A new study published Friday finds that cyberattacks on the operational technology (OT) involved in running critical utilities are increasing and says these attacks have the potential to cause “severe” damage.
The report, compiled by the manufacturing company Siemens and the Ponemon Institute, is based on survey responses from 1,700 utility professionals worldwide and focuses on cyber risks to electric utilities with gas, solar, or wind assets, and water utilities.
“The survey results show that risk is worsening, with potential for severe financial, environmental and infrastructure damage,” Siemens and the Ponemon Institute wrote in the report, also noting further down that “the risk that cyber attacks pose to the OT environment is increasing in frequency and potency as malicious actors’ ability to accurately target critical infrastructure assets improves.”
The OT involved in utilities refers to machines, networks and systems that are involved in transmitting or distributing power, as opposed to the information technology involved, which refers to computers and mobile devices that enable business operations.
The report was released in conjunction with an event on the “state of OT security in the utilities industry” hosted by the Atlantic Council on Friday.
Former Homeland Security Secretary Michael Chertoff spoke at the event, sounding the alarm on what he described as a “real national security issue.”
“Power and energy is the core of almost everything we do. Nothing in our modern society can function without access to power, and it’s the utility industry that provides that to everybody, which is why this is an urgent matter of national concern,” Chertoff, who served under former President George W. Bush, said.
The majority of those surveyed, around 54 percent, reported that they expect a cyberattack on critical infrastructure within the next year, and 64 percent described cyberattacks as a “top challenge.”
“Where past attacks primarily targeted data theft, current and future attacks can hijack control systems and logic controllers that operate critical infrastructure with the intent to cause physical damage and outages,” Siemens and Ponemon wrote.
The cyberattacks have already taken their toll on utility groups, with 25 percent of those surveyed reporting being the subject of “mega attacks” potentially engineered by “nation-state” actors. These more advanced attacks make managing the security of the OT involved in utilities more difficult, with 64 percent of respondents citing concerns around the increasingly sophisticated attacks.
“Because many utilities manage infrastructure critical to daily life, nation-states and other malicious actors have an interest in developing cyber weapons that target utilities,” the groups wrote. “Individuals and criminal organizations may now also have the backing of nation-states, or state-aligned proxy groups, interested in damaging physical assets, and may use potent cyber warfare tools originally developed by nation-states.”
While the report did not mention any nation-states by name, the 2019 Worldwide Threat Assessment compiled by former Director of National Intelligence Daniel Coats found that both China and Russia have “the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure.”
Chertoff also pointed to China, Russia, North Korea, Iran and Venezuela as all having the capability of carrying out cyberattacks or “mischief” on the U.S.
The survey findings were released one week after the Government Accountability Office (GAO) found in a separate report that the Department of Energy (DOE) is not doing enough to protect the electric grid from cyberattacks, with the most vulnerable portion of the grid the industrial control systems that support operations.
GAO criticized DOE for not having developed plans to secure the electric grid against cyberattacks that would lead to a national strategy. Karen Evans, the assistant secretary of DOE’s Office of Cybersecurity, Energy Security, and Emergency Response, stated that she “concurs” with GAO’s recommendation on the creation of a federal cybersecurity strategy, and that DOE’s current cyber actions “meet the intent of GAO’s recommendation.”
Despite the negative findings of the report, Siemens and Ponemon described the threat to utilities posed by cyberattacks as “major but manageable.”
“Attackers and defenders will continue to innovate, and the systems used by utilities under normal operations will continue to advance,” the groups wrote. “A sophisticated business that uses digital technologies to operate more efficiently than competitors needs to protect those technologies from attacks.”