The U.S. energy infrastructure is aging: Seventy percent of the power transformers are more than 25 years old, and power plants, on average, are more than 30 years old. Yet threats -- specifically, cyberthreats -- are evolving faster than the grid can keep up.
The power grid was developed before cybersecurity was a concern. In the 1980s and 1990s, the primary risk factor was physical security threats. Although physical attacks continue to be a serious threat today, cyberattacks pose an even greater threat. In fact, with today's evolving cyberthreat landscape, where viruses, malware and botnets affect consumers (and consumer products), all U.S. grid organizations need to focus on safeguarding the nation's critical infrastructure.
"Energy and utilities systems are increasingly Web-connected. From consumer portals that track online billing to core infrastructure and management tools, the industry is burgeoning," said Robert Jennings, manager critical infrastructure protection and cyber security, Verizon RISK Team. "As the U.S. grid modernizes, so too must the security programs needed to protect the grid."
Currently, the industry is adopting IP networking, computing and other technologies that enable two-way communications from devices such as smart meters, smart routers and smart consumer devices. As a result, the U.S. grid is becoming the smart grid of tomorrow. The more these new technologies drive efficient use of the grid, the more they will be adopted in everyday operations. Utilities will therefore need to focus on risk mitigation to thwart potential cyberattacks capable of creating a devastating series of cascading events.
According to Verizon's "2014 Data Breach Investigations Report," 83 percent of attacks facing the energy and utility sector were Web-app attacks, crimeware and denial of service.
Here are some recommended steps to protect the infrastructure:
Use two-factor authentication. Look at soft tokens and biometrics.
Consider switching to a static CMS. Instead of executing code to generate the content for every request, pre-generate pages to reduce the opportunity for exploits.
Enforce lockout policies. Locking accounts after repeated failed login attempts will help to thwart brute-force attacks.
Patch anti-virus and browsers. This could block many attacks, and can be configured automatically as part of a managed-device solution.
Segregate key assets. Keep your most important systems on a separate network circuit so they won't be compromised by an attack targeting other servers.
To learn more, visit http://www.verizonenterprise.com/industry/utility/