Responsible for the nation’s supply of water, gas and electricity, the utilities sector is a fundamental part of our critical national infrastructure. The importance of utilities to the day-to-day running of the country cannot be overstated, so what happens when critical national infrastructure comes under threat of a ransomware attack?
The recent cyber attack on the US’s Colonial Pipeline gave us a glimpse of the potential consequences. The pipeline, which carries 2.5 million barrels of fuel a day, was forced offline in May by hackers demanding a ransom. After the £3.1 million ransom was paid, the pipeline was able to resume operations the following week. Although the Justice Department was able to seize millions in cryptocurrency that was paid in ransom to the hackers, the downtime caused by the attack led to huge disruption and petrol shortages in major US states.
The more that utilities companies, fuel suppliers, healthcare, emergency services, traffic management systems – and other organisations that are essential for the daily functioning of our economy – rely on data, the greater the impact that hackers can have by interfering with it. And the more impact that a hacker can have, the more likely their victims are to pay to get their systems back online. This has driven the explosion in ransomware that we’ve seen over recent months.
Recent research from Veritas found that over half (53%) of UK utilities companies experienced a cyber attack in the last year. As Colonial Pipeline – and, more recently, JBS – found out, eventually one of these attacks will succeed. So how can companies protect themselves from attack, for the sake of their own business as well as the customers they serve?
The chink in the armour
The highly regulated nature of the utilities industry means adopting new technologies isn’t easy, and as a result, 88% of IT leaders admit the energy sector hasn’t traditionally embraced cloud technology. Despite this, 48% of the industry’s data is stored or managed in the public cloud, and this figure is expected to rise to 60% in the next five years. Further still, 40% of utilities organisations now consider moving more data and applications to the cloud a top business priority.
Although the utilities sector is typically resilient to unexpected macro changes, current market conditions have forced every industry to drastically accelerate digital transformation plans. The utilities sector is no exception, which perhaps explains the sudden shift to the cloud. As a result of this rapid transformation, however, 55% of utilities companies admit that their security measures haven’t kept up with the complexity of their IT infrastructure, meaning they have less visibility and control of their data than ever before. This ‘chink in the armour’ could be their downfall when an attacker strikes.
So, it comes as no surprise that there are lingering concerns around cloud security for two-thirds (67%) of utilities companies. Other apprehensions around cloud adoption include reduced data visibility (59%) or risk of downtime (55%). These are valid concerns given that two-thirds (64%) of utilities sector companies admit that their organisation’s approach to dealing with cyber attacks could be improved, while increasing resiliency to ransomware and data governance are among their top three priorities.
Concerns around the additional burden of managing and securing cloud environments can prevent utilities companies from embracing them. But modern data management and protection platforms can extend their capabilities from the data centre into cloud environments with a single solution. This means that utilities firms can realise the benefits of transformational projects without putting themselves at additional risk, or shouldering the work associated with managing another protection solution.
But businesses must realise that the onus really is on them, not their cloud provider, when it comes to protecting that data. Alarmingly, 88% of utilities companies leave the responsibility of backing up cloud-based workloads with their cloud provider and are, therefore, potentially leaving their business-critical data vulnerable and exposed to cyber criminals. While most are fully aware of just how essential backups are to their business, many still fail to understand where their cloud provider’s responsibility ends and where theirs begins. Most cloud providers operate Shared Responsibility Models, whereby their customers are responsible for the protection and security of their own data.
The secret weapon
As businesses continue to move their data to the cloud, visibility into what data they have, its value, where it needs to sit, who should access it and how long it needs to be held for, is vital. Yet, only a quarter (24%) of companies have full visibility of the unstructured data they have. If you don’t know what data you have, how can you protect it?
This doesn’t have to be an arduous task either. Currently, two-thirds (69%) of utilities companies use multiple vendors to help them protect their data across their entire infrastructure. This can often lead to a melting pot of different tools and solutions which don’t always complement each other and can, ultimately, become more of a hindrance than a help. But by using a single data protection solution that manages data across their entire IT estate, utilities firms can gain a full view of their data without the cost or burden of managing multiple solutions.
With this visibility comes the opportunity to build a robust and automated backup plan that includes optimising business continuity and disaster recovery processes to protect and encrypt mission-critical data. Isolating and encrypting backups, holding multiple copies, and frequent testing for vulnerabilities will help businesses build resiliency against attackers.
Unfortunately, organisations that form a fundamental part of a country’s critical national infrastructure will continue being targeted by cyber criminals. It’s not because they have a traditionally soft security posture or are particularly cash-rich, but because cyber criminals know that if their attacks halt essential services, organisations will have less time to make a decision and will be more willing to pay the ransom. The stakes of a successful attack are much higher, so the chances of a victim paying up are much greater.
Despite their best efforts, most companies will fail to stop at least one cyber attack over the course of their lifetime. And when businesses do suffer a breach, data responsibility will be the foundation of their ransomware defence, while encrypted backups will be their secret weapon. As ransomware attacks continue to evolve in frequency and sophistication, businesses must evolve their strategies in response because, while they may win one battle, there’s a whole lot more to come in the war on ransomware.