1660342916051 Jimrichberg2

Hardening the cybersecurity of today’s utilities

June 29, 2022
New requirements demand reporting significant cyber-incidents to the feds within 72 hours.

Fortinet's Jim Richberg

It’s no secret that critical infrastructure systems are at increased risk for cybersecurity attacks. At the federal level, President Biden has made it a priority for his administration and the Cybersecurity & Infrastructure Security Agency has issued repeat warnings that “every organization in the United States is at risk from cyber-threats that can disrupt essential services and potentially result in impacts to public safety.”  

Critical infrastructure entities will get priority support—but new reporting requirements will come as well, including the requirement to report significant cyber-incidents to the feds within 72 hours.

To understand how one area of critical infrastructure—public utilities—is evolving in terms of cybersecurity, the Utilities Technology Council and Fortinet recently examined utilities’ current approaches to protecting their operational-technology environments.

How utilities are approaching cybersecurity 

There’s some encouraging news: cybersecurity, at last, has a permanent seat at the planning table when it comes to critical business and technology goals for utilities. This is important since the two-way flow-data traffic between IT and OT networks is also a permanent feature. While many best practices for utility operational security have been implemented widely, significant vulnerabilities remain.

Among the survey findings: most utilities have adopted basic cybersecurity capabilities, such as firewalls, security-incident response, malicious-input detection and intrusion detection. And many utilities are planning to roll out a zero-trust access solution soon. Utilities typically impose restrictions on what traffic from enterprise IT networks is allowed into an OT network. Most utilities, in fact, use a combination of approaches to separate OT and IT systems, such as DMZs and firewall rules to serve as “isolators.” A DMZ network is a perimeter network that protects and adds an extra layer of security to an organization’s internal local-area network from untrusted traffic. Both these and firewalls are used by more than 80% of the survey’s respondents.

Identifying the gaps and how to address them

Analyzing the survey data reveals these strategies can help utilities ensure their cybersecurity programs are ready to tackle the demands of increasingly complex operating environments. 

·      Organizations should recognize that cybersecurity solutions are not one-size-fits-all. Each utility's security posture should be based on its individual risk-tolerance and resources.

·      Managers should spend time defining their organization’s cybersecurity requirements with internal stakeholders and communicating these to their security-technology providers.

·      Utilities should outsource annual firewall audits and penetration testing to a third party, and they should use auditors or testers who have experience in OT environments.

·      As utilities upgrade their security technology, they should invest in mesh cybersecurity architectures to leverage solutions that are integrated, rather than continue to buy point solutions limited to addressing single problems in isolation.

Your utility security plan

As IT and OT continue to converge, and core utility systems become more connected and more reachable via the internet, a new world of risk emerges. Cybersecurity needed to protect utilities in this evolving landscape is increasingly complex, necessitating a careful plan that involves the considerations and best practices noted above.

Jim Richberg is Fortinet’s field CISO for the public sector