With the advance of digitization and the industrial internet of things (IIoT), industrial energy environments are increasingly interconnected and remotely accessible. Historically this was not the case, but with these advances the industrial control systems owned by critical infrastructure providers, once isolated from outside networks, are now reachable remotely, often unsecured, and frequent targets of cyberattackers.
The costs of such an attack can be significant. In addition to a potential ransomware payout, these critical infrastructure providers face the possibility of unacceptable downtime, theft of sensitive data, and the ever-looming threat of a catastrophic event, should a bad actor gain control of critical industrial systems.
How are these attacks happening? Unfortunately, third-party partners are the most common entry point, with 63 percent of breaches attributed to third parties. These third parties and contractors are granted remote access to industrial control systems and IIoT to provide timely support and ongoing maintenance, through a variety of methods such as unsecured desktop sharing tools and unmonitored VPNs. These tools can make networks more susceptible to attack, leaving utility companies without the centralized oversight, visibility, and control they need over their third parties.
Take the recent example of the cyberattack on a water plant in Oldsmar, Florida in early 2021. A bad actor was able to easily gain remote access via a remote desktop sharing tool and adjust the ratio of sodium hydroxide in the water supply to dangerous levels. Luckily, an employee saw the attack happening in real time and was able to react immediately, before anything catastrophic happened. This is just one example of many, highlighting the increasing risks utility and energy organizations face from unsecured remote access methods.
Alongside this increase in cyberattacks, the energy sector and utility industry also face growing compliance requirements, specifically around third parties and their access to these critical environments. Take North American Electric Reliability Corporation (NERC) compliance for example: the NERC CIP (critical infrastructure protection) cybersecurity standards were recently updated to directly address third-party access requirements and overall risk management of an organization's supply chain. If an organization is using a variety of ad-hoc remote access methods, NERC compliance requirements, as well as others, can be difficult to meet.
With increasing regulatory requirements and a growing number of cyberattacks and threats against the energy and utility sectors, these organizations cannot ignore the cybersecurity risks associated with their third parties and supply chain, nor the consequences of failing to fully secure third-party industrial remote access.
Breaches and cyberattacks against the energy sector and utility companies are rising at an alarming rate. Learn more about the recent changes to the NERC CIP cybersecurity standards and how a dedicated third-party access management platform can help ensure your compliance and secure your network.