Puerto Rico’s power utility was recently hacked, a reminder that entities running critical infrastructure across the United States and globally are not prepared to defend against cyberattacks.
The customer-service system of the Puerto Rico Electric Power Authority (PREPA) wasn’t affected and customer data was not at risk. The cybercriminals responsible have yet to be identified.
The attack came just after President Trump blamed Russia for targeting the U.S. power grid.
So what makes critical-infrastructure organizations so vulnerable to cyberattacks? We asked Craig Hinkley, CEO of WhiteHat Security. His company’s research shows: on average, utility companies have 2.2 critical cybersecurity vulnerabilities per site; 64 percent of applications in the utility sector remain vulnerable on a daily basis; and 81 percent of hacking-related breaches in the United States leverage weak or stolen passwords.
“Most of us grew up in a world where we didn’t think about the fact that these critical infrastructures – power and utility grids, gas service lines – now in essence are online,” he said. “And the same way we read about companies being hacked and breached, I don’t think people have made the leap to that same hackable breach now occurring with the power utilities, gas utilities, etc., or the intelligent transport systems around the world.”
The age and long-term life cycle of critical infrastructure add to its vulnerability, Hinkley said.
“You could be being serviced by a power plant that was built 20-30 years ago, so the technology around that power plant was very basic, was very analog,” he said. “So now folks have tried to modernize and digitize them, so in essence they’re sticking internet network adapters … Internet of Things (IoT) converter boxes to help take these plants from analog to digital, to internet-native, and in doing so these systems weren’t built to be exposed to the internet and therefore a lot of what would be built into companies today, from controls and protection mechanisms, didn’t exist back then.”
For some time, U.S. security officials have been warning that the country’s energy and utility infrastructure is vulnerable to cyberattacks, and application security is now a mandatory requirement for critical infrastructure protection (CIP), Hinkley said.
“So part of what companies can do, if they have not, is they should have a standard security vulnerability assessment process in place that goes across their entire environment,” he said. “That should be providing continuous scanning and verification of security vulnerabilities. The companies need to be continuously looking for points of entry into the critical infrastructure because every time they do a release of a new application, a release of a new operating system or upgrade any of the infrastructure that then faces the internet, they need to be continuously scanning that environment to make sure no new security vulnerabilities were also introduced.”
Critical infrastructure presents a big opportunity for the channel, as one of the biggest challenges in the security market today is …