The Internet of Things is invigorating energy and utility companies, enabling them to take advantage of new business-enhancing and cost-saving technologies and practices. IoT offers, among many other things, the continuous monitoring of widely distributed operations, automated remote infrastructure control and the deployment of efficient smart-grid technologies.
Most importantly, IoT devices generate a continuous stream of Big Data, opening the door to deeper business insights and more informed decision-making.
But these benefits come with some risks. As organizations invest deeply in IoT-enabled monitoring, automation and data-gathering technologies, security risks grow, magnified by the fact that critical infrastructure is an irresistible target for cyberattackers.
“Utilities have a great deal of experience installing and managing different types of controls and monitors,” observes P.K. Agarwal, former CTO for the state of California and currently the regional dean and CEO of Northeastern University-Silicon Valley. “The challenge today, as a new generation of sensors is connected to the internet, is ensuring that the devices and the data they generate are protected from attackers and eavesdroppers.”
Although IoT adoption is just starting to take off, threat reports are already beginning to appear. First out of the gate, discovered in August 2016, was Mirai malware, which turns networked devices into remotely controlled nodes that can be used as part of a botnet in a large-scale distributed denial of service network attack. Devices infected with Mirai continuously scan the internet for IP addresses of IoT devices.
“Energy and utility companies represent high-value targets for external attackers, and their broad geographic diversity presents a challenge with a highly distributed attack surface,” observes John Reno, IoT product and solutions marketing manager for Cisco Systems. “Security risks from insiders and contractors represent an important group to consider in risk assessment as well.”
Utilities Need to Deploy Multiple Layers of Defense
IoT security threats are persistent and rapidly evolving. “Knowing that protecting every asset from every potential threat is not realistic, utilities instead manage their risk by deploying defense-in-depth strategies,” says Joy Ditto, president and CEO of the Utilities Technology Council, an industry trade organization.
Data encryption is one of the most powerful security tools available to IoT adopters. “The risks associated with IoT communications within energy and utility companies drives the requirement for encryption throughout the distributed IoT infrastructure,” Reno says.
Like Reno and most other security experts, Richard Ku, senior vice president with Trend Micro, believes that encryption is most effective when used wherever IoT data travels.
“All communication between endpoints and sensors to the edge and then to the cloud must be encrypted so that the data cannot be compromised and manipulated,” he says.
Authentication technology is also widely used to ensure that only approved users gain access to IoT networks and related systems. “Accessing information in the device, edge server or the cloud must require authentication and authorization with the right privilege to ensure no one can compromise the utility environment,” Ku says.
Next-generation firewalls are another important IoT security tool, offering features such as application awareness, stateful inspection and integrated intrusion protection system technology. “Next-generation firewalls offer security and operations teams important capabilities for segmentation, application visibility and threat management,” Reno says.
Physical security, including site access controls and surveillance technologies, constitute yet another essential part of the IoT security mosaic. Access control technologies, such as password-protected cabinets and gates, help energy and utility companies secure physical network assets against tampering and destruction. Video analytics solutions scrutinize live images in real time to detect unusual activities that could pose a threat to IoT technologies. “Video monitoring provides an important tool in mitigating physical security risks and protecting high-value assets,” Reno says.
In addition to managing cyberthreats and physical security, energy and utility companies must also address the business risks created by unplanned downtime caused by natural disasters, equipment failures and worker safety incidents. Agarwal notes that IoT technology itself can help companies prevent or shorten downtime while also protecting staff from the possibility of serious injury.
“A service team, for example, could get a text message, or some sort of warning automatically initiated by a sensor, indicating that a transformer at a specific location is malfunctioning and at risk of failing,” he says. “After viewing the data, the team would know what types of tools and safety gear would be needed to address the situation before a catastrophic failure occurs.”