
Featured in Utility Fleet Professional: Cybersecurity Best Practices for Utility Fleets


August 5, 2024


This article was featured in Utility Fleet Professional by Gary L. Wollenhaupt


FLEET CYBERSECURITY SHOULD BE PART OF A UTILITY’S OVERALL IT SECURITY POLICIES AND PROCEDURES.


If you’re a utility fleet manager who isn’t thinking about cybersecurity, the question is, should you be?


Cyberattacks on utilities increased by more than 200% in 2023, according to a report from asset intelligence firm Armis. In May, the U.S. Environmental Protection Agency warned water utilities of a heightened risk of attack from foreign states.


Over the past few years, utilities have been disabled by breaches that have impaired service to customers and disrupted payments and other activities. Water providers and the electric grid have been favorite targets for bad actors who demand ransom or cause operational problems.


Ransomware is a common type of attack. The attackers don’t care about the utility’s operations. They simply shut off access to information technology systems and will only turn it back on in exchange for payment. Other attacks are bent on destruction for nefarious commercial and geopolitical purposes.


Attackers have found their way in through devices still using default passwords or employees providing their login information through a social engineering hack. Could fleet vehicles be a new route for cyberattacks?


With the addition of electric and connected vehicles to fleets, the number of attack vectors finding their way into utilities is multiplying, according to Sameer Tejani, a director at global strategy consulting firm Stax.


“Vehicles are collecting a lot of data related to utilities and infrastructure and also customer information, so there are many different points of exposure,” he said. “It represents a huge risk, but it’s an area where we don’t see a lot of focus because it is a smaller portion of the broader cybersecurity world.”


How can utility fleets defend against cyberattacks?

First, understand that fleet cybersecurity is a shared risk. Compare it to the world of cloud computing, where responsibilities are divided between security of the cloud and security in the cloud. A cloud provider like Amazon Web Services is responsible for its infrastructure. Users of the cloud are responsible for their applications and databases.


The same holds true in the fleet management world, with a growing number of telematics and other internet-connected services creating shared risks among providers and fleet operators. Each connected vehicle or asset is actually an endpoint on the internet.


“The distributed nature of fleets and the high number of stakeholders make it difficult to clearly define cybersecurity responsibilities,” said Ryan Cryar, a cybersecurity and resilience researcher at the National Renewable Energy Laboratory. “It is ultimately the responsibility of each organization to ensure that their portion of this distributed technology is secure and requires the purchasers to do due diligence in understanding the cyber maturity of the product.”


Fleet cybersecurity should be part of a utility’s overall IT security policies and procedures.


“Adoption and integration of fleet technology comes with cyber risk, so it is important to assess the technology, its capabilities, and understand where the boundaries need to be drawn such that it only has the required pathways for it to function,” Cryar said. “Given this complexity, it can be difficult to pinpoint where there are cybersecurity gaps or attack vectors if there is insufficient visibility into these systems.”


Some breaches have come through contractors and suppliers, so it’s critical to recognize those risks as part of overall security standards.


“Each organization needs to ensure that they have mature cyber practices, including assessing the cyber practices of their suppliers and partners,” Cryar said.

While managers come to grips with the risks of a connected fleet, cybersecurity best practices are essentially universal. Securing technology appears to be the easy part. The difficulties lie in ensuring people working with the equipment are well trained to recognize and prevent problems.


“The No. 1 threat from a cybersecurity standpoint is still the users who didn’t have to log in to a system to go to work before,” Tejani said. “The No. 1 priority for fleets is training and best practices around all elements of data security.”

7 Best Practices to Know About

Basic cybersecurity hygiene is the first line of defense against attacks, more so than exotic technology solutions. Here are seven best practices to know about.

1. User training.

The biggest vulnerability is users, both internal and third parties. Require documented training for employees and contractors.

2. Strong passwords.

Change default passwords on all devices and use strong passwords.

3. Prevent phishing attacks.

Training users will help them avoid providing unauthorized access through emails and phone calls.

4. Understand responsibilities.

Be clear on the utility’s security responsibilities versus those of providers.

5. Endpoint security.

Identify and mitigate vulnerabilities of vehicles and connected devices.

6. Backup and recovery systems.

Have systems for fast recovery in the event of an attack on critical systems, including fleet operations.

7. Operational resilience.

Develop a plan for the eventuality that an attack will succeed, including how your fleet and utility will respond.
