in 2016 to the Colonial Pipeline attack in 2021—cyberattacks have been on the rise, growing both in frequency and sophistication.
When Power and Utilities Are Attacked, The Effects Are Catastrophic
The Colonial Pipeline attack clearly illustrated how debilitating the effects are when a critical infrastructure takes a hit. It is not just about data loss but massive infrastructure failures, critical operations getting disrupted, essential services being cut off, panic and chaos spreading like wildfire, the nation’s economy plummeting, and, more importantly, people’s lives being endangered.
The discovery of the Apache Log4j vulnerability is another example that highlighted the effects of a security breach in critical infrastructure organizations. The Log4j logging library is widely used in operational technology products to log security and performance information. The remote code execution vulnerability meant an attacker could download and execute a malicious payload and take over affected machines. In a power grid setting, the severity of such a breach could be unfathomable.
In response to this critical discovery, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive urging organizations to audit all internet-facing applications, websites, and systems for Log4j vulnerabilities and patch or remove them to mitigate the threat.
Digitalization and Lax Security Measures Make Power and Utilities a Ripe Target
In an effort to drive efficiency, profitability, and sustainability, the power and utility sector is undergoing a radical transformation. There is an extensive convergence of OT (Operational Technology) and IT (Information Technology) environments, integration of renewable energy with power grids, and rapid adoption of Industrial Internet of Things (IIoT), such as smart meters, sensors, wireless modules, and monitoring systems. While these “smart” initiatives are necessary to meet changing demands, they are also giving rise to serious security risks.
The global energy crisis and the big push for net-zero emissions are driving a rapid integration of renewable energy sources and power grids. The integration involves modernizing the power grid with a host of new technologies for energy storage, transmission, forecasting, etc. This has resulted in a steep increase in grid communications, making the assets vulnerable.
Interconnecting the once air-gapped OT systems with IT has dramatically expanded the attack surface. As OT systems were primarily built to deliver on “high availability,” security has always been an afterthought. These legacy systems are rarely patched, maintained, or replaced—making them highly accessible and vulnerable to attacks.
Another growing risk factor is the manipulation of IoT-based devices. Because of their distributed location, insecure communication channels, and outdated software, these connected devices have become soft targets for attackers.
The supply chain is another area that poses an enormous risk for power and utility companies. Threat actors are becoming increasingly adept at exploiting the trust placed in third-party vendors and partners. The lack of strong authentication and access controls has led attackers to use less secure vendor networks as bridges to break into bigger, more secure networks.
Besides cyber risks, regulatory compliance is another area of challenge for power and utility companies. Regulatory bodies, such as the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC), and Biden’s recent executive order on cybersecurity continue to mount pressure on the sector to tighten security, regulate access, and improve resilience, increasing the burden on security teams.
PKI Evolves to Meet Digital Security Needs
Public key infrastructure (PKI) is rising to the security challenges of power and utility companies by offering two critical security solutions—authentication and encryption.
Providing secure access to network assets is pivotal to securing interconnected IT-OT environments. Digital certificates help meet this requirement by embedding identities into machines and authenticating them every time a machine requests network access. Verifying the identities of machines helps ensure only authorized machines are provided access, keeping the high-risk OT environments and the supply chain always protected.
To proactively defend against increasing access and credential-based attacks, security experts recommend enforcing multi-factor authentication (MFA). Typically, organizations implement MFA using secret PINs and one-time passwords, which carry the inherent drawbacks of being stolen or shared, defeating the very purpose of using them. PKI fills this gap by offering secure passwordless authentication through digital certificates. Here, the private key, akin to a password, is never shared, making it more secure than passwords.
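The machine authentication described in the two paragraphs above comes down to one check at the network access point: the presented certificate must chain to a root the operator trusts and must be valid for client authentication. The Go program below is an added example (not code from the original article or from any vendor) that builds a hypothetical utility root CA, issues a device certificate from it, and shows that a certificate for the same device name issued by an untrusted CA is rejected. The CA and device names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair. In deployment the device's private key
// is generated on the device and never leaves it.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCA builds a self-signed root CA certificate (hypothetical utility CA).
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueDeviceCert has the CA sign a client-authentication certificate for one
// device identity (e.g. an RTU in a substation).
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string) *x509.Certificate {
	devKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// authorizeDevice is the check the access point runs: the presented certificate
// must chain to the operator's trusted root and carry the clientAuth usage.
// It returns the verified device identity, or an error if access is denied.
func authorizeDevice(trustedRoot, presented *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := presented.Verify(opts); err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

func main() {
	utilityCA, utilityKey := makeCA("Example Utility Root CA")
	rogueCA, rogueKey := makeCA("Untrusted CA")

	// Same device name, but only one certificate chains to the trusted root.
	good := issueDeviceCert(utilityCA, utilityKey, "rtu-substation-07")
	bad := issueDeviceCert(rogueCA, rogueKey, "rtu-substation-07")

	if id, err := authorizeDevice(utilityCA, good); err == nil {
		fmt.Println("access granted to", id)
	}
	if _, err := authorizeDevice(utilityCA, bad); err != nil {
		fmt.Println("access denied:", err)
	}
}
```

The point of the second check is that identity comes from the chain of trust, not from the name in the certificate: a device presenting the right name under the wrong issuer is refused. In a real deployment the same verification happens inside a mutual TLS handshake, and the trusted root pool is the operator's own CA rather than the public web PKI.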
As digital certificates are installed on systems, workloads, and applications, organizations can get deep visibility of all IT and OT assets and efficiently control and secure them, wherever they are. This ability to enforce location-independent security in cloud-based architectures is one of the biggest advantages of PKI.
When it comes to IoT devices, PKI helps shift from device-focused security to identity-focused security. Digital certificates can be provisioned to IoT devices right off the assembly line, which supports conditional access and protects the devices from tampering before they are installed at the grid operator.
In addition, PKI helps implement software and application security for IoT devices via code signing. It is a practice that ensures only the correct version of software/firmware is installed on IoT devices, reducing the risk of compromise. Code signing is also an excellent means of authenticating third-party software and ensuring it is safe to use. By validating the origin and integrity of the code, organizations can effectively defend against supply chain attacks.
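The origin-and-integrity check that the paragraph above attributes to code signing is shown below as an added Go example (not code from the original article or from any vendor or device firmware). A hypothetical vendor signs the SHA-256 digest of a firmware image with its private key; the device, holding only the vendor's pinned public key, re-hashes the image it received and verifies the signature before installing it. The firmware bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// generateVendorKey creates the vendor's signing key pair. Only the public
// half is ever provisioned to devices; the private half stays with the vendor.
func generateVendorKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// signFirmware produces a detached ECDSA signature (ASN.1 DER encoded) over
// the SHA-256 digest of the firmware image. This runs in the vendor's release
// pipeline, not on the device.
func signFirmware(vendorKey *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, vendorKey, digest[:])
}

// verifyFirmware is the check a device runs before installing an image:
// recompute the digest of what was actually received and verify the signature
// against the pinned vendor public key. Any modification of the image, or a
// signature made with some other key, fails verification.
func verifyFirmware(vendorPub *ecdsa.PublicKey, image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ecdsa.VerifyASN1(vendorPub, digest[:], sig) {
		return errors.New("firmware signature invalid: image rejected")
	}
	return nil
}

// tamper returns a copy of the image with a single byte flipped, standing in
// for a modified or trojaned update.
func tamper(image []byte) []byte {
	out := append([]byte(nil), image...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	vendor := generateVendorKey()
	// Constructed stand-in for a firmware image.
	image := []byte("RTU-FW v2.3.1: constructed firmware image payload")

	sig, err := signFirmware(vendor, image)
	if err != nil {
		panic(err)
	}

	// Genuine image from the genuine vendor: accepted.
	fmt.Println("genuine image:", verifyFirmware(&vendor.PublicKey, image, sig))

	// Same signature, modified image: rejected.
	fmt.Println("tampered image:", verifyFirmware(&vendor.PublicKey, tamper(image), sig))

	// Image signed by someone who is not the vendor: rejected.
	impostor := generateVendorKey()
	badSig, _ := signFirmware(impostor, image)
	fmt.Println("impostor signature:", verifyFirmware(&vendor.PublicKey, image, badSig))
}
```

The device-side function only needs a public key, so it can run on constrained hardware and in an offline substation. Production schemes add a version counter or timestamp to the signed data so that a validly signed but older, vulnerable image cannot be replayed onto the device.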
Given the highly sensitive nature of data that power and utility companies deal with, data integrity is non-negotiable. Digital certificates also meet this requirement by providing end-to-end data encryption, both at rest and in transit. This helps ensure all transactions and communications between IT and OT systems, IoT devices, and cloud applications remain insulated from attacks. Further, securing applications and workloads with a certificate issued by a trusted certificate authority (CA) also helps significantly improve compliance.
Securing the Future of Energy with Proactive Steps
Cybersecurity risks are a growing concern in every industry, and the power and utility sector is certainly not an exception. So, the best way to secure critical infrastructure while providing reliable and affordable services is to take a defense-in-depth approach and adopt agile security practices.
With identity at its heart, PKI is a great fit for hyper-connected, “smart” environments. With its ever-evolving nature, PKI has come a long way from being simply about installing a TLS certificate to addressing multiple business use cases, such as DevOps and IoT. Solutions such as PKIaaS immensely simplify the process of getting started with and using PKI, making it easy for organizations to make the most of it.