As Cyberattacks Surge, Utilities Must Safeguard Their Industrial Control Systems
Christopher Stangl and Steve Chapin
State-sponsored cyberterrorists are capitalizing on utilities’ legacy infrastructure and lax cybersecurity protocols
In 2013, state-sponsored actors from Iran gained remote access to an industrial control system (ICS) overseeing a small dam north of New York City. Their unauthorized access enabled them to retrieve information about the dam's operations, including water levels and temperature. Fortunately, the attack was thwarted—not by a first-rate cyber-defense team or manual controls, but by an immobilized sluice gate that had been disconnected for regular maintenance.
This is just one early example of a nation-state’s motivation to target American ICSs. More recently, the US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory detailing Chinese state-sponsored cyber actors attempting to preposition themselves on information technology (IT) networks for disruptive or destructive cyberattacks against US critical infrastructure. While some American companies have taken steps to secure their ICSs by adopting new IT and operational technology (OT) systems, they’ll need to do a lot more to prepare for politically motivated cyberattacks in the future.
Here are the most significant hurdles that utilities will encounter as they shore up their ICS defenses—and measures they should take to address them.
The Biggest Challenge Facing Utilities: An Aging Patchwork of Technology
The hardware and firmware that many utilities deploy today is decades old. While the hardware is often based on simpler 16- and 32-bit processors that lack the virtualization and security features of modern central processing units (CPUs), the larger issue is that the firmware is being deployed in complex environments—with concomitant security threats—for which it was not designed and developed.
To ensure backward compatibility with legacy control system software—and avoid the expense and operational risk of wholesale upgrades—many devices layer older operating systems over newer, more capable ones. These systems have become a patchwork of old and new technologies, in which older security issues not only remain but become more vulnerable through new features. Older devices also tend to have archaic ICS network stacks, such as the Ripple20 vulnerabilities found in the Treck TCP/IP stack in 2020.
In other words, just because this technology is decades-old doesn’t mean hackers aren’t still on the prowl for potential exploits. For instance, when utilities connect legacy devices to the internet, it inherently exposes them to vulnerabilities that were previously inconsequential. Many of these devices were not designed to navigate the security environment we’re in now, nor were they intended to be operated remotely.
How Utilities Can Secure Their Industrial Control Systems
Despite numerous technological hurdles, utilities can still make crucial security improvements and protect their critical assets. Below are a few key steps they should take:
Assess your risk
Utilities can start by identifying all IT/OT assets accessible through the internet. To gain a full understanding of how they are connected (and what data can pass through), executives should craft a robust network map and data-flow diagram.
With that done, they can undertake a comprehensive risk assessment that identifies key vulnerabilities, their likelihood of being exploited, and the impact that such an exploit would have on the organization and outside of it. Cybersecurity breaches of large power and water facilities, for example, can endanger not just a single utility, but national security and public safety.
Additionally, consider an independent risk assessment to evaluate existing policy, procedures, and cybersecurity controls. These assessments provide an external view of business risk, free of organizational bias, and are considered a best practice.
Use cybersecurity frameworks as a roadmap
Utilities should consider adopting one of the dozens of IT/OT cybersecurity frameworks aimed at preventing data breaches, system outages, or other disruptions. The National Institute of Standards and Technology Cybersecurity Framework 2.0, initially developed for use in the US government, is a great place start.
Adaptable across a broad range of industries and addressing key concerns in the private sector, the framework distills cybersecurity down to six easy-to-understand core functions: govern, identify, protect, detect, respond, and recover. CISA has also issued organizational cyber-defense guidance that can help organizations of all sizes reduce the likelihood of a cyberattack.
Meanwhile, the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) operatesthe Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, specifically aimed at working with manufacturers and utilities in the energy sector. CyTRICS performs testing of devices and systems, including vulnerability analyses of hardware, software, and firmware.
Determine necessity for remote monitoring
Remote monitoring—which enables operators to assess and control a facility through automation—can also offer cybersecurity benefits, allowing for the early detection of threat actors and the prevention of attacks on critical infrastructure.
Without proper technical implementation, however, remote monitoring can itself become a vector for cyberattacks. Before introducing this new technology, it is crucial to conduct a risk assessment to determine the probability of a threat actor exploiting a potential vulnerability. This will allow utilities to make strategic choices regarding adoption and implementation.
Build a defense against living-off-the-land attacks
A concerning rise in living-off-the-land (LOTL) attacks—fileless malware cyberattacks that use tools already present in the “environment” (including PowerShell or Windows Management Instrumentation)—has garnered attention from international cybersecurity authorities and the US government. In May 2023, for example, Microsoft uncovered targeted malicious activityaimed at critical infrastructure in the US, which was carried out by Volt Typhoon, a state-sponsored actor from China.
Attacks like these have the potential to undermine utilities’ IT/OT systems, destroy equipment, and bring their operations to a screeching halt. But that’s not all: there is evidence that Volt Typhoon has been able to maintain access to IT environments for five years or more, meaning a utility could already be compromised without knowing it.
To prevent these breaches, organizations need to ensure their security appliances are properly tuned. That could mean implementing multifactor authentication or rolling out network segmentation, which divides computer networks into multiple subnets so that administrators can control the flow of network traffic.
Integrate legacy IT and OT thoughtfully
Timed lighting, HVAC systems, elevators, and call routing—we tend to assume OT devices like these are unlikely to be hacked or disrupted because they’re not directly connected to the internet.
But as IT and OT converge—be it though computers, servers for remote monitoring, or other use cases—these technologies can become accessible via the internet and thus vulnerable to cyberattacks. Bad actors might get access to IT systems through unpatched gateways, firewalls, virtual private networks, and other vectors. From there, they can elevate their privileges, move laterally through the system, and remotely operate specific devices.
When contemplating a business decision to integrate IT and OT, consider frameworks, best practices, and guides to inform a secure process.
Conduct routine cybersecurity maintenance
There’s not a lot of time before a zero-day exploit—a software vulnerability unknown to its developers or owners—reaches a global audience through the internet. Cybercriminals can leverage various tools to identify vulnerable machines that have yet to be patched. As a result, ransomware operators exported $1.1 billion from over 4,000 victim organizations last year alone.
To avoid becoming a target, organizations should prioritize an active and committed patch management program. Should a utility be breached, it’s also important to have procedures and policies in place that can be deployed as swiftly as possible. These may include designating a crisis-response team and/or assigning specific roles to employees during a cyberattack. Finally, a crisis event should not be the first time these response and recovery procedures are cracked open. Incident response plans should be exercised at least annually, with board-level participation.
Act Now to Protect Critical Infrastructure
The exploitation of an internet-connected ICS could lead to catastrophic consequences for US utilities, the public, and the government.
This isn’t something that’s far off into the future. Cyberattacks are happening now, on our own soil. As geopolitical tensions continue to mount around the world, there has never been a better time for utilities to update and reinforce their critical infrastructure.
Christopher Stangl is a managing director in BRG’s Cybersecurity and Investigations practice. A veteran FBI Agent, he spent his law enforcement career investigating cybercrime, shaping national cyber policy, and working directly with private industry through the Federal Bureau of Investigation’s public/private partnerships.
Phone: 240.446.6603
Email: CStangl@thinkbrg.com
Dr. Steve Chapin has twenty-five years of experience working in academia and the US Department of Energy National Labs, publishing more than seventy research papers on computer security, operating systems, and distributed systems. His areas of expertise include software and firmware analysis, power grid security, and formally verified systems. He is an associate director at BRG.
Phone: 315.317.6082
Email: schapin@thinkbrg.com