The rise of ransomware and other malicious cyberattacks over the past decade has made it critical for every business to expand its cyber program into better, layered defenses. According to a 2024 cyber threat report by SonicWall, ransomware attacks saw a 105% increase worldwide in 2023, and there is no sign of slowing down. As attack vectors keep growing in complexity and number, utilities' defenses must do the same.
Ransomware attacks on utilities have increased by 50% in the last two years, according to NextGov.com. Bad actors recognize that energy is a core product and that, without it, people's lives are severely disrupted. As critical infrastructure with a target on their backs, utilities know every network, application and device must be configured with cybersecurity in mind.
In today's tech-savvy workplace, the challenge lies in balancing new capabilities that improve productivity (for example, data sharing, interconnected systems and cloud computing) with mitigating the risks those activities introduce. To meet the modern demand, many organizations, including Unitil Corp., have adopted a defense-in-depth security program. Defense-in-depth security combines technology components with best-practice security management to create protective layers that reduce the risk of attacks and intrusions. A great deal of detail and effort goes into a strong defense-in-depth strategy, but these efforts can be distilled into four main components: technology, people, monitoring and response, and program management for continuous improvement.
Technology Backbone
Strong technology is the backbone of a solid defense-in-depth strategy. Cybersecurity software and systems are built around protecting a utility's critical assets: financial systems, operational systems, proprietary assets and confidential data, among others. A defense-in-depth strategy layers those protections on top of one another. Think of it like locking every door inside your house: even if intruders get in, they are stuck in the mudroom without a key to any other room.
The layered protections safeguarding an organization’s critical assets can be broken down into five categories:
1. Perimeter protections
2. Network protections
3. Endpoint protections
4. Application protections
5. Data protections
A great deal of thought and detail goes into each of these layers, and organizations should ensure they are putting ample consideration into bolstering defenses and mitigating risk in every category.
The goal is to prevent an attack from happening, but if malicious activity does slip through a utility's defenses, layered protections and network segmentation confine the impact to the smallest possible segment, so a compromised host cannot freely reach the rest of the environment. As the core of any cybersecurity program, strong technology is a necessary investment.
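The segmentation point is easiest to see as a policy check. The following is an added example, not code from the original article or from Unitil: it models trust zones, an allow-list of inter-zone flows and an address-to-zone map (all constructed for the illustration), checks a handful of observed connections against that policy, and then goes one step beyond the text by computing how far an intruder who lands in one zone can travel by following permitted flows, which is the question the locked-doors analogy is really asking. A real deployment would load the policy from the firewall configuration and the flows from firewall or NetFlow logs.

```python
"""Zone-based segmentation policy check and blast-radius estimate.

Added illustration, not code from the original article or from Unitil.
Zone names, addresses, ports and the observed flows are constructed
for the example.
"""
from collections import deque

# Hypothetical zones, ordered roughly from least to most trusted.
ZONES = ("internet", "dmz", "corporate", "ot")

# Allowed inter-zone flows: (source zone, destination zone) -> permitted
# destination ports. Anything not listed here is denied by default.
BASELINE_POLICY = {
    ("internet", "dmz"): {443},        # public web front end
    ("dmz", "corporate"): {5432},      # web tier to database
    ("corporate", "dmz"): {443},
    ("corporate", "internet"): {80, 443},
    ("corporate", "ot"): {3389},       # RDP to an OT jump host
}

# Constructed address-to-zone mapping.
HOST_ZONE = {
    "203.0.113.7": "internet",
    "10.10.0.5": "dmz",
    "10.20.0.12": "corporate",
    "10.20.0.40": "corporate",
    "10.30.0.9": "ot",
}


def zone_of(ip: str) -> str:
    """Zone of an address; anything unknown is treated as the internet."""
    return HOST_ZONE.get(ip, "internet")


def flow_allowed(policy, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """True if the flow is permitted. Flows inside one zone are assumed
    allowed (host firewalls are not modelled); inter-zone flows must
    match the policy exactly."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    return dst_port in policy.get((src, dst), set())


def violations(policy, flows):
    """Subset of observed (src, dst, port) flows that the policy forbids."""
    return [f for f in flows if not flow_allowed(policy, *f)]


def reachable_zones(policy, start: str) -> set:
    """Zones an attacker controlling a host in `start` can reach by
    following permitted flows transitively: the segmentation blast radius."""
    seen, queue = {start}, deque([start])
    while queue:
        here = queue.popleft()
        for (src, dst) in policy:
            if src == here and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


# Constructed sample of observed connections: (source, destination, port).
OBSERVED_FLOWS = [
    ("203.0.113.7", "10.10.0.5", 443),    # internet -> dmz web: allowed
    ("203.0.113.7", "10.20.0.12", 443),   # internet -> corporate: denied
    ("10.10.0.5", "10.30.0.9", 502),      # dmz -> ot (Modbus): denied
    ("10.20.0.12", "10.30.0.9", 3389),    # corporate -> ot jump host: allowed
    ("10.20.0.12", "10.20.0.40", 445),    # inside corporate: allowed
]

# A tightened policy: drop the corporate -> ot rule, so a foothold in the
# DMZ or corporate zone no longer has a permitted path into OT.
TIGHTENED_POLICY = {k: v for k, v in BASELINE_POLICY.items()
                    if k != ("corporate", "ot")}

if __name__ == "__main__":
    for flow in violations(BASELINE_POLICY, OBSERVED_FLOWS):
        print("policy violation:", flow)
    for name, pol in (("baseline", BASELINE_POLICY), ("tightened", TIGHTENED_POLICY)):
        print(f"{name}: a compromised DMZ host can reach",
              sorted(reachable_zones(pol, "dmz")))
```

Under the baseline policy a single DMZ compromise has a permitted path all the way into OT (dmz to corporate on 5432, then corporate to OT on 3389); removing one rule shrinks that blast radius to the DMZ, corporate and internet zones. Running the same two functions against the live rule base after every firewall change is a cheap way to keep the "mudroom" actually locked.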
The Human Aspect
Humans are, and perhaps always will be, the easiest attack vector for cybercriminals. In fact, human error is the main cause of 95% of security breaches. But there is hope for the future: although employees have often seen cybersecurity as a hindrance to their productivity, that mindset is shifting as cyberattacks make more headlines. With increased efforts to combat cyber threats, a wider range of employees has developed a better understanding of the fundamentals of cybersecurity. Where some would have resisted such efforts five years ago, more employees now recognize they play a role in the success of their company's cybersecurity program.
Organizations need to foster cultures where cybersecurity is at the forefront of daily operations. That means cultivating employee cyber knowledge and then testing that knowledge with drills. Beneficial strategies include cybersecurity awareness training, simulated phishes, and additional training and resources for high-risk employees.
For example, Unitil has implemented a rigorous training program that regularly tests the ability of its employees to spot potential cybercrimes like phishing, which has become one of the most popular forms of attack. Phishing typically involves emails or text messages that carry a malicious link or attachment, or that lure the recipient into entering credentials on a fake login page. Employees tricked into sharing credentials can give an attacker a way into the utility's systems. Therefore, as part of its monthly exercises, the utility uses mock phishing attempts to try to catch an unsuspecting employee off guard, with the overall goal of ensuring everyone knows what to look for to prevent an attack.
For high-risk employees, it is important to focus on education rather than punishment. Sometimes, however, intervention and restricted access are needed to alleviate risk.
Additionally, a strong cybersecurity culture needs executive buy-in from the top down to solidify security as core to the business and encourage participation in preventing and reporting attacks.
Monitoring And Response
Cybercriminals do not sleep, so businesses must be able to monitor their systems 24/7 to identify vulnerabilities, emerging attack vectors and areas for improvement.
Security operations centers (SOCs) provide constant threat monitoring for organizations. Whether external or in-house, SOCs ingest everything from firewall data to endpoint data, combining analytics and threat intelligence to identify suspicious activity quickly and to act on it. If the SOC sees malicious activity that has slipped through the layers of defense and started to proliferate, it can react and isolate the threat. SOCs also can produce vulnerability assessments and risk scores that give organizations situational awareness of their threat landscape.
If all else fails, utilities should be prepared to respond, contain the damage and restore systems quickly and in an organized fashion. Unitil has a Cyber Incident Response Plan that it reviews and drills every year with external assistance, its cyber insurance vendor and other internal stakeholders to ensure readiness. It is important to have additional resources available that can be called on to expand the response in the event of a cyber incident. The utility has even participated in drills with the National Guard and other utilities, which have additional trained cyber experts who can assist if needed.
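What "ingesting firewall data and combining it with threat intelligence" looks like at the smallest scale: the following is an added example, not code from the original article or from any SOC vendor. It parses constructed firewall log lines, matches destinations against a constructed indicator list, and flags a host that touches many internal peers on SMB (port 445) within a minute, the kind of proliferation the text describes, attaching a containment action to each alert. The log format, addresses, indicator list and thresholds are assumptions for the example; a real SOC would read these events from its SIEM and maintain indicators from its threat-intelligence feeds.

```python
"""Detection logic over firewall log lines: threat-intel matching plus a
lateral-movement (proliferation) heuristic.

Added illustration, not code from the original article or from any SOC
vendor. Log format, addresses, indicators and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO-8601 timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed threat-intelligence indicators (documentation-range addresses).
INDICATORS = {"198.51.100.23", "203.0.113.99"}


def parse_line(line):
    """Parse one log line into a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip, never crash the pipeline on bad input
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["dport"] = int(e["dport"])
    return e


def is_internal(ip):
    """Internal address test; this example only models 10.0.0.0/8."""
    return ip.startswith("10.")


def threat_intel_hits(events, indicators=INDICATORS):
    """Events whose source or destination matches a known-bad indicator."""
    return [e for e in events if e["dst"] in indicators or e["src"] in indicators]


def lateral_movement(events, port=445, threshold=5, window=timedelta(seconds=60)):
    """Flag sources that reached `threshold` or more distinct internal hosts
    on `port` within any `window`. Denied connections count too: a scan the
    firewall blocked still reveals the attacker's intent."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == port and is_internal(e["src"]) and is_internal(e["dst"]):
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, newest in enumerate(evs):
            while newest["ts"] - evs[start]["ts"] > window:  # slide the window
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                flagged.setdefault(src, set()).update(targets)
    return flagged


def triage(lines, indicators=INDICATORS):
    """Run both detections over raw lines and return actionable alerts."""
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    for e in threat_intel_hits(events, indicators):
        alerts.append({"type": "threat_intel_match", "host": e["src"],
                       "indicator": e["dst"],
                       "action": "block indicator at perimeter; investigate host"})
    for src, targets in lateral_movement(events).items():
        alerts.append({"type": "lateral_movement", "host": src,
                       "targets": sorted(targets),
                       "action": "isolate host from network"})
    return alerts


# Constructed sample log: one workstation beacons to a listed indicator and
# then sweeps six neighbours on SMB within 11 seconds; another host makes
# ordinary file-server connections; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-02T03:14:01Z action=allow src=10.20.0.40 dst=10.20.0.50 dport=445 proto=tcp
2024-05-02T03:14:07Z action=allow src=10.20.0.12 dst=198.51.100.23 dport=443 proto=tcp
2024-05-02T03:14:09Z action=allow src=10.20.0.12 dst=10.20.0.41 dport=445 proto=tcp
2024-05-02T03:14:11Z action=allow src=10.20.0.12 dst=10.20.0.42 dport=445 proto=tcp
2024-05-02T03:14:12Z action=allow src=10.20.0.12 dst=10.20.0.43 dport=445 proto=tcp
2024-05-02T03:14:15Z action=deny src=10.20.0.12 dst=10.20.0.44 dport=445 proto=tcp
2024-05-02T03:14:18Z action=allow src=10.20.0.12 dst=10.20.0.45 dport=445 proto=tcp
2024-05-02T03:14:20Z action=allow src=10.20.0.12 dst=10.20.0.46 dport=445 proto=tcp
2024-05-02T03:20:00Z action=allow src=10.20.0.40 dst=10.20.0.50 dport=445 proto=tcp
this line is not a firewall event
""".splitlines()

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Two alerts come out of the sample: a threat-intel match on 10.20.0.12 and a lateral-movement alert naming the six hosts it swept, each with the containment step an analyst would take. The threshold and window are the knobs that trade false positives (a backup server legitimately touching many hosts) against detection speed, and in practice they are tuned per network segment and per known-good source.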
New threats will always be lurking within or on the perimeter of a utility’s systems, so constant monitoring, threat intelligence gathering and response activities are a necessary part of daily operations.
Continuous Improvement
A good cybersecurity program is built on a foundation of continuous improvement — and that perpetual fine-tuning needs to be self-aware, strategic and built into the organization in order to be worthwhile. By constantly evaluating every aspect of processes and policies, organizations can identify opportunities for refinement and ensure they are doing what they set out to do.
There are several ways to accomplish this review. Utilities can engage an external expert to assess their cybersecurity programs against industry benchmarks and identify gaps and areas for improvement. From there, organizations can develop action plans to address those gaps in priority order. Penetration testing and simulated red-team cyber drills also present opportunities for improvement.
Businesses also can self-audit their cyber programs. Assessing company practices is critical, and Unitil supplements its own reviews with an external assessment performed annually to determine the effectiveness of its cybersecurity measures. These assessments force utilities to keep strengthening their layers of protection.
Unitil has adopted the Center for Internet Security's (CIS) controls framework as its compliance model, which is essentially an audit model that assesses how the utility is performing against a broad range of security controls. By producing evidence of its quality of execution, Unitil gains a higher level of assurance that it is adhering to its cybersecurity requirements and goals. With cyberattacks against utilities a constant threat, Unitil envisions a day when cyber programs at all utilities are audited by an external entity, much like audits of accounting and other business practices, to ensure protections are followed.
Another resource available to utilities to enhance security posture is the Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s cyber defense agency. CISA can help organizations of all sizes to better prepare for and respond to cyberattacks while also lessening the impacts if they fall victim to an attack.
In its effort to raise awareness, CISA has launched the Shields Up campaign, which provides a comprehensive cybersecurity business practice guide. While companies may not meet 100% of the recommendations outlined, the guidance is a helpful self-assessment tool to pinpoint areas where improvements can be made to enhance online security.
CISA also encourages companies and others to voluntarily share information about cybersecurity threats to critical infrastructure. The reporting of any cyber-related incident can prompt warnings that may protect other companies from an attack.
Most companies cannot deploy every protection or security measure available, so consideration should be given to balancing a company’s risk tolerance and operational needs — creating a best-fit cyber protection plan.
The Bottom Line
A defense-in-depth cybersecurity program is about fortifying protection and driving improvement from every angle and at every level. Through an emphasis on systems, people, monitoring and policy assessment, a sound cybersecurity program safeguards an organization's critical assets without unduly burdening its productivity.
It is likely more sectors will be audited for their cyber programs in the near future, so utilities that have not already done so should prioritize a cyber program that will keep critical business operations running and ensure data is protected.