As IoT Enhances the Energy Sector, Security Issues Grow

Functions that once required manual labor or onsite supervision are being fully automated as the Internet of Things transforms the energy industry. 

An oil refinery may use IoT sensors to alert managers when equipment fails, for instance. The tools might also identify whether key details such as temperature or flow aren’t at target levels. Better yet, such devices can collect and analyze performance data to improve efficiency.

But IoT advancements also pose a major security risk: Energy and utility companies invest 7 percent of their IT budgets deploying and maintaining IoT technology, yet spend only 1 percent securing them, according to a 2018 study by IBM and Oxford Economics. 

The study also found that few companies have the knowledge or resources to take proper precautions, a deficit made evident in December 2015 after Russian hackers disrupted a power grid that left more than 200,000 Ukrainians without power — and again in 2018 when it was announced that Russia had successfully hacked the U.S. power grid. 

“Critical infrastructure such as energy and utility assets are a major target for cyberattackers,” Ed Gawlik of CDW wrote in a post to the company’s Solutions Blog earlier this year. 

Why IoT Security Is Crucial for Utilities

Security experts view IoT attacks to be a major concern. A study by the SANS Institute found that 69 percent of security practitioners consider the threat to industrial control systems to be either high or critical. 

Meanwhile, the number of connected devices in the industrial market is poised to rise to nearly 180 million by 2020 — almost a fourfold increase over the 50 million devices used in 2014.

That leaves systems of all types and sizes vulnerable. 

Consider an oil or chemical refinery that implements IoT technology to automate the opening and closing of hundreds of valves. The facility might now be susceptible to outside sources that could hijack control of those once manual tasks to start a fire or some other incident that results in injuries or environmental damage. 

A major target: supervisory control and data acquisition networks, many of which are old by technology standards and connected to the internet without proper security precautions to defend against an attack. 

MORE FROM BIZTECH: For more on the latest threats and defense tactics, check out our coverage RSA, the biggest cybersecurity event of the year.

How Energy Companies Can Boost IoT Security

It takes a coordinated game plan to prepare for potential trouble. 

First, data encryption is key. “All communication between endpoints and sensors to the edge and then to the cloud must be encrypted so that the data cannot be compromised and manipulated,” Richard Ku, a senior vice president with Trend Micro, told BizTech in 2017

Authentication technology is also widely used to ensure that only approved users gain access to IoT networks and related systems. So, too, are next-generation firewalls, which segment networks of differing security levels and restrict traffic between networks. 

Organizations need to adopt anti-virus software to protect against the latest malware. That software should be installed on every SCADA endpoint and updated at least daily. 

And physical security matters: Password-protected cabinets or gates can keep unwanted parties from having hands-on access to systems. Video analytics solutions can scrutinize live images in real time to detect unusual activities that could pose a threat to IoT technologies. 

Beyond those basic steps, companies or organizations should undergo third-party vulnerability assessments and fix any weak spots accordingly. The National Institute for Standards and Technology’s Cybersecurity Framework helps establish a risk-based approach going forward.