A Wall Street Journal article discusses a new set of attacks on electrical distribution providers. These attacks have targeted providers too small to be NERC regulated but may serve a critical infrastructure such as dams or military bases. All but one of the entities that were named in the article says the phishing e-mails were blocked by malicious content filters and were never an issue for them. However, one facility chose not to comment.
The point is hackers aren’t necessarily biased based upon organizational size. They don’t always target large utility infrastructures. Cybercriminals often target smaller, sometimes less protected utilities supporting critical infrastructure. If they can attack one of these facilities and shut down the power, it could result in catastrophic events and loss of life.
Unfortunately, some entities can believe they’re too small to be hacked. The truth is, state-sponsored hackers don’t care how big you are. They care about the damage they can cause.
What can be done to protect these small non-NERC registered entities? Below is a list of six cybersecurity best practices that can be put in place to stop many potential attacks.
1. Physically secure important systems.
You can never be cyber secure unless you are physically secure. Make sure that servers and control systems are behind locked, monitored doors. Also, make sure the people in the building belong there and visitors are not allowed to roam around by themselves.
2. Complete a risk assessment.
Perform a risk assessment of the facility, employees and vendors. This will help you to understand those risks that could negatively impact your organization. Once you know and understand the risks you face, you can then determine ways to avoid or mitigate them.
3. Separate the IT network from the OT network.
It should not be possible for anyone on the control network to receive e-mails or access the internet. No control network or SCADA system should ever be connected to the Internet.
4. Educate employees.
Train your employees on how to recognize a Phishing or otherwise suspicious e-mail. Teach them to not even open an e-mail they think may be malicious.
5. Utilize outside resources.
Have an outside contractor perform cyber vulnerability assessments or penetration tests on both your IT and OT networks. These will highlight systems that may need to be updated or protected in different ways. An outside contractor is recommended. Your internal IT people likely know where all the problems are and will avoid them to potentially look better. Think of it as grading your own final exam for a class, most people will end up with an A.
6. Keep Microsoft Windows updated.
Load Microsoft Windows updates as soon as possible when they are released. Many attacks that have happened in the past could have been avoided if people had loaded patches that were released months or years before the attack happened.
These steps will not stop all attacks, such as an attack by a “trusted” employee, but they will reduce the risks. It’s better to be proactive than reactive.