Utility industrial control systems: the top six utility ICS security weaknesses

A look at cybersecurity in the utilities industry and findings from a 2019 ABI Research paper looking into the cybersecurity risks in utility industrial control systems with data on smart infrastructure investments and the gap with cybersecurity initiatives.
By 2023, connected utility infrastructure will have essentially doubled in size, exposing utility companies to a myriad of cybersecurity risks (ABI Research)

It’s impossible to talk about Industry 4.0 or industrial transformation (IX, in analogy with DX which stands for digital transformation) these days. And so it should be – also and maybe even more so in the utilities industry. The Ukraine power grid attack cyber attack is still a powerful reminder of why – and it’s not the only one.

Even if we often talk about industrial control systems (ICS) when it concerns cybersecurity in industrial markets such as the utility industry most of the attacks so far have been happening in IT networks (although both are connected). Yet, it’s clear that cybersecurity is key for utilities and that security in industrial control systems matters – and increasingly will matter as digitalization is ongoing.

As the TÜV Rheinland Cybersecurity Trends 2019 report made clear industrial cybersecurity is years behind. We’ve previously covered some of the main challenges in industrial markets such as manufacturing and, so, in this article it’s time for the utility industry.

The 6 Biggest Cybersecurity Risks Facing the Utilities Industry - Undetected unauthorized activity in critical systems is the number 1 cybersecurity risk to utilities says ABI Research

Cybersecurity in utilities as infrastructure modernization is on the rise

Perhaps it’s worth noting that end 2018 IDC predicted that by 2020 managing the risk of operational technology/IT cyber attacks and data privacy compliance will cost utilities an average of 1% of annual turnover in 2020.

The trigger for this small article on utility ICS security weaknesses is a white paper on the topic by market-foresight advisory firm ABI Research. The paper doesn’t just cover the main utility industrial control system risks but also looks at investments and provides some advice. The main challenge for utilities, according to ABI Research: unauthorized activity in critical systems.

The utilities industry is rapidly modernizing its infrastructure, adding more digitized equipment and connectivity across devices, plants, and systems. This evolution to “smart infrastructure” represents a positive, paradigm shift for the industry. Unfortunately, the security policies of many utilities have not evolved along with it, leaving them incredibly vulnerable.

The utilities industry is going through transformation, driven by technological factors, increased competition, the ongoing need to optimize operational efficiencies, a growing focus on energy efficiency and clean energy, calls for innovative approaches, the shift towards distributed energy and changing customer expectations to name a few. Regulations are obviously never far away.

The industry is rapidly modernizing its infrastructure ABI Research says. The company projects that the utilities industry will spend $14 billion a year until 2023.

In the period 2018-2023 that means a total of $84 billion (note: the majority being hardware such as smart meters – it does not include spend on items related to upgraded control systems such as PLCs, DCCs or SCADA software).

“While investments in digital infrastructure will remain very high over the next several years, investments in securing that infrastructure will lag behind” ABI states.

Utility ICS security weaknesses

There is a growing gap between threats and spending as only 55% of the total security spend in the next 5 years will be on securing smart infrastructure (with total security spend including security spend in IT networks, systems, and data; countermeasures; ICS and policies & procedures).

The 6 biggest cybersecurity risks facing the utilities industry - the overlooked weaknesses in today’s modern, interconnected utility infrastructure - download the white paper
The 6 biggest cybersecurity risks facing the utilities industry – the overlooked weaknesses in today’s modern, interconnected utility infrastructure – ABI Research white paper

Along with the growth of connected utility infrastructure, exposure to cybersecurity risks increases. It’s the flip side of the ‘positive paradigm shift’ caused by more digitized equipment and connectivity across devices, plants and system (Industrial IoT) which enables that evolution to smart infrastructure.

Below are the six major – and most pressing as ABI Research adds – risks for the utility industry.

You might know them, but the white paper looks a bit deeper and provides some data on what the main utility industrial control systems risks are since that’s a dynamic given – the most prevalent ICS security weaknesses are expected to change by 2023 as compared to 2017. That changing ranking and the underlying dynamics are part of the paper.

  1. Boundary Protection (undetected unauthorized activity in critical systems).
  2. Physical Access Control (unauthorized physical access to, among others, maliciously modify, delete, or copy device programs and firmware).
  3. Allocation of Resources (personnel, knowledge).
  4. Least Functionality (increased vectors for malicious party access).
  5. Identification and Authentication (lack of accountability and traceability).
  6. Account Management (compromised unsecured password communications).

Most prevalent utility industrial control systems ics security weaknesses

As these threats continue to mount, it’s imperative for companies within the utility space to deploy secure IT/OT solutions ABI says. In the whitepaper you can find considerations and recommendations for shoring up IoT architecture and integrated security capabilities and read more on the mentioned findings with details on those top 6 weakness categories in utility industrial control systems.

You can download “The 6 Biggest Cybersecurity Risks Facing the Utilities Industry” here.