A Wall Street Journal article discusses a new set of attacks on electrical distribution providers. These attacks have targeted providers that are too small to be NERC regulated but that may serve critical infrastructure such as dams or military bases. All but one of the entities named in the article say that the phishing e-mails were blocked by malicious content filters and were never an issue for them. However, one facility chose not to comment.
The point is that hackers don't necessarily choose targets based on organizational size. They don't always target large utility infrastructures. Cybercriminals often target smaller, sometimes less protected utilities that support critical infrastructure. If they can attack one of these facilities and shut down the power, it could result in catastrophic events and loss of life.
Unfortunately, some entities believe that they're too small to be hacked. The truth is, state-sponsored hackers don't care how big you are. They care about the damage they can cause.
What can be done to protect these small non-NERC registered entities? Below is a list of six cybersecurity best practices that can be put in place to stop many potential attacks.
1. Physically secure your important systems.
You can never be cyber secure unless you are physically secure. Make sure that servers and control systems are behind locked, monitored doors. Also, make sure that the people in your building belong there and that visitors are not allowed to roam around by themselves.
2. Complete a Risk Assessment.
Perform a Risk Assessment of your facility, employees, and vendors. This will help you understand the risks that could negatively impact your organization. Once you know and understand the risks you face, you can then determine ways to avoid or mitigate them.
3. Separate the IT network from the Utility Control network, or OT network.
It should not be possible for anyone on the control network to receive e-mails or access the Internet. No control network or SCADA system should ever be connected to the Internet.
4. Educate your employees.
Train your employees on how to recognize a phishing or otherwise suspicious e-mail. Teach them to not even open an e-mail that they think may be malicious.
5. Utilize outside resources.
Have an outside contractor perform cyber vulnerability assessments or penetration tests on both your IT and OT networks. These will highlight systems that may need to be updated or protected in different ways. An outside contractor is recommended. Your internal IT people likely know where all the problems are and will avoid them to potentially look better. Think of it as grading your own final exam for a class: most people will end up with an A.
6. Keep Windows Updated.
Load Windows Updates as soon as possible when they are released. Many attacks that have happened in the past could have been avoided if people had loaded patches that were released months or years before the attack happened.
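The separation described in step 3 can be checked against an exported firewall rule list. The following is an added example, not part of the original article: the subnets, rule names, and simplified rule format are constructed for illustration, and the check looks at every allow rule without modeling rule order.

```python
import ipaddress

# Constructed sample data: an assumed OT subnet and a simplified rule export.
OT_NET = ipaddress.ip_network("10.20.0.0/24")
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}  # SMTP, POP3, IMAP and TLS variants
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RULES = [  # (name, action, source, destination, dst_port; None means any port)
    ("historian-to-it", "allow", "10.20.0.15/32", "10.10.5.20/32", 1433),
    ("hmi-web",         "allow", "10.20.0.0/24",  "0.0.0.0/0",     443),
    ("eng-mail",        "allow", "10.20.0.40/32", "10.10.1.25/32", 587),
    ("it-browsing",     "allow", "10.10.0.0/16",  "0.0.0.0/0",     443),
    ("vendor-remote",   "allow", "0.0.0.0/0",     "10.20.0.5/32",  3389),
    ("ot-default",      "deny",  "10.20.0.0/24",  "0.0.0.0/0",     None),
]

def is_internal(net):
    """True only if the whole range sits inside private (RFC 1918) space."""
    return any(net.subnet_of(p) for p in RFC1918)

def audit(rules, ot_net=OT_NET):
    """Return (rule name, issue) pairs for allow rules that break OT isolation."""
    findings = []
    for name, action, src, dst, port in rules:
        if action != "allow":
            continue
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if s.overlaps(ot_net):
            # Traffic leaving the control network.
            if not is_internal(d):
                findings.append((name, "ot-to-internet"))
            if port is None or port in MAIL_PORTS:
                findings.append((name, "ot-to-mail"))
        if d.overlaps(ot_net) and not is_internal(s):
            # Traffic entering the control network from public address space.
            findings.append((name, "internet-to-ot"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(RULES):
        print(f"{name}: {issue}")
```

Rules that only move data between the OT subnet and a specific internal host on a non-mail port, such as the constructed historian rule, pass the check.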
These steps will not stop all attacks, such as an attack by a “trusted” employee, but they will reduce the risks that you face. If you would like help with any of these steps, Velta Technology’s Cybersecurity Team combines traditional IT best practices with a deep understanding of both IT and OT networks as well as critical infrastructure systems.
Our team of cybersecurity experts draws upon extensive knowledge and experience across several relevant areas including risk management, operations, and human factors. This helps ensure all testing and suggested mitigation measures are tailored to the specific needs of your organization.
Be proactive rather than reactive. To talk about cybersecurity protection for your organization, contact the Velta Technology Cybersecurity Team today.