What safeguards are in place to protect critical infrastructure from cyberattacks?

Updated: May. 17, 2021 at 12:36 PM EDT
Email This Link
Share on Pinterest
Share on LinkedIn

WILMINGTON, N.C. (WECT) - The recent cyberattack on the Colonial Pipeline has shown just how quickly things many people take for granted, like being able to drive to the gas station at any time and fuel up, can disappear.

While the attack only targeted one company, there are all sorts of critical infrastructure that could suffer from similar attacks, including water and other energy corporations.

So how can these attacks be prevented in the future, and what are companies doing to stay up to date with the latest groups determined to hurt our critical infrastructure?

In New Hanover County, the Cape Fear Public Utility Authority is the main water provider for the county as well as some of the municipalities, so it takes security seriously.

“Over the last several years, CFPUA has strengthened our cybersecurity posture by working extensively with federal and water sector partners, including the U.S. Department of Homeland Security, the FBI, and other agencies. We’ve also incorporated standards and other guidance published by water industry associations,” CFPUA Director of Communications Vaughn Hagerty said.

There are all sorts of attacks that can target infrastructure, for example, the Colonial Pipeline attack was a ransomware attack that requires a sum of money to be paid to the malicious group, or risk losing control of sensitive information. Other attacks simply go after customer information, and some can even be people hacking for the thrill of it.

“Cyberattacks have long been recognized as a threat to the water sector, and it’s something we think about every day. We have experienced attempts at phishing, ransomware, and theft of credentials in efforts to gain access to our system. Typically, the threats can be classified in three groups: mischief-makers, criminal gangs, and foreign state actors,” Hagerty said.

It’s also not unheard of in Southeastern N.C.

Just up the road in Jacksonville, a ransomware attack targeted the water utility ONWASA and ended up costing the county hundreds of thousands of dollars to fix. The attack happened in the wake of Hurricane Florence and took months for the utility provider to get back to normal.

Security & Emergency Manager Eric Hatcher for CFPUA said the utility provider has been working for years to stay up to date on the latest threats and provided some insight into how the authority would deal with a problem. The good news is that even if there is a cyber-attack, utilities like CFPUA do have the ability to maintain operations through manual systems.

“A lot of folks overlook that; they get so reliant on technology and say ‘look at this, we can push a button and open this valve’ And then over time you forget how to do that,so we actually developed plans for all of our critical infrastructure, from pump stations to water plants, drinking water plants, well sites — those things can all be run manually,” Hatcher said.

While CFPUA has made the improvements needed to its infrastructure, Mike McGill, President of Water PIO. says that isn’t the case for all utilities.

“Most utilities across the country don’t have the funding or the staff to adequately meet the challenges that are ahead and that is a frustration in our industry right now,” he said.

Staff and money — those are the two things McGill says need to be improved if utilities want to be ready for the advances in technology and ever-evolving threats.

So, what types of infrastructure improvements can be made?

“What we see nowadays is too many utilities have patchwork systems where there are several vulnerabilities that need to be addressed; fortunately, here you had CFPUA that addressed that issue,” McGill said.

The improvement to infrastructure is one of the biggest things utilities can do to better protect themselves against any sort of threat, but these improvements cost money and ratepayers are typically not happy about rate increases.

“There’s a wide variety of ways that utilities can be attacked if we’re not careful, if we don’t address these issues, if we don’t stop bandaging our infrastructure, and start replacing it — repairing it like we should,” McGill said.

When it comes to critical infrastructure, power is one of the most indispensable. It powers everything from lights in your home to life support systems at hospitals, which is why Duke Energy takes protecting the grid seriously.

“As an electric utility and critical infrastructure we are a target and that is something that we are aware of and plan for every day,” Jeff Brooks, Duke Energy spokesman said. “And we have multiple layers of security in place, both physical and cyber, to protect the infrastructure of the electric grid.”

As time moves on, technology and other improvements are made in all aspects of life. For Duke Energy customers, you might have already had a ‘smart meter’ installed on your home. This device allows for remote communications and more advanced features — it also provides a new possible threat.

“As we’ve made our grid more intelligent, as we add more smart technologies, we have to also add the protections to keep those — both communications pathways and control pathways. All of the information that flows back and forth across the grid — we have to make sure that’s secure as well,” Brooks said.

For all critical infrastructure, working with the government, including departments like the FBI or Homeland Security, is a crucial component to keeping utilities safe. Information sharing was something everyone mentioned as a best practice because as technology continues to progress, attacks will also come in new forms so learning from others who have experienced these sorts of attacks can help prepare others.

Copyright 2021 WECT. All rights reserved.