Utility infrastructure is in dire need of modernization. In many parts of the world, the infrastructure delivering power and water to consumers is not ready to withstand natural disasters and rising energy demands. Integrating real-time data analytics into the decision-making process is one way to kick start modernization efforts, yet nearly one in five utilities are not making use of the tools they have due to security and data privacy concerns, according to Itron’s 2022 Resourcefulness Report.
While there are security implications to consider, forgoing deployment of data analytics tools is not a long-term solution for utilities. To meet the demands of customers while also prioritizing security and privacy considerations, utility companies need to pursue a holistic security program that encompasses both operational technology (OT) systems as well as those that store and service customer data.
Utilities face unique complexities
Cybersecurity is a priority across industries and borders, but several factors add to the complexity of the unique environment in which utilities operate. Along with a constant barrage of attacks, as a regulated industry, utilities face several new compliance and reporting mandates, such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Other security considerations include aging OT, which can be challenging to update and to protect, the lack of control over third-party technologies and IoT devices such as smart home devices and solar panels, and finally, the biggest threat of all: human error.
These risk factors put extra pressure on utilities, as one successful attack can have deadly consequences. The instance of a hacker attempting to poison (thankfully unsuccessfully) the water supply in Oldsmar, Florida is one example that comes to mind.
Utilities have a lot to contend with even before adding data analytics into the mix. However, it is interesting to point out that consumers are significantly less worried about the privacy of data collected by utilities. According to Itron’s 2022 Resourcefulness Report, 81% of utility executives are extremely or very concerned about ensuring the privacy of customer data. On the other hand, less than half (42%) of consumers say they are extremely or very worried about utilities having access to their energy and water usage data to personalize their customer experience. In fact, many consumers want more access to these advanced insights, so they can reduce their energy use and save money.
The data indicates that consumer opinion is on the side of data analytics. To meet the demands of consumers, utilities cannot allow broader OT security concerns to slow down deployment of data analytics tools – so what steps can utility companies take to mitigate these concerns and protect consumer privacy?
Three steps to protecting data
There are three key steps utilities can take to protect the massive amounts of data collected to make real-time data analytics a reality. With a holistic approach that covers both OT systems and those that store and service customer data, utility executives can feel more confident as they modernize technology.
Let’s dive into these three steps further.
1. Protect IT and OT from one another by building robust demilitarized zones (DMZ)
Demilitarized zones (DMZs) provide strong network segmentation and, for utilities, a barrier between IT and OT environments. This prevents a hacker from using more traditional hacking methods to get into a utility’s IT network and then gain a foothold in the operational side of things. In addition to separating IT and OT systems as much as possible, companies should also strive for the utmost simplicity in their networks. The more complex a system is, the more holes exist across the IT network. Malicious actors are experts at detecting and exploiting these holes.
However, like with any strategy, nothing is foolproof. Therefore, utilities should have a backup in place to both detect and contain an infiltration and reduce downtime in the case of a successful attack.
2. Address the human element
While advanced precautions for enterprise systems and networks are critical, we must remember that the biggest risk to cybersecurity will always be human error. Standard defenses—multi-factor authentication, role-based access controls, internal audit processes, spam filters, preventing Microsoft Office macros, endpoint detection and response, data loss prevention solutions, etc.—go a long way to making it easier for employees to make the right decisions and tougher for bad actors to get in.
According to the IBM’s annual Cost of a Breach report, “ransomware and destructive attacks were responsible for more than a quarter of breaches in critical infrastructure industries.” With this threat in mind, it is also wise to establish company-wide security awareness training to ensure a security conscious culture. End users should be aware of all possible threats, including those within home devices.
3. Layer additional defenses on the most valuable targeted assets
Start with establishing a zero-trust architecture, operating under the assumption that no internal or external users can be trusted. Next, apply protocols to verify which devices, applications and users can access networks and systems. When exposing any services to the internet, leverage industry best practices by selecting proven and independently tested and verified technologies.
Once third-party penetration and vulnerability testing determines what is most likely to be targeted by hackers, utility companies can determine their most vulnerable and valuable targeted assets and add extra levels of protection, such as encryption or multi-factor authentication. Couple these precautions with robust operational best practices, including comprehensive monitoring and a strategic incident response plan.
Change is difficult, but inevitable (and beneficial)
The utility industry faces several disruptions beyond cyberattacks and privacy concerns, diverting executives’ attention in many different directions. This includes integrating renewables, accommodating electric vehicles and preparing for extreme weather events – all while dealing with the adverse effects of an aging infrastructure and grid. However, it’s important to point out that there is support for utilities focusing on hardening their cyber defenses. For example, the Infrastructure Investment and Jobs Act (IIJA) included significant funding for cybersecurity efforts – a big win for US utilities.
Data analytics have proven to be a sticking point for utilities on their quest toward modernization. However, once cybersecurity concerns are addressed and utilities embrace the power of real-time data analytics, critical infrastructure will become more reliable and resilient. Ultimately, it will be what keeps the lights on and water flowing.