Securing the Industrial Internet of Things in the Utilities Sector

August 21, 2019

The French writer Jean-Baptiste Alphonse Karr once said, “Plus ça change, plus c’est la même chose,” which translates to, “The more things change, the more they stay the same.”

What does this have to do with the industrial internet of things (IIoT)? Clean water and reliable power are two elements of modern civilization that are easy to take for granted. Previous industrial revolutions have transformed what were once luxuries into everyday amenities for billions. Add to that the ubiquity of the internet, and it’s easy to argue that we’re living in the best period of human history.

But connecting the amenities of the second industrial revolution — clean water and reliable power — with the limitless capabilities of the fourth industrial revolution — the internet of things (IoT) and its close cousin the IIoT — has brought us one step closer to things staying the same. How? Because the more connected our amenities become, the more threats there are to their ongoing reliability.

A report from IBM’s Institute for Business Value (IBV) titled “Mind the Utilities Cybersecurity Gap” found that many executives working in the water and power industries are similarly worried about the risks that the IIoT poses to the resilience of their respective services.

The Pros and Cons of the IIoT in the Utilities Sector

The benefits of the industrial internet of things are hard to pass up. What’s not to like about the availability of cheap and connected alarms, sensors and readers (including meter readers), and other real-time monitoring equipment?

At the same time, however, all of these IIoT devices spew huge amounts of data that naturally flow across both corporate and unprotected networks. So it should come as no surprise that 24 percent of respondents to the IBV’s study listed devices and sensors as the most vulnerable parts of their IIoT deployments.

Yes, the IIoT has clear benefits, including the ability to collect real-time data to monitor the health of critical systems and improved efficiency and safety. But, as noted in the report, IIoT environments also have the potential to expose high-value assets and services to a larger attack surface. A poorly secured IIoT environment may not only allow for peeking into sensor readings, but could expose actual industrial control systems (ICSs), including those that ensure the availability and quality of the utilities we take for granted.

What Are Executives Worried About?

When asked about what they considered to be their top five IIoT cybersecurity risks, executives first listed the exposure of sensitive data — which, incidentally, might not have much of an impact on the quality/availability of water and power — followed by production disruptions resulting from sabotage. Nearly two-thirds of executives in both the power and water sectors are concerned about the potential the IIoT poses for disruption to their services.

The third risk identified is reputational damage, about which, again, almost two-thirds of executives from both sectors are concerned. The fourth risk is fines and regulatory violations, followed by damage to equipment due to manipulation of control systems.

When asked to rate the greatest barriers to improving the security of IIoT environments, executives pointed to several factors, including:

What does the IBV report recommend for utilities? First, create a solid foundation rooted in good cyber hygiene by integrating the IIoT into the enterprise risk management process and practicing your readiness to deal with IIoT-based incidents. You can then further enhance ICS security by leveraging the benefits that artificial intelligence (AI) can offer. We’ll explore both paths in more detail below.

Integrate IIoT Risks into the Enterprise Risk Management Process

As the report makes clear, IIoT risks should be managed at an enterprise level. Doing so requires formally establishing an IIoT security program, incorporating the IIoT into the life cycle of existing governance and security frameworks (e.g., NIST RMF and NIST IoT Core Security Baselines), and forming cross-functional teams that cover IT, OT, the IoT and the IIoT.

Organizations will need to identify critical data and assets, but also figure out the vulnerabilities present in newly acquired IIoT systems prior to deployment. This also requires cross-functional teams that bring in talent from operations, engineering, security and even IIoT vendors themselves.

Develop IIoT Incident Response Capabilities

Most organizations today already have incident response plans, but silos between IT, OT and the IIoT mean that incident response plans might not exist, or might not be up to date, when it comes to IIoT environments. One reason is that IIoT environments can change much more rapidly than OT (changes measured in decades) or IT (changes measured in years).

One of the best ways to evaluate the effectiveness and timeliness of an incident response plan is to put it to the test with cyber breach simulations or, for more realistic insights, via penetration testing and red team exercises.

Leverage AI and Automation to Focus on Signals, Not Noise

Utilities, such as power and water, are stuck between a rock and a hard place. They have a complex mixture of legacy OT technology built with, at best, security standards from decades ago, yet are also embracing IIoT devices and sensors at a breakneck pace. This leaves IT to figure out how to replace legacy systems with newer options that have ICS security baked in while also trying to keep up with the increased attack surface and network traffic generated by IIoT devices. Based on the report’s findings, both water and power companies have lots of room for improvement when it comes to leveraging more advanced tools for threat detection and response.

Moving forward means improving the organization’s ability to find unusual patterns of behavior that could signal a potential incident, as well as its ability to deal with actual incidents and prevent cascading failures. To that end, the IBV report recommends investing in AI and automation for monitoring and response.

Specifically, the report pointed to using machine learning to build models and track normal behaviors, to be supplemented by improved threat intelligence capabilities. Right of boom, utilities should leverage advanced monitoring and analytics to help incident responders home in on trouble areas quickly and correctly, thereby reducing the time window for an attacker to move laterally or burrow in deeper.

While the internet of things and industrial internet of things are taking over our homes and businesses, one thing remains constant: our need for clean water and reliable power. Going forward, achieving cyber resilience will increasingly depend on utilities improving their cybersecurity hygiene and ability to deal with a variety of cyber incidents.

Christophe Veltsos
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information ...