Cybersecurity For Public Utilities Solutions III

By John Forrester January 17, 2023

Cybersecurity For Public Utilities Solutions III

Failing to understand the gravity of the potential effects of a power grid attack leaves municipal utility companies unprepared to enact the necessary cybersecurity counter-measures necessary to prevent or, at least, mitigate attacks. As Miller [1], points out, local governments could benefit from the information that would lead to the early prevention of cyberattacks. Unfortunately, the information is often hidden or never revealed. Although municipalities are obliged to report attacks in a timely fashion, they often avoid reporting attacks to maintain credibility. Nor do they necessarily see sharing of information about attacks as useful.

However, the problem has a “wider reach in the utility sector”, as Miller puts it. Failure to report attacks provides a false sense of security governing bodies that could introduce new regulations for such attacks. It also leaves other facilities under-prepared for similar attacks. According to Miller, the bigger picture for municipal utility companies comes down to money that could be spent on cybersecurity solutions. Cyberattacks are downplayed to avoid lost confidence from shareholders and local community. Unfortunately, downplaying the reality of the danger does not mean money is allocated to cybersecurity for utilities and necessary training. 

All municipal utility companies present a wide range of potential vulnerabilities, and everyone using the network needs to be aware of the risks. In many ways human error is the most important factor in successful cyberattacks. Still, in utility companies with end-users at practically every level, Miller points out the threat is largely unknown. Educating employees at every level and elected officials of the potential risks associated with attacks can be a better way to encourage more effective cyber hygiene. 

To create a “comprehensive cybersecurity for utilities solution”, Miller insists that it’s important to understand where “your security gaps lie”. In our experience, this insistence on understanding first your “security gaps” is misleading and distracts from a more important need for a comprehensive insight into how and why an organization was formed.

Certainly, helping all employees be aware of how they are targets for phishing emails or other cyberattack attempts. Phishing attacks are still the number one way for attackers to gain access into a targeted network. These attacks work because they have evolved into sophisticated faked communications that convincingly imitate contact. Providing employees with the knowledge to recognize these threats and other red flags can greatly eliminate issues caused by human errors. 

Many companies are aware of the need for more robust cybersecurity systems but have no idea how to put these measures in place. Utility companies across the country face huge financial issues and the burden of working out how to achieve and maintain compliance is challenging. Municipal utility companies on a strict budget don’t have the funds to hire an in-house cybersecurity team, and many employees don’t have the training to recognize the signs of an attack. 

Miller outlines well the need to have more effective protection for municipal utilities. Understanding where you are and what the existing environment is important, but more attention needs to be paid to the socio-economic aspects of the situation. Too much reliance on technologically based solutions does not necessarily help develop solutions for organizations particularly for those with limited budgets and lack of qualified staff. As we have discovered in the prior CS-AWARE project more attention needs to be paid to understanding who the perspectives of the relevant stakeholders or stakeholder groups and what the rules and policies are that make the environment function. Raising the awareness of employees and management about cyber-security issues, experience shows, is an important step to promoting far reaching changes. In addition, encouraging agencies and businesses to share information about possible attacks and solution to use can help foster the development of effective counter-measures to the ever increasing attacks.

[1] Miller, Jason. Cybersecurity for Utilities: Municipal Utilities have become a major target Ransomware, Cyber Attacks, Critical Infrastructure 06/02/2021