In the keynote speech at an Atlantic Council event on cybersecurity for operational technology (OT) in the utilities industry, former US Secretary of Homeland Security Michael Chertoff stressed that "power and energy are at the core of almost everything we do," and described security for this industry as "an urgent matter of national concern." He noted that threats to energy infrastructure aren't theoretical anymore, pointing to the 2015 and 2016 blackouts in Ukraine, as well as the fact that the US Department of Homeland Security recently warned that malware has been detected on some systems used by the US electric grid. While it's not clear what type of malware DHS was referring to, Chertoff noted that malware targeting OT systems is hard to classify until after an attack takes place.
Meanwhile, the attack surface for this sector is quickly expanding with the proliferation of IoT devices. "What this does is it creates many more links in the chain, the weakest of which creates the attack vector through which the whole network can be attacked," Chertoff explained.
Chertoff said some people view cyber defense as a perimeter issue, where they'll be safe if they can use the right tools to build a Maginot line around their network. That approach, Chertoff said, is as effective as the real Maginot line—attackers will simply go around it. Air gapping your environment isn't a foolproof solution either, and not just because organizations often fail to . Chertoff referenced the Stuxnet attack as an example, which involved the insertion of a malware-laden USB stick into an internal system.
ICS-tailored malware isn't the only threat facing the utilities sector. Chertoff emphasized that utility networks "don't operate in a vacuum." These companies rely on transportation, telecommunications, and many other variables to actually operate and provide power. As a result, attacks against these other targets can still disrupt the services provided by utility companies.
He also discussed supply chain problems for hardware and software in the utilities sector, pointing to the current concerns over 5G infrastructure as an example of how we need to think about how systems "interact with the supply chain and the others who provide the basic building blocks going forward."
Chertoff concluded on an encouraging note, saying that the utilities industry is taking the issue seriously and partnering with various government agencies to reduce risk and prepare for events. He said there are still steps that need to be taken, including using knowledge of threats and defenses to determine the necessary levels of investment in security. "You cannot eliminate risk, but you can manage and mitigate the risk, and if you bear that in mind, you can achieve success," Chertoff said.