Delta Airlines recently experienced what it called a power outage in its home base of Atlanta that crashed the company’s systems and grounded all Delta planes globally for six hours, stranding passengers for even longer (in some cases, days) as Delta scrambled to reshuffle planes and crew after the Monday debacle.
Where Delta blamed its catastrophic failure vaguely on a loss of power, Georgia Power, their power provider, placed the ball squarely in Delta’s court, saying that “other Georgia Power customers were not affected”, and that they had staff on site to assist Delta.
Whether it was a true power outage, or an outage unique to Delta, it wreaked significant havoc. This incident begs the question – what would happen if the power went out on a large-scale?
The United States suffers more blackouts than any other developed country in the world, thanks to aged power grids and infrastructure. Even more disturbing than an inconvenient power outage that would ultimately be resolved is the threat of a power outage caused by a cybersecurity attack.
Aging Grid, Unsecure Network, Lax Security
“Although a lack of employee education is a main issue with threats to this sector, CNN revealed that many industrial systems in the U.S. are still operating on outdated technology – some of which dates back to the 1970s. In this way, the systems simply aren’t sophisticated enough to stand up to today’s hacking techniques. Overall, better protection boils down to the need for updated technology and staff training. As the energy sector and other critical utility providers upgrade their systems, they must ensure that employees have the knowledge and ability to respond to threats and mitigate the damage of cybercriminal activities.”
Tech Insider recently published a video on YouTube that reveals just how easy it is to hack into the US power grid.
“A power company in the Midwest hired a group of white hat hackers known as RedTeam Security to test its defenses. We followed them around for 3 days, as they attempted to break into buildings and hack into its network, with the goal of gaining full access. And it was all much easier than you might think. Based on our experiences, it would seem that power companies need to step up their game in the fight against cyber attackers or it could be ‘lights out.’”
It’s terrifying to think that hackers could gain control of the nation’s most basic services like electricity and water. Unfortunately, the threat is real as attacks on physical infrastructure as well as computer networks have increased within the utility sector, and will most likely continue to rise. Ponemon Institute and Unisys’ recent report shows that there is a considerable protection gap in this sector.
“The report, which included nearly 600 respondents operating in the utility, oil and gas, energy and manufacturing industries in 13 countries, shows that the vast majority have already dealt with an attack. Overall, 67% of participants said that within the past year, they’ve had “at least one security compromise that led to the loss of confidential information or disruption to operations. Furthermore, although the report revealed that more than half – 64% – of organizations want to work toward attack prevention or anticipation, only 28% noted that security is within the firm’s top five priorities.”
Valuable Customer Data a Prime Target
A utility’s infrastructure isn’t the only target for hackers. Utilities have upgraded technologies such as meters, thermostats, and even payment methods that increase convenience, efficiency, and customer satisfaction. But thanks to smart technology and faster ways to pay, utilities are now gathering more customer data than ever before, making their internal systems and networks a prime target.
According to the Identity Theft Resource Center (ITRC), as of August 17th, there were 601 data breaches with over 21 million records exposed. And a whopping 27% of the records exposed were in the government/military sector – second only to healthcare at 59%.
The North American Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) standards now have multiple requirements around cyber security, with more on the way. Beyond that, any utility that accepts credit cards from its customers must comply with the Payment Card Industry Data Security Standard (PCI DSS) for protecting customer credit card data and other personal information.
Experts within the utility space have offered up industry-best cybersecurity practices, with adhering to PCI DSS industry standards at the top of their list. The best practice to ensure protection from malware while operating within the PCI DSS standards for utilities, or any company accepting credit card payments, is PCI-validated Point-to-Point Encryption (P2PE). PCI-validated P2PE prevents clear-text card data from entering the POS – where it could be accessible to hackers in the event of a data breach – while reducing PCI scope.
Bluefin partner Accela will host their annual Engage conference next week in Los Angeles, which brings together over 1,000 government organizations, utilities, companies and business partners for a week of training and education on topics such as cybersecurity. Bluefin is pleased to be presenting on the benefits of a holistic payments security approach for utilities utilizing EMV, tokenization and P2PE – a simple step that utilities can take to protect their customer’s valuable data.