Thankfully, no power outages resulted from the cyberattack. However, it did knock out communication between the control center and the generation sites, as well as the field devices at those sites. Though each outage lasted less than five minutes, it was a stark reminder that firewalls aren’t guaranteed to protect utilities from highly effective cyber warfare tactics.
In this case, the firewall itself was the security issue. Cybercriminals used vulnerabilities in the firewall’s web interface to gain entry into the utility’s system, causing constant reboots over the course of 10 hours.
Firewalls are the first line of defense in any organization’s cybersecurity. They filter the traffic entering and leaving your network, blocking connections that don’t match policy, which keeps much malware and many internet-based attacks out of your system.
Still, that’s just the starting point when it comes to protecting your electric cooperative’s IT and OT/SCADA systems. There are many threats a firewall can’t protect you from that require different tools.
Think of cybersecurity as having many layers. A firewall is an outermost layer much like the fence around a property. It can keep the wrong things from coming in or leaving, but it won’t protect you from issues that are already inside the property. To be fully protected, you need additional tools that augment the firewall. For example, a firewall can’t stop files from being deleted or a USB drive contaminated with malware from getting plugged into your system. It can’t stop data leakage or employees from clicking on dangerous email links that get through.
Firewalls also tend to give you a false sense of security because of the widely held misconception they are a one-time, set-it-and-forget-it technology. In reality, to be effective, someone needs to update the firewall regularly. Some firewalls have expiration dates and don’t receive support or updates after a specific period. Even a next-generation firewall, which proactively identifies and stops attacks by learning suspicious behavior, needs to be appropriately configured to prevent attacks.
Ultimately, though an essential part of an overall security setup, firewalls only address specific types of threats. Someone or something must still address your co-op’s other vulnerabilities.
Unfortunately, there are plenty of enemies within the gate, sometimes acting intentionally, other times inadvertently creating vulnerabilities.
For example, disgruntled employees can pose a significant threat to your electric cooperative. Already behind the firewall and familiar with the system, they could mass delete files or intentionally install a virus.
A less malevolent (but no less dangerous) threat is shadow IT. This is any software, applications, or firewall exceptions team members install or enable, usually to eliminate steps in a process or make their jobs easier. Though they may not have malicious intent, it’s not uncommon for employees to weaken a firewall by adding an excess number of exceptions to it so they can complete a task more quickly. Some of the applications an employee may innocently install may create backdoor access to the co-op’s system.
Not every piece of malware gets into your co-op’s system through a firewall, either. Computer viruses and other attacks can just as easily get into your system through a USB stick someone has brought in from outside. Again, this may even happen unintentionally.
Firewalls may also not be able to protect your co-op from data leakage, the unauthorized transmission of data out of your electric co-op. Normally, data leakage happens through the web or email, but it is also possible for data to leak through hardware.
State-sponsored organizations have been known to purposely sabotage equipment so that it leaks data from the organization. Often, this happens in such small amounts that even a firewall won’t detect something is wrong, because the device is supposed to send data as part of its normal operations. Imagine buying a brand-new switch, manufactured overseas, only to discover much later that it had been sending sensitive data about you the entire time. In this situation, even an advanced firewall may not be helpful.
Most data leakage, however, is done using malware specifically designed to slowly leak information out of your cooperative.
Regardless of how it is occurring, data leakage is a very real threat that must be addressed. Simply relying on a firewall to keep your data safe will not keep your electric cooperative safe from this specific kind of cyberattack.
Firewalls also don’t necessarily scan for vulnerabilities. Nor do they provide security information and event management, or SIEM. At its core, SIEM takes the information from each component of your cooperative’s security system and puts it in one place, analyzing events in real time. A firewall’s activity would be just one of the things a SIEM monitors.
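The slow-leak scenario above and the SIEM point together illustrate why aggregation matters. The following is an added example (not SkyHelm or TITAN code) that runs over constructed firewall connection logs: a per-flow check, the view a single firewall rule has, never fires on a 1 KB flow, while a SIEM-style correlation across days flags the same device talking persistently to a destination no policy approves. The host names and the address 203.0.113.9 are constructed sample values.

```python
from collections import defaultdict

def build_sample_log(days=5):
    """Constructed sample log (not real traffic): each day two devices reach the vendor
    update host, and switch-07 also sends a little over 1 KB to an unapproved address."""
    lines = []
    for day in range(1, days + 1):
        lines.append(f"day={day} src=switch-07 dst=updates.vendor.example bytes_out=2048 action=allow")
        lines.append(f"day={day} src=hmi-02 dst=updates.vendor.example bytes_out=2048 action=allow")
        lines.append(f"day={day} src=switch-07 dst=203.0.113.9 bytes_out={1000 + 20 * day} action=allow")
    return "\n".join(lines)

def parse_log(text):
    """Turn 'key=value' firewall lines into dicts with numeric day and byte counts."""
    events = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["day"] = int(fields["day"])
        fields["bytes_out"] = int(fields["bytes_out"])
        events.append(fields)
    return events

def per_connection_alerts(events, max_bytes=1_000_000):
    """What a firewall rule sees: one flow at a time. A ~1 KB flow never trips a 1 MB cap."""
    return [e for e in events if e["bytes_out"] > max_bytes]

def siem_findings(events, approved_destinations, min_days=3):
    """What a SIEM adds: aggregate the same firewall records across days and devices.
    Flag a (device, destination) pair that is not approved yet keeps recurring,
    no matter how small each individual transfer is."""
    totals = defaultdict(lambda: {"days": set(), "bytes": 0})
    for e in events:
        if e["dst"] in approved_destinations:
            continue
        key = (e["src"], e["dst"])
        totals[key]["days"].add(e["day"])
        totals[key]["bytes"] += e["bytes_out"]
    return {k: {"days": len(v["days"]), "bytes": v["bytes"]}
            for k, v in totals.items() if len(v["days"]) >= min_days}

if __name__ == "__main__":
    events = parse_log(build_sample_log())
    print("per-flow alerts:", per_connection_alerts(events))          # []
    print("SIEM findings:", siem_findings(events, {"updates.vendor.example"}))
```

Approving a destination is a deliberate policy decision; the correlation only surfaces what nobody has approved, so the approved list should itself be reviewed as part of the audits discussed later.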
To protect your electric co-op there are several additional steps you need to take to augment your firewall’s protection. These steps bolster your system’s overall security while filling in any gaps a firewall leaves.
The devices your employees use to work on a network all need to be protected. These especially include any devices your team members take home like laptops, tablets or phones because they are used outside the perimeter of the organization’s firewall. Since this is the case, endpoint devices are a common point of attack for hackers.
Most endpoint protection is software installed on the device, such as antivirus software, but it can go deeper than that and include hardware as well.
Setting good organization policy and educating employees about how to safely use endpoint devices, especially when using them remotely, is also an important part of endpoint protection.
Proactive threat hunting
In today’s cyber environment, it’s not enough to simply defend against attackers. A decade ago, hackers were often poorly skilled and could succeed because most organizations had poor security. Today, however, highly skilled cyber criminals are using sophisticated attacks against medium- to large-sized businesses that actually have decent security measures in place. That means that despite your best efforts, you probably already have some threats inside your system.
These attacks, once inside a system, are engineered not to trip any existing defenses.
That’s why proactive threat hunting is so important. This usually means a combination of different software suites and services that scan systems and identify potential threats. It also includes “honeypots,” which are essentially traps set for hackers that allow monitoring services to learn malicious behavior and respond to attacks accordingly.
Regular security audits and penetration testing
Regularly auditing your electric co-op’s overall security helps to find any gaps that may exist due to the ever-changing cyber landscape and ensure you are doing everything you can to keep your cooperative safe and operational. These audits are often a combination of a paper questionnaire and software-assisted assessments.
Penetration testing uses simulated attacks against an organization to assess your co-op’s vulnerabilities. Constant scanning goes a long way towards bolstering the overall security of a system because it closes gaps quickly, before attackers can discover them.
The ever-shifting, multi-layered nature of cybersecurity is precisely why my colleague Casey Davis and I created TITAN, our purpose-built cybersecurity suite for electric cooperatives.
TITAN uses what’s called a next-generation firewall. This type of firewall is proactive. Instead of merely stopping whatever malware is on its “no entry” or “no exit” list, a next-generation firewall studies the traffic going in or going out of a system and, in the case of malware, can isolate and neutralize the attack based on abnormal behavior.
TITAN is also a SIEM tool, which means it combines security information and event management. Each of TITAN’s different components works together to monitor systems and identify issues in real time. The vulnerability scanning is constant, too: once your entire co-op’s network and systems have been scanned, TITAN starts right from the beginning and does it again. All of these components work together to provide complete, multi-layer protection for your electric cooperative.
TITAN puts all that information onto a web-based dashboard, so even if your co-op doesn’t have a huge IT team you can still understand your security posture and network performance in real time. Behind that dashboard is our U.S.-based SOC team. They analyze the information and address any cyberattacks that occur, 24 hours a day, seven days a week.
It’s easy to become overwhelmed when it comes to cybersecurity, especially when one considers the sheer number of ways cyberattacks occur. A firewall can feel like a total solution. To some degree, it seems complete and straightforward.
Suppose you want to sleep at night knowing you’ve done everything possible – inside and out – to protect your electric co-op. In that case, you need to go beyond firewalls and invest in a comprehensive solution that can adapt to the changing threat landscape.
Contact SkyHelm today to learn more about how TITAN provides the protection electric co-ops need.