Utility Cybersecurity in the Cloud: A Discussion on Best Practices
Worldwide, the value of the public cloud services market is estimated at almost $260 billion, and it’s growing. With the onset of the COVID-19 pandemic, work habits—and work locations—have changed for many, heightening the already strong interest in robust security for cloud-based systems. While many industries—finance, medicine, and more—are already firmly in the cloud, many utilities are still taking initial steps and looking for guidance. With interconnectivity come more issues, though, first and foremost the need to enhance utility cybersecurity measures to minimize the risk from any and all potential incursions.
Since joining our team, security developer Graham Park has remained involved in cybersecurity issues for years. Park has since assumed a leadership role in developing security and software solutions for our clients designed to gird utility cybersecurity and cloud-based systems against infiltration.
What is the biggest utility cybersecurity risk for cloud-based systems?
Misconfiguration—by a long shot—is the biggest danger for those using cloud-based platforms. Cloud providers offer a rich assortment of the latest security tools and best-practice protocols to lean on as users deploy and manage all sorts of utility applications. However, it’s critical for anyone migrating to, or operating in, the cloud to take the time needed to set up these systems correctly and securely.
There are far too many cautionary tales out there. In one case, sensitive medical records (lab test results, patient files) for 150,000 Americans had been stored on an unsecured cloud. In another case, back in 2017, personal information—about 1.1 terabytes worth—for almost 200 million registered U.S. voters was accidentally exposed online for two days due to an improperly configured security setting. In both of these cases, fixing the configuration was fairly simple, but it just wasn’t done. So to anyone considering moving to or operating in the cloud, make sure to keep up to date with utility cybersecurity best practices and keep them in mind as you build your applications. When done correctly, operating within the cloud can remove or streamline a lot of the work required to deploy a secure application.
How do you know utility customer data won’t get hacked? What can we do to protect critical infrastructure?
No security system, whether it’s in the cloud or hosted in your own data center, is 100 percent immune from compromise. Regardless of how mature your cloud security is, it’s best to always think of it as a work in progress. That’s because new threat actors emerge, testing out new tricks, and we have to be ready. The best protection is to constantly sharpen security systems and continually educate employees.
Here are some concrete steps to take:
- Follow industry best practices. There’s a lot to be learned from the shared experiences of the security community.
- Catch mistakes before they’re exploited. Hire penetration testing teams to regularly flag issues with your applications, and set up automated scanning of your code and infrastructure to detect common security mistakes before they become a problem.
- Invest in detection. Some reports suggest that 200 days is the average time it takes to detect a data breach. A lot of damage can be done in more than half a year, so the faster you detect and respond to an attack, the more likely it is you’ll be able to prevent or limit serious damage.
- Create a culture focused on security. As the old saying goes, the strongest lock doesn’t matter if someone hands over the keys. At Virtual Peaker, we’ve found that short training sessions every month work best. They’re brief enough to engage employees yet happen often enough to ensure that security is always top of mind. Because phishing is consistently ranked as the top reason for security breaches, it’s critical that security training includes phishing simulations so team members don’t get fooled.
Of course, utility cybersecurity starts—or ends—at the highest levels of every organization, so it’s critical for leaders to stress the importance of remaining vigilant and focused.
The pandemic has shifted work habits and social distancing/working from home is the new normal for many. How can utility employees work remotely and safely?
The cloud doesn’t care whether your access point is the office or a spare bedroom at home—the same best practices for utility cybersecurity listed above still apply. Make sure to always lock your devices when you walk away and never leave them unattended in public. Only connect using your company VPN if you have one.
Think before you click, regardless of your location. Phishing scams are on the rise during the pandemic, so if something seems a little off, delete it or first confirm with your security department that it’s okay to proceed. In the pre-pandemic world, if you received a suspicious email claiming to be from a colleague, you could walk down the hall to make sure. When working from home, reach out through a different communication channel—Slack, text, voice, etc.—to make sure the communication is legit before opening it.
It’s also important to take steps so you don’t inadvertently disclose company information. Make sure to dispose of all confidential documents securely, and to think about who might be within earshot before discussing confidential business information over the phone or who might be able to look over your shoulder and watch you enter passwords or pull up confidential data. And of course, it’s critical to use strong passwords and multi-factor authentication.
What should service providers look for to make sure vendors are legitimate when it comes to utility cybersecurity?
I think a lot of the things we’ve talked about can be applied when considering vendors. The same focus on utility cybersecurity within your organization should be visible in all of your vendors as well. It’s necessary to hold them to a high security bar because (depending on the vendor) they may be handling your sensitive data or business-critical functionalities. Some questions to consider as you evaluate vendors:
- Are they following industry best practices?
- Are they investing heavily and frequently in security?
- Do they use third-party assessments including penetration tests and audits to protect the information in the cloud?
Good luck, and please don’t hesitate to contact us with any questions or concerns.