Cybersecurity For Public Utilities Solutions I

By John Forrester January 2, 2023

Cybersecurity For Public Utilities Solutions I

In 2021 Jason Miller wrote an article on cybersecurity for municipal utilities stressing that cyber-attacks were increasing every year and greatly impacting a wide range of high-profile targets from governmental agencies to financial and insurance organizations, hospitals and other health facilities, and educational institutions. Of particular concern in many countries, he points out, is the situation on local levels where local governments with municipal utilities are often under-funded with poorly trained staff [1]. Unfortunately, the solutions he offers do not take into account the range of problems facing municipal utilities. Many are not aware, however, of how municipal utilities have become targets for “nation-state actors” and the possibly disastrous effects of an attack.

Since utility companies often provide a range of basic services like electricity, heat, and gas, to their communities, any attack that damages the “critical infrastructure or disrupts these services needs remediation immediately” (Miller). Unfortunately, many in government and in industry remain unconvinced of the potential for an attack on these facilities and the possibly serious consequences for service delivery.

These companies are also responsible for handling large amounts of sensitive data. Unfortunately, this combination provides cyber attackers with the opportunity to launch attacks on both the IT and the OT (operational technology) systems in utilities. Attacks on municipal utilities can cause: 

• Large-scale power outages 
• Contamination of water and related systems 
• Wide information breaches that could affect thousands of customers and employees
• Damage to critical infrastructure and essential networks that could take months to repair 
• Billions of dollars lost each year to ransom demands and critical repairs 

Due to budget cuts and a lack of trained personnel utility companies remain largely unprepared to manage these attacks. Employees in utility companies very often have had little to no training in cybersecurity procedures and ways to prevent attacks. Municipalities are often on strict budgets overseen by elected officials, shareholders, or managers who rarely participate in the daily tasks required of the company. While these officials oversee the allocation of funds, their awareness of the issues at stake is limited. From department managers and elected officials to average end-users, many individuals in the Utility sector are unaware of the need for more attention to cybersecurity.

Since these municipal companies provide important and vital services to the community, they “represent critical infrastructure” and leave their communities open to attempts to extort money or to create “confusion and destruction” (Miller). Miller suggests that since larger targets “like banks, large companies, and government companies, and the military are tightening security to avoid the risks of mass cyberattacks, hackers are seeking easier prey.” While one might take issue whether there is a strong cause and effect in the shift of interest from larger organizations to smaller municipal companies, the lack of strong security and the numerous number of possible attack points makes these companies easy targets for hackers.

[1] Miller, Jason. Cybersecurity for Utilities: Municipal Utilities have become a major target Ransomware, Cyber Attacks, Critical Infrastructure 06/02/2021