
Thu, Oct 19

Cybersecurity Threats Against Legacy Systems

The utility industry is bedeviled by a problem of legacy systems: old but still functional technology that is expensive and disruptive to replace. The same is true of its legacy computing systems. An aging grid network is a problem in itself, but outdated software could be a far worse liability if it allows malicious actors to target vital power systems.

Industrial Control Systems (ICS), often called Operational Technology (OT), are used in almost all infrastructures that handle physical processes. Applications include energy production and distribution, gas and water supply, and facility management, among others.

Some of the key cybersecurity risks associated with these systems include:

  • Legacy systems: many ICS and OT components are built on older technology that lacks modern security features. Upgrading these systems is expensive and time-consuming, and the gap can leave vulnerabilities in place.
  • Outdated permissioning and access provision: weak, coarse-grained segmentation between networks can let attackers in and allow them to hijack control systems.
  • Inadequate security policies and practices: many organizations do not have comprehensive security policies and practices specifically designed for their ICS and OT environments. This can result in insufficient protection, monitoring, and incident response capabilities.
  • Training and awareness issues: the workforce in OT environments may not be aware of cybersecurity best practices, making them more susceptible to social engineering attacks or unintentional insider threats.
  • Supply chain risks: many components are sourced from third-party vendors, which introduces supply chain risk. If a vendor's security is compromised, it could impact the end user's ICS and OT environment.
  • Remote access vulnerabilities: the increasing need for remote access and monitoring of ICT has introduced new attack vectors. If remote access is not carefully controlled, it becomes a vulnerability.

Attackers are constantly probing for vulnerable areas they can exploit. One example is malware on USB thumb drives. Users might assume that an "air-gapped" computer, one not connected to the internet, is safe, but it can still be compromised by inserting an infected USB stick into it.

Human error is, of course, a major problem for legacy security teams. It is easy for people to make a mistake or click on a bad link; in particular, old systems often carry makeshift "workarounds" that someone devised to keep an aging system functioning, bypassing the relevant security checks.

IoT devices and botnets are also an increasing challenge. Having many increasingly connected devices is very useful for all sorts of purposes within the utilities sector: why send someone to inspect miles of overhead lines when a sensor could tell you exactly what and where the problem is? The downside, however, is that these devices add complexity and vulnerabilities.


Protect Your Organization Against Legacy Security Threats

  • Ensure your systems have a small attack surface by using Role-Based Access Control (RBAC)
  • Use Zero Trust policies to address accidentally-insecure legacy systems, as well as IoT sensors and controllers
  • Isolate critical infrastructure from ICT devices, production networks, office automation, and general workforce by using segmentation strategies
  • Implement two-factor authentication, including biometrics (e.g. fingerprint, voice, facial recognition, etc.), and establish role-based Identity and Access Management (IAM) for all employees, as well as privileged identity management (PIM) for administrators
  • Utilize Security Information and Event Management (SIEM) with centralized visibility and analytics for OT security events, enabling organizations to detect, prioritize, and respond to potential threats more effectively
  • Restrict access to "legacy management ports" (e.g. serial ports) and log every use of them
  • Invest in SCADA/ICS, OT, and IoT-specific security expertise
  • Ensure your systems comply with the latest cybersecurity policies and standards issued by government bodies, law enforcement, etc.
  • Implement critical network security controls, increasing the centralization of device management and decision making; encrypting data and traffic to reduce vectors for attacks
  • Use passive monitoring and controls within the OT environment for critical infrastructure
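As an added illustration of the segmentation, legacy-port logging and passive-monitoring points above (example code written for this page, not from the article or any vendor): a small Python detector reads firewall log lines and flags any host outside an assumed allowlist that reaches an OT protocol or legacy management port, whether or not the firewall permitted it. The OT address range, the jump-host allowlist, the log format and the log lines are all constructed assumptions.

```python
import ipaddress
import re

# Hypothetical segmentation policy (assumed for this example): only one
# engineering jump host may reach management services inside the OT range.
OT_NETWORK = ipaddress.ip_network("10.20.0.0/16")           # constructed OT range
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.10/32")]   # constructed jump host
# Default ports of common ICS protocols and legacy management services.
OT_MGMT_PORTS = {502: "modbus", 20000: "dnp3", 4000: "serial-over-ip", 23: "telnet"}

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")

def parse_line(line):
    """Extract src, dst, dport and action from one (assumed) firewall log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]), "action": m["action"]}

def is_violation(ev):
    """True when a non-allowlisted host touches an OT management port, even if the
    firewall denied it: denied attempts are still evidence of cross-segment probing."""
    if ev["dst"] not in OT_NETWORK or ev["dport"] not in OT_MGMT_PORTS:
        return False
    return not any(ev["src"] in net for net in ALLOWED_SOURCES)

def find_violations(lines):
    """Return (src, dst, service, action) for every violating log line; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev and is_violation(ev):
            alerts.append((str(ev["src"]), str(ev["dst"]), OT_MGMT_PORTS[ev["dport"]], ev["action"]))
    return alerts

SAMPLE_LOGS = [  # constructed log lines, not real traffic
    "2023-10-19T08:01:02 fw1 src=10.10.5.10 dst=10.20.1.15 dport=502 action=allow",
    "2023-10-19T08:02:10 fw1 src=10.30.7.42 dst=10.20.1.15 dport=502 action=allow",
    "2023-10-19T08:02:11 fw1 src=10.30.7.42 dst=10.20.1.15 dport=23 action=deny",
    "2023-10-19T08:03:00 fw1 src=10.30.7.42 dst=10.10.9.8 dport=445 action=allow",
    "2023-10-19T08:04:30 fw1 src=192.0.2.77 dst=10.20.1.20 dport=4000 action=allow",
    "2023-10-19T08:05:00 fw1 heartbeat ok",
]

if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOGS):
        print("ALERT cross-segment OT management access:", alert)
```

The second sample line is the one that matters most: an office host reaching Modbus with an "allow" verdict means the segmentation policy itself has a gap, not just that someone probed it.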

Legacy software, hardware and processes will, unfortunately, be with us for some time, as they are deeply embedded within power systems that cannot simply be replaced. This is an additional task for ICT and cybersecurity teams to deal with; however, it is "better to be safe than sorry", and addressing these vulnerabilities will make utilities safer from attack in the long run.