Preventing hackers in critical utilities

~ To ensure the integrity of vital systems, the key is security at the hardware level ~

Earlier this year, an unknown hacker gained access to the water system of a city in Florida. Once in, they attempted to increase the levels of sodium hydroxide in the system from the standard 100 parts-per-million (ppm) to over 11,000ppm, which would pose a significant health risk to anyone consuming the tainted water. Here, Andy Conway, sales manager at essential infrastructure networking expert Recab UK, explains what can be done to guard against similar attacks in the future.

Thankfully, the security breach in Florida was spotted and rectified immediately by a plant worker. However, others might not be so lucky. Quite apart from the obvious risk to the public when hackers target critical applications, the cost to businesses can be steep. According to a study by the Ponemon Institute, organisations can spend up to £2.9m per incident. For providers of essential services such as electricity, a cyber-attack on operational technology could also run the risk of halting service, which can lead to even steeper costs from regulators.

While large-scale attacks such as the incident in Florida or the recent breaches by hacker group cl0p against multinational firms are thankfully rare, the cyber threat in general is high. In the US alone, there were still over 1,000 data breach incidents in 2020, affecting 155.8 million individuals.

Inherent vulnerability

According to research by Juniper Research, the number of Internet of Things (IoT) devices will reach 46 billion in 2021, a 200 per cent increase compared to 2016. While not all of these are used in industrial applications, around 35 per cent of all manufacturing uses information from connected devices in the manufacturing process, with energy and utilities companies making similar use of connectivity.

The level of IoT adoption leaves a lot of potentially vulnerable devices being used in critical applications. This is something that utilities executives are acutely aware of, with roughly one in four pointing to their devices as the most vulnerable part of their IoT deployments in an IBM study.

While remote access to critical infrastructure is an incredibly useful tool for infrastructure operators, the price for that utility is an inherent risk of infiltration by bad actors. The incident in Florida demonstrated that remote access can be leveraged by hackers to potentially harmful effect. The unfortunate reality is that the only way to absolutely ensure that any remote cyber-attack is impossible is to isolate that system from the internet, with all the commensurate downsides that entails. In almost every situation, the added security risk is deemed acceptable given the huge benefits that automation and connected plant technologies offer.

The solution is the hardware

Thankfully, there are steps that can be taken at the hardware level to help guard against cyber-attack. Secure routers like the MRX series from Recab UK’s partner INSYS icom come with comprehensive IT security specifically designed to stop attacks like the Florida water hack from being possible. Implementing security measures at the hardware level gives an extra layer of protection against cyber-attack, stopping potential intruders before they can access critical-level systems.

The hardware-level security features can also have additional operational benefits. INSYS icom’s MRX industrial routers use OpenVPN, an open-source virtual private network (VPN), with encrypted data packets, which makes the traffic more difficult for hackers to intercept.

The use of OpenVPN also means that wireless routers like the MRX LTE can have a static IP address, rather than the dynamic one typical of 4G/LTE connections. From Recab UK’s experience supporting projects across the UK, this makes remote access and integration with other industrial systems easier.

The INSYS icom MRX series also features a modular design using a plug-in card system (MRcards). These cards allow operators to extend the functionality of the base router, effectively assembling a custom router for each individual application. This also future-proofs the router, as older plug-in cards can be swapped out as needed.

The reality for utilities and infrastructure operators — and indeed, any business — is that cyber-attacks are a persistent threat. They may not all be on the scale of the Florida water incident, but networks should be prepared and secured in any case. Considering security at the network hardware level is an important step to minimising risk and avoiding the substantial consequences of a utilities hack, both now and in the future.

Automation Update