The public service infrastructure is in urgent need of modernization. In many parts of the world, the infrastructure providing electricity and water to consumers is not ready to withstand natural disasters and increasing energy demand. Integrating real-time data analytics into the decision-making process is one way to jump-start modernization efforts, but nearly one in five utilities aren’t using the tools they have due to data security and privacy concerns, according to Itron’s 2022 Resource Report. .
While there are security implications to consider, foregoing the deployment of data analytics tools is not a long-term solution for utilities. To meet customer demands while prioritizing security and privacy considerations, utility companies must pursue a holistic security program that encompasses both operational technology (OT) systems as well as those that store and process customer data.
Utilities face unique complexities
Cybersecurity is a priority across industries and borders, but several factors add to the complexity of the unique environment in which utilities operate. In addition to a constant barrage of attacks, as a regulated industry, utilities face several new compliance and reporting mandates, such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) . Other security considerations include OT aging, which can be difficult to update and protect, lack of control over third-party technologies and IoT devices such as smart home devices and solar panels, and finally, the greatest threat of all: human error.
These risk factors put additional pressure on utilities, as a successful attack can have deadly consequences. An example that comes to mind is the example of a hacker attempting to poison (luckily unsuccessfully) the water supply in Oldsmar, Florida.
Utilities have a lot to do before even adding data analytics into the mix. However, it is worth pointing out that consumers are significantly less concerned about the privacy of data collected by public services. According to Itron’s 2022 Resource Report, 81% of utility executives are extremely or very concerned about the privacy of customer data. On the other hand, less than half (42%) of consumers say they are extremely or very concerned about utilities having access to their energy and water usage data to personalize their customer experience. In fact, many consumers want more access to this advanced information, so they can reduce their energy consumption and save money.
The data indicates that consumer opinion is on the side of data analysis. To meet consumer demands, utilities can’t let broader OT security concerns slow the rollout of data analytics tools. What steps can utility companies take to alleviate these concerns and protect consumer privacy?
Three steps to protect data
Utilities can take three key steps to protect the massive amounts of data collected to make real-time data analytics a reality. With a holistic approach that covers both OT systems and those that store and process customer data, utility managers can feel more confident when modernizing technology.
Let’s dive deeper into these three steps.
1. Protect IT and OT from each other by building robust demilitarized zones (DMZs)
Demilitarized zones (DMZs) provide strong network segmentation and, for utilities, a barrier between IT and OT environments. This prevents a hacker from using more traditional hacking methods to break into a utility’s computer network and then gain a foothold in the operational side of things. In addition to separating IT and OT systems as much as possible, companies must also seek the greatest simplicity in their networks. The more complex a system, the more holes there are in the computer network. Malicious actors are experts at detecting and exploiting these flaws.
However, as with any strategy, nothing is foolproof. Therefore, utilities must have a safeguard in place to detect and contain an infiltration and reduce downtime in the event of a successful attack.
2. Address the human element
While advanced precautions for corporate systems and networks are essential, we must remember that the greatest cybersecurity risk will always be human error. Standard defenses (multi-factor authentication, role-based access controls, internal auditing processes, spam filters, Microsoft Office macro prevention, endpoint detection and response, data loss prevention solutions, etc.) greatly contribute to facilitating the work of employees. make the right decisions and harder for the bad actors to enter.
According to IBM’s annual Cost of a Breach report, “Ransomware and destructive attacks were responsible for more than a quarter of breaches in critical infrastructure sectors.” With this threat in mind, it is also wise to establish company-wide security awareness training to ensure a security-conscious culture. End users should be aware of all possible threats, including those present on home devices.
3. Layer additional defenses on the most valuable targeted assets
Start by establishing a zero-trust architecture, assuming that no internal or external user can be trusted. Then apply protocols to verify which devices, applications, and users can access networks and systems. When exposing services to the internet, take advantage of industry best practices by selecting proven technologies that have been independently tested and verified.
Once third-party penetration and vulnerability testing determines what is most likely to be targeted by hackers, utility companies can determine their most vulnerable and valuable targeted assets and add layers of protection extras, such as encryption or multi-factor authentication. Couple these precautions with robust operational best practices, including comprehensive monitoring and a strategic incident response plan.
Change is difficult, but inevitable (and beneficial)
The utility industry is facing several disruptions beyond cyberattacks and privacy issues, diverting executives’ attention in many different directions. This includes integrating renewable energy, adapting electric vehicles and preparing for extreme weather events, while dealing with the adverse effects of an aging infrastructure and network. However, it is important to point out that there is support for public services that focus on strengthening their cyber defenses. For example, the Infrastructure Investment and Jobs Act (IIJA) provided significant funding for cybersecurity efforts – a big win for US utilities.
Data analytics has proven to be a sticking point for utilities in their quest for modernization. However, once cybersecurity issues are addressed and utilities embrace the power of real-time data analytics, critical infrastructure will become more reliable and resilient. Ultimately, this will be what keeps the lights on and the water flowing.
