The proliferation of Internet of Things devices in the energy sector has broadened the threat landscape, requiring greater attention to cybersecurity.
The energy sector’s adoption of Internet of Things tools has continued to increase over the past few years, and it shows no signs of slowing down. Tools such as smart meters have provided flexibility and resilience, as well as cost savings.
Along with those benefits, however, come new security concerns. According to a McKinsey article on the topic, “utilities have geographic vulnerabilities in consumer-facing devices (either utility owned or simply grid connected) that may contain cyber vulnerabilities that could compromise either a company’s revenue or the overall security of the grid.”
Each IoT device is a potential target for cybercriminals. As Trend Micro notes in a company blog post, “IoT security is critical largely because of the expanded attack surface of threats that have already been plaguing networks. Adding to these threats are insecure practices among users and organizations who may not have the resources or the knowledge to best protect their IoT ecosystems.” The post notes that these security issues include vulnerabilities, malware, escalated cyberattacks and device mismanagement.
Safeguarding Data in an Expanding Threat Landscape
Security is top of mind for the energy sector in the wake of highly publicized ransomware attacks on utilities over the past year. But the attack surface has broadened even further as energy providers have rolled out IoT devices during the pandemic.
Most utilities serve large geographical areas, and unmanned IoT devices have made it more possible to provide uninterrupted service from a more stable grid. However, as McKinsey points out, “both geographic distance and organizational complexity make the industry vulnerable to cyberattacks.”
Still, cyber threats are not insurmountable if companies take a structured approach to security “that applies communication, organizational, and process frameworks along with technical improvements in a few areas can significantly reduce cyber-related risks for utilities,” according to McKinsey.
Common Security Concerns Presented by IoT Devices
Despite their many benefits, IoT devices can become security concerns “by giving cyber criminals access to connected networks, enabling them to steal critical corporate data and user credentials,” according to Fortinet. “Organizations therefore must understand how to secure IoT devices and recognize the top IoT vulnerabilities they face.”
Among the vulnerabilities Fortinet lists, the use of weak and recycled passwords is a common issue. Insecure networks also present a security risk: “Insecure networks make it easy for cyber criminals to exploit weaknesses in the protocols and services that run on IoT devices. Once they have exploited a network, attackers can breach confidential or sensitive data that travels between user devices and the server.”
Improper device management and failing to regularly update and patch software programs can also contribute to a breakdown of security for IoT devices. “This is because vulnerabilities can come from any layer of IoT devices. Even older vulnerabilities are still being used by cybercriminals in order to infect devices, demonstrating just how long unpatched devices can stay online,” according to Trend Micro.
How Utilities Can Better Secure IoT Devices
Minimizing the risk inherent in the use of IoT devices requires the application of some best practices, including password management, network segmentation and cloud-based solutions.
Strong passwords can help prevent many cyberattacks. Trend Micro recommends identifying password managers, who can help users create unique and strong passwords that can be stored in the app or software itself. This practice is especially necessary for IoT devices, since they have limited computational abilities and minimal space for the robust data protection and security required to defend against cyberattacks.
Network segmentation is another tool that can be employed to minimize risk. Creating independent networks for devices and guest connections can help prevent attacks from spreading and isolate individual problematic devices so they can be taken offline before causing too much damage.
Trend Micro also suggests a greater reliance on cloud computing: “The IoT and the cloud are becoming increasingly integrated. It is important to look at the security implications of each technology to the other. Cloud-based solutions can also be considered to deliver added security and processing capabilities to IoT edge devices.”