Barry Cashman at Veritas Technologies argues that the utilities sector, under pressure from hackers looking for easy wins, must improve the way cyber security is handled, despite regulatory requirements that are often unhelpful
The Colonial Pipeline attack gave the UK sector a glimpse of the potential consequences of utilities companies not protecting themselves against the threat of ransomware.
The pipeline, which carries 2.5 million barrels of fuel a day, was forced offline in May by hackers demanding a ransom. After paying the £3.1 million ransom, the pipeline was able to resume operations the following week. Although the Justice Department was able to seize millions in cryptocurrency that was paid in ransom to the hackers, the downtime caused by the attack led to huge disruption and petrol shortages in major US states.
The nature of the attack really highlighted one thing. The more that utilities companies, fuel suppliers, healthcare, emergency services, traffic management systems – and other organisations that are essential for the daily functioning of our economy – rely on data, the greater the impact that hackers can have by interfering with it.
The more impact that a hacker can have, the more likely their victims are to pay to get their systems back online. This has driven the explosion in ransomware that we’ve seen over recent months.
Recent research from Veritas found that over half (53%) of UK utilities companies experienced a cyber-attack in the last year. As Colonial Pipeline, and, more recently JBS, found out, eventually one of these attacks will succeed. So how can companies protect themselves from attack, for the sake of their own business as well as the customers they serve?
The security shortcoming
In the public sector, businesses can set aside budgets for technology innovation based on their own risk assessments and success criteria. However, the heavily regulated UK utilities sector must meet the strict innovation rules laid out by the watchdogs before committing to a transformation project. This can mean that utilities firms are forced to prioritise cost-reduction initiatives over digital transformation projects, or limit the budget – and therefore scope – associated with a new IT initiative.
Requirements to demonstrate the results of all types of project, from recruitment to procurement, within regulator-defined timelines can also frustrate IT innovation. This is because these cycles were often set before technology had become so pervasive in business and fail to allow for the lifecycle of a technology project.
A government consultation into how to remove these kinds of barriers was launched in 2018 but the findings have yet to be published.
As a result, the highly regulated nature of the utilities industry means adopting new technologies isn’t easy. In fact, 88% of IT leaders admit the energy sector hasn’t fully embraced cloud technology. Despite this, 48% of the industry’s data is stored or managed in the public cloud, and this figure is expected to rise to 60% in the next five years. Further still, 40% of utilities organisations now consider moving more data and applications to the cloud a top business priority.
Although the utilities sector is typically resilient to unexpected macro changes, current market conditions have forced every industry to drastically accelerate digital transformation plans. The utilities sector is no exception, which perhaps indicates the sudden shift to the cloud.
As a result of this rapid transformation, however, 55% of utilities companies admit that their security measures haven’t kept up with the complexity of their IT infrastructure. They have less visibility and control of their data than ever before. This ‘chink in the armour’ could be their downfall when an attacker strikes.
So, it comes as no surprise that there are lingering concerns around cloud security for two-thirds (67%) of utilities companies. Other apprehensions around cloud adoption include reduced data visibility (59%) or risk of downtime (55%).
These are valid concerns given that two-thirds (64%) of utilities sector companies admit that their organisation’s approach to dealing with cyber-attacks could be improved. Increasing resiliency to ransomware and data governance are among their top three priorities.
Taking responsibility for cloud security
Concerns around the additional burden of managing and securing cloud environments can prevent utilities companies from embracing them. But modern data management and protection platforms can extend their capabilities from the data centre into cloud environments with a single solution.
This means that utilities firms can realise the benefits of transformational projects without putting themselves at additional risk, or shouldering the work associated with managing another protection solution.
But businesses must realise that the onus really is on them, not their cloud provider, when it comes to protecting that data. Alarmingly, 88% of utilities companies leave the responsibility of backing up cloud-based workloads with their cloud provider. They are, therefore, potentially leaving their business-critical data vulnerable and exposed to cyber-criminals.
While most are fully aware of just how essential backups are to their business, many still fail to understand where their cloud provider’s responsibility ends and where theirs begins. Most cloud providers operate Shared Responsibility Models, whereby their customers are responsible for the protection and security of their own data.
Visibility is key
As businesses continue to move their data to the cloud, visibility into what data they have, its value, where it needs to sit, who should access it and how long it needs to be held for, is vital. Yet, only a quarter (24%) of companies have full visibility of the unstructured data they have. If you don’t know what data you have, how can you protect it?
This doesn’t have to be an arduous task. Currently, two-thirds (69%) of utilities companies use multiple vendors to help them protect their data across their entire infrastructure. This can often lead to a melting pot of different tools and solutions which don’t always complement each other and can, ultimately, become more of a hindrance than a help. By using a single data protection solution that manages data across their entire IT estate, utilities firms can gain a full view of their data without the cost or burden of managing multiple solutions.
With this visibility comes the opportunity to build a robust and automated backup plan that includes optimising business continuity and disaster recovery processes to protect and encrypt mission-critical data. Isolating and encrypting backups, holding multiple copies, and frequent testing for vulnerabilities will help businesses build resiliency against attackers.
Unfortunately, organisations that form a fundamental part of a country’s national critical infrastructure will continue being targeted by cyber-criminals. It’s not because they have a traditionally soft security posture or are particularly cash-rich. It’s because cyber-criminals know that if their attacks halt essential services, organisations will have less time to make a decision and will be more willing to pay the ransom. The stakes of a successful attack are much higher, so the chances of a victim paying up are so much greater.
In today’s world, it’s crucial that all businesses are protected against the risks of ransomware. We’re seeing attacks become more sophisticated and the businesses that are falling victim continue to increase in number and reputation.
Given their role in society, utilities companies must be particularly cautious. To protect themselves from the threat of ransomware, they must do three things. They need to have visibility of all the data at their disposal; they need to protect that data with the most up-to-date security software; and they need to back up their data, in case their defences are breached. It’s also good practice to test disaster recovery processes regularly to ensure, when the time comes, data can be restored quickly, easily and with minimal downtime.
As we wait for the next ransomware attack to strike, utilities firms face a race against time to bolster their defences.
Barry Cashman is Regional Vice President UK&I at Veritas Technologies
Main image courtesy of iStockPhoto.com