By Michael Praats | May 17, 2021 at 12:36 PM EDT – Updated May 17 at 3:30 PM
WILMINGTON, N.C. (WECT) – The recent cyberattack on the Colonial Pipeline has shown just how quickly things many people take for granted, like being able to drive to the gas station at any time and fuel up can disappear.
While the attack only targeted one company, there are all sorts of critical infrastructure that could suffer from similar attacks, including water and other energy corporations.
So how can these attacks be prevented in the future, and what are companies doing to stay up to date with the latest groups determined to hurt our critical infrastructure?
In New Hanover County, the Cape Fear Public Utility Authority is the main water provider for the county as well as some of the municipalities, so it takes security seriously.
“Over the last several years, CFPUA has strengthened our cybersecurity posture by working extensively with federal and water sector partners, including the U.S. Department of Homeland Security, the FBI, and other agencies. We’ve also incorporated standards and other guidance published by water industry associations,” CFPUA Director of Communications Vaughn Hagerty said.
There are all sorts of attacks that can target infrastructure, for example, the Colonial Pipeline attack was a ransomware attack that requires a sum of money to be paid to the malicious group, or risk losing control of their information. Other attacks simply go after customer information, and some can even be people hacking for the thrill of it.
“Cyberattacks have long been recognized as a threat to the water sector, and it’s something we think about every day. We have experienced attempts at phishing, ransomware, and theft of credentials in efforts to gain access to our system. Typically, the threats can be classified in three groups: mischief-makers, criminal gangs, and foreign state actors,” Hagerty said.
It’s also not unheard of in Southeastern N.C.
Security & Emergency Manager Eric Hatcher for CFPUA said the utility provider has been working for years to stay up to date on the latest threats and provided some insight into how the authority would deal with a problem. The good news is that even if there were a cyber-attack, utilities like CFPUA do have the ability to maintain operations through manual systems.
“A lot of folks overlook that, they get so reliant on technology and say ‘look at this we can push a button and open this valve’ … And then over time you forget how to do that so we actually developed plans for all of our critical infrastructure, from pump stations to water plants, drinking water plants, well sites — those things can all be run manually,” Hatcher said.
While CFPUA has made the improvements needed to its infrastructure, Mike McGill, President of Water PIO. says that isn’t the case for all utilities.
“Most utilities across the country don’t have the funding or the staff to adequately meet the challenges that are ahead and that is a frustration in our industry right now,” he said.
Staff and money – those are the two things McGill says need to be improved if utilities want to be ready for the advances in technology and ever-evolving threats. So what types of infrastructure improvements can be made?
“What we see nowadays is too many utilities have patchwork systems where there are several vulnerabilities that need to be addressed, fortunately here you had CFPUA that addressed that issue,” McGill said.
The improvement to infrastructure is one of the biggest things utilities can do to better protect themselves against any sort of threat – but again – these improvements cost money and ratepayers are typically not happy about rate increases.
“There’s a wide variety of ways that utilities can be attacked if were not careful, if we don’t address these issues if we don’t stop bandaging our infrastructure, and start replacing it repairing it like we should,” McGill said.
When it comes to critical infrastructure, power is one of the most indispensable. It powers everything from lights in your home to life support systems at hospitals, which is why Duke Energy takes protecting the grid seriously.
“As an electric utility and critical infrastructure we are a target and that is something that we are aware of and plan for every day,” Jeff Brooks, Duke Energy spokesman said. “And we have multiple layers of security in place both physical and cyber to protect the infrastructure of the electric grid.”
As is the way of the world, as time moves on technology and other improvements are made in all aspects of life. For Duke Energy customers, you might have already had a ‘smart meter’ installed on your home. This device allows for remote communications and more advanced features – it also provides a new possible threat.
“As we’ve made our grid more intelligent, as we add more smart technologies we have to also add the protections to keep those both communications pathways and control pathways, all of the information that flows back and forth across the grid, we have to make sure that’s secure as well,” Brooks said.
For all critical infrastructure, working with the government including departments like the FBI or Homeland Security is a crucial component to keeping utilities safe. Information sharing was something everyone mentioned as a best practice because as technology continues to progress, attacks will also come in new forms so learning from others who have experienced these sorts of attacks can help prepare others.
Copyright 2021 WECT. All rights reserved.