Honeywell makes inroads in securing utilities
Utility installations are the lynchpin of any economy, and are traditionally the first to be secured in the wake of any attack. But beyond physical security, how well guarded is the utility sector from an avalanche of virtual attacks?
One can only imagine the harm that could come from hackers taking control of a country’s entire electricity and water infrastructure.
Whether motivated by financial gains or economic espionage, cybercriminals have already caused losses worth $400bn worldwide, and are increasingly directing their focus on the technological systems operated by various utility providers around the world.
The increased adoption of technology and data in the Middle East have completely transformed the power and utilities sector, allowing companies to use information to improve and expand services, and better engage with customers.
The rising demand for power is driving a wave of new investments in the region, with the power sector expected to grow at a rate of 8% over the next 10 years, according to the MENA Power report, which forecasts an expenditure of more than $500bn on future utility projects in the same period.
The need for improved reliability and availability of utility services is giving rise to investments in smart solutions such as smart metering and smart grid that leverage big data, Internet of Things (IoT) and cloud technology.
The flood of data from customers, smart meters, operational assets and the power grid is a major cause for information security concerns within the utilities sector.
Data from a survey conducted by Ernest and Young (EY) shows that 80% of utility companies have witnesses an increase in externa threats, with mobile computing, malware and phishing the most prevalent concerns.
But while they may recognise the threats, only 11% of survey respondents said they felt their current information security measures fully meet their organisation’s needs, 60% are running no or informal threat assessments while 64% believe that their security strategy is not aligned with today’s risk environment.
It is a trend that worries cyber security solutions providers who feel that the scale of threats is not widely understood by industry players and are now calling for a complete change in the approach for securing vulnerable utility infrastructure and systems.
The story of critical infrastructure security is part of a familiar narrative of the clash between old technology and new cyber threats, between government regulation and company motivation, and between cost and security – with security consequences unique to critical infrastructure.
“A large section of the existing utilities infrastructure is old and not resilient enough to withstand the emerging cyber threats,” says Safdar Akhtar, business development director - cyber security, Honeywell Process Solutions.
Akhtar says that a complete change in attitude and approach is required to lessen threat levels, and to boost the security of all attack vectors at any given unit that could be a potential target.
Critical infrastructure systems including the electrical grid and water disbursement are in need of some serious security overhauls to prevent the hacking threats currently impacting those sectors, he says.
“What we are witnessing is mostly a reactive approach where companies deploy security solutions only after threats become palpable. But to guarantee high availability, reliability and safety, the entire system must be insulated from current and future threats because attackers are always changing tactics.”
A number of companies tend to give less attention to real possible targets and instead focus on areas such as data, which downplays the very real possibility of cybercriminals taking control of essential resources.
With the increased convergence of cyber and physical worlds, attacks are no longer limited to office computers and networks, and can have a physical impact in the real world.
“It makes economic sense to make a single investment in a security solution that will protect your infrastructure for many years ahead rather than waiting for a threat to happen and then take action,” says Akhtar.
In fact, the real awakening to the reality of cyber threats in the Middle East is as recent as five years, and this comes at the back of a series of cyber-attacks at some of the region’s largest installations.
In 2012, Saudi Aramco was attacked by hackers who were able to infect 30,000 of the company’s computers with the Shamoon worm. Although gas and oil production was not disrupted, the company’s networks were brought down by the attack.
Only days after the attack on Saudi Aramco, computer systems at Qatari energy firm RasGas were taken offline by a computer virus. Although production was not hit by the attack, it forced the firm to shut down its website and email systems.
The Stuxnet worm, first discovered in June 2010, clearly demonstrated that worms and related types of malware can successfully infiltrate programmable logic controllers or other types of hardware and cause significant damage, after it destroyed nearly 20% of Iran’s centrifuges.
AnonGhost, a politically motivated group of hacktivists, has issued a warning saying that is planning to launch cyber-attacks on energy companies globally, including Adnoc and Enoc in the UAE, for using the dollar in oil trades.
In a 2013 report, one electric utility reports that it endures roughly 10,000 attempted cyber intrusions on a monthly basis
Dealing with highly focused and highly skilled attackers who perpetrate sophisticated incursions into the utility infrastructure, requires a robust and integrated set of capabilities. To prevent such incidents from occurring, utility organisations in the Middle East need to detect cybercriminal activity and respond quickly to suspicious behaviour and resolve the issue at hand.
“It is important that they implement IT security solutions that integrate network, endpoint and malware analysis, threat intelligence and remediation capabilities and don’t just deliver rapid detection and response, but continuous automated incident resolution,” says Akhtar.
“But most importantly, any solution must take people into consideration, both as strong and weak points in securing a system.”
In October 2012, a contractor at a US power plant accidentally infected a turbine control system with a worm delivered via a USB drive and took the power plant offline for three weeks.
The scale of the damage could have been unimaginable had the contractor been an accomplice working with cyber criminals from inside.
In a recent report by PWC, 67% of participants said that within the past year, they have had at least one security compromise that led to the loss of confidential information or disruption to operations.
The report also revealed that 47% of the attacks came due to negligence on the part of staff members.
“People must be provided appropriate training to guide them in working on sensitive systems. At the same time, measures should be put in place to restrict movement of unauthorised personnel at the installation,” says Akhtar.
Honeywell has devised a six cycle security solution to help detect threat vectors within the utilities sector and provide real time remedies to any potential security breach.
The Honeywell Industrial Cyber Security Risk Manager has been designed to simplify the task of identifying areas of cyber security risk, providing real-time visibility, understanding and decision support required for action. It monitors and measures cyber security risk in multi-vendor industrial environments.
Honeywell is able to conduct predictive analysis to determine future threat trends and provide end to end vendor diagnostic solutions from any location.
“We are working with a number of companies around the world and helping them to conduct full assessment of their infrastructure, their policies, and compliance to regulations. Based on our findings, we build the most optimised design for them.”
“Bearing in mind that there are a number of old infrastructure, our solutions are tailored to meet the specific security requirements of each installation. We will advise a client if the infrastructure needs a complete overhaul.”
Honeywell has made significant investments in a cyber security lab to help identify vulnerabilities through various diagnostics techniques geared towards the creation of a more resilient system.
Next year, Honeywell will build a $1.5mn state of the art cyber security lab in Dubai, the first ever outside USA, and will use it to remotely monitor installations in the region to protect them from any possible attacks.
The reality of cyber-attacks has seen a significant increase in budgets for IT security worldwide with some utility companies creating divisions dedicated to cybersecurity.
General Electric is reported to have so far invested over $1bn into the Industrial Internet and cybersecurity solutions.
Last year, GE acquired Vancouver-based Wurldtech, which specialises in security software that protects big industrial sites used by the energy, chemical, nuclear and manufacturing industries at an undisclosed sum.
Established IT companies are increasing cybersecurity solutions that target the utilities sector, as the industry becomes a clear target for cyber criminals.
Microsoft has invested more than $2bn improving smart and cybersecurity solutions for utilities infrastructure.
As the drive to connect citizens and devices through smart city initiatives gain momentum in the Middle East, the threat of cyber-attacks remains real and its potential to ruin these dreams is inescapable.
This probably explains the growing market for cybersecurity solutions in the region estimated to reach $13.43bn, according to a recent report by Cybersecurity Ventures.
IT security providers and industry analysts concur that any strategies towards achieving a virtual community must prioritise cybersecurity and suppress it at all levels.