Utility companies manage sensitive customer data such as paying methods, addresses, and phone numbers. More utility companies are adopting smart technology, to manage operations and customer relations. For instance, most utility companies now accept credit card payments, which means they need to comply with the Payment Card Industry Data Security Standard (PCI-DSS).
Attacks on energy and water systems are on the rise. In March 2019, for example, hackers carried on an attack on U.S power utilities. Sometimes hackers attack to disrupt a system, for political reasons or to gain recognition. Utility companies can also experience data loss due to outage (intentional or accidental). Most of the time, the main motive behind an attack is financial gain. Cyber criminals steal sensitive data to sell it on the dark web.
This post provides an overview of the risks faced by utility companies and best practices to prevent data loss.
Why Utility Companies are Vulnerable to Data Breaches
The utility industry is becoming an easy target for attackers. 70% out of surveyed utility companies reported a security breach in the past 12 months, according to a study by Ponemon Institute. Utility companies have intrinsic characteristics that make them particularly vulnerable to data breaches. Below, you’ll find a review of some of the security risks utility companies face.
Most companies use Supervisory Control and Data Acquisition (SCADA) networks to control their processes. This type of control system uses graphical user interfaces for supervisory management. SCADA networks are common targets of malware, ransomware and viruses. Usually attackers target the infrastructure supporting the SCADA network.
An extensive employee network
Attackers need to know the targeted system. They usually use surveillance, probing, and reconnaissance to assess the target. Criminal groups often use social engineering and insider threats to gain the intel needed to access to the system.
Utility companies usually have thousands of workers in varied roles and capacities. Criminals trick employees with inside knowledge into aiding in an attack. This inside help can be intentional or unintentional. Privileged users are the most common targets for attackers since they often have legitimate access to sensitive data and critical systems. For example, an employee who has access to grid infrastructure.
A broad consumer base
Clients of utility companies can be subject to phishing scams. Criminals usually trick them to submit payment details. Attackers can also lure customers to click on malicious links and infect the utility network.
The most common threats for the industry are malware and phishing scams.
Mobile malware is one of the ways attackers can gain access to the device data. Attackers often target mobile devices in the utility companies’ customer base, using the devices as a foothold to enter the network. According to a study by consulting firm Wandera, 2% of a sample of 100,000 customer devices had malware downloaded.
In 2019, the same firm detected a malware called RedDrop, which infected the phones of high-level corporate employees of a utility company. These apps exfiltrated sensitive data from the phones, harvested as means to launching future attacks. This kind of attack can cause massive data loss and data breach incidents.
The biggest threat to utility companies is phishing. A research study shows that a new phishing site is created every 20 seconds. Most utility companies now have mobile apps to help customers carry daily operations. Attackers take advantage of the small size of the screens to hide malicious URLs, tricking users to click on it. As such, mobile users are more likely to fall for a phishing attack than desktop users.
Consequences of a Data Breach for Utility Companies
Attackers targeting utility companies can gain access to thousands of records with ease while disrupting services. These types of data breaches can produce damages at an estimate of $7.4 million per incident, according to the IBM Data Breach Calculator.
Utility firms, and especially energy firms are at risk of losing unstructured data, such as proprietary technology and exploration plans. That’s why it is critical to follow security practices and implement a data loss prevention strategy. The term Data Loss Prevention (DLP) refers to a set of processes and software that protects and prevents the misuse or loss of sensitive data.
Utility companies suffering a data breach also have to face hefty fines from regulatory bodies, such as GDPR or PCI-DSS. In addition, they have to face the cost of reparations and restoring of payment services. These companies usually have no local competitors so the risk of business loss is not as high as in other industries.
Best Practices to Prevent Data Loss
Utility companies should use a mix of policies, tools, and processes to protect their data. A multi-layered approach is a good practice to prevent attacks.
Install the right tools
Keeping the data secure requires the right mix of tools. Monitoring and threat detection tools, as well as traditional barrier measures, such as firewalls, can help you protect such distributed data. For instance, companies can prevent an attack via mobile devices using an Endpoint Management solution. When the company needs to protect unstructured data, a Data Loss Prevention software can help. DLPs monitor and detect the movement of sensitive data, even blocking the data movement when needed.
Strengthen internal policies
Utility companies should have detailed and regularly updated security policies. For example, the company should regulate the sharing of data between departments on a need-to-know basis.
Most companies use third-party technology providers to manage their network and systems.This can present its own risks since the third-party vendor could not follow the same security standards. It is a good practice to choose a third party vendor which adheres to the company’s security policies.
Comply with data protection regulations
Utility companies should adhere to data protection regulations. For example, the General Data Protection Regulations (GDPR) in Europe sets the guidelines to protect personal data. Energy and Water companies should also comply with ISO standards and regulations to protect credit card data. Doing so can also prevent the hefty fines that usually accompany a data breach.
Use role-based access control
Insider threats are one of the biggest risks utility companies face. Companies should keep permissions under the least-privilege rule, ensuring the employee has access only to the minimum data needed to perform its job. Role-based access controls prevent unauthorized users to access sensitive data. These practices can prevent malicious users from moving laterally in the system.
The cost of a data breach for a utility company goes beyond the actual dollars spent on recovery or the fines they can get. It can involve the loss of thousands of customer’s data or proprietary information. Energy and utility companies can minimize the potential of a data breach by strengthening their security posture and using the right tools.