Smart meters and IoT have the potential to optimise performance and maintenance of the billions of dollars' worth of infrastructure in Australian utilities. But each new device creates a potential access point to systems that were not designed with cyber security in mind and, in some cases, are already exposed.
Digital technology threatens to close the “air gap” many have relied on in the past, according to Ashish Thapar, Verizon Managing Principal APJ. Traditionally, the proprietary technology utility companies use has been seen as enough of a deterrent to bad actors, who saw little ease or value in attacking infrastructure, Thapar told Which-50. But that view is changing as motivations shift away from the purely financial and IT opens up.
“Historically, by design, these networks were never built with keeping security in mind,” Thapar told Which-50.
“When you start short circuiting it with IT that’s where the spark happens and that’s where the danger is looming because to drive operational efficiencies you have to come back to IT; you have to leverage cloud, you have to do business intelligence… and the air gap is being broken.”
When those initiatives merge new digital technology with legacy systems and infrastructure, the air gap is broken. A Which-50 deep dive explored how the utilities industry was responding to digital disruption, finding many organisations are indeed focusing on optimising existing assets with digital infrastructure.
The risk, Thapar says, is a lag between adding the new technology and understanding the changing cyber security environment.
Motivations have changed too. The number of attacks coming from organised crime groups and nation states is growing, bringing with them a more advanced threatscape and geopolitical rather than financial motivations.
Utilities organisations now join traditional targets like banks and governments, putting much of Australia’s critical infrastructure at risk, Thapar said.
Alarmingly, many of the new targets appear poorly prepared. A report from Trend Micro found many of the world’s water and energy systems remain vulnerable to cyber attacks, particularly those of small and medium-sized organisations.
Using a technique called “geostalking”, Trend Micro researchers were able to expose several human machine interfaces (HMIs) which could be remotely accessed without credentials. The authors of Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries argue such exposed assets are increasingly of interest to cyber attackers.
Australia is not immune from the problem, according to Jon Oliver, senior data scientist at Trend Micro.
“We found exposed human machine interfaces (HMIs) all over the world, and Australia was no exception… this exposure can result in stolen sensitive data, access to the corporate network, or even data being held ransom.”
Oliver told Which-50 Australia has unique challenges when it comes to protecting its critical infrastructure. Due to its size and low population density, Australia has the world’s longest single electricity grid, running more than 5000 kilometres.
“Having a single piece of infrastructure could be both a blessing and a curse,” Oliver said. “On the one hand there is a single piece of infrastructure to defend which may be defended in a coordinated and uniform way. However, if it is successfully attacked the consequences could be severe – a single attack on a power grid could have a direct effect on an entire industry, due to interdependencies and dependencies that exist between critical infrastructures.”
Compromising one point in utilities infrastructure can potentially have a flow-on impact on entire industries, according to Oliver.
While digital technology creates new risks, these can be combated provided organisations take precautions.
“As with anything new, there is always a period of understanding and this can take time and experience,” Oliver said. “We are on that journey now with cybersecurity, so as digital technology progresses we will see the same level of precautions made as that of physical security in time.”
There is also a potential for emerging digital technology to play a greater role in the solution. Several major cybersecurity firms have announced the use of AI and machine learning in their products.
These technologies create a “promising future”, according to Verizon’s Thapar.
“It’s moving in the right direction. It will definitely help lower the risk to a certain extent, especially with respect to zero day [attacks], especially with respect to unknown unknowns.”
However, effective cyber security requires a culture to match. According to Thapar, it starts at the top and requires buy-in from the board and senior management.
“For them to really believe and understand the impact of what can happen if [cyber security] is not taken seriously is important,” he said.
“That approach of it doesn’t happen, it hasn’t happened, so it won’t happen — I think the last point is definitely a very dangerous thing to believe.”