Canadian utility companies need to learn from what’s gone tragically wrong in other countries. From the ammonium nitrate explosion that rocked Beirut in 2020 and the almost 50 earthquakes around the world that registered a magnitude of 6 or more on the Richter scale that year, through to the severe winter storm that knocked out the electrical power grid across Texas early in 2021, it’s clear that things can go very wrong, very quickly, and it’s equally clear that all of these things can and will happen in Canada. Recent events only underscore the immense risks and hardships faced by civilian populations when their utilities are unexpectedly disrupted or fail, and our critical dependency on utilities can never be underestimated.
Primary Threat: Cyber Attacks
Over the past two years, and coinciding with the emergence of COVID-19, the Canadian intelligence community and Government of Canada have stepped up efforts to inform the public on the proliferation of cyber attacks against both the public and private sectors, whether government departments, high-profile corporations, or utility operators.
The worries are well founded. As reported by Morning Consult, security researchers have found that utilities worldwide suffered 1,780 distributed denial-of-service (DDoS) attacks between the period June 15 and August 21, 2020, alone— a staggering 595% year-over-year increase. And there is no reason to think that Canada is any less vulnerable than other nations. Here is just a sample of “Significant Cyber Incidents” affecting utilities worldwide documented by the Center for Strategic and International Studies since the onset of the COVID-19 pandemic:
- March 2021: Polish security services suspected Russian hackers briefly took over Poland’s National Atomic Energy Agency’s website to spread false alerts of a radioactive threat.
- March 2021: Suspected Chinese hackers targeted electricity grid operators in India in an apparent attempt to lay the groundwork for possible future attacks.
- February 2021: Unknown hackers attempted to raise levels of sodium hydroxide in the water supply of Oldsmar, Florida (USA), by a factor of 100 by exploiting a remote access system.
- December 2020: Unknown hackers conducted a spear phishing campaign against six countries targeting special temperature-controlled environments to support the COVID-19 supply chain.
- July 2020: Israel announced that two cyber attacks had been carried out against Israeli water infrastructure and distribution control systems. Neither were successful.
- May 2020: German officials found that a Russian hacking group had compromised the networks of energy, water, and power companies in Germany by compromising the firms’ suppliers.
- April 2020: Suspected Iranian hackers unsuccessfully targeted the command-and-control systems of water treatment plants, pumping stations and sewage in Israel.
- April 2020: The government and energy sector entities in Azerbaijan were targeted by an unknown group focused on the SCADA systems of wind turbines.
- October 2019: India announced that North Korean malware designed for data extraction had been identified in the networks of a nuclear power plant.
- September 2019: A Chinese state-sponsored hacking group responsible for attacks against three U.S. utility companies in July 2019 was found to have subsequently targeted seventeen others.
- July 2019: State-sponsored Chinese hackers conducted a spear-phishing campaign against employees of three major U.S. utility companies.
- June 2019: U.S. grid regulator NERC issued a warning that a major hacking group with suspected Russian ties was conducting reconnaissance into the networks of electrical utilities.
- March 2019: The U.S. Department of Energy reported that grid operators in Los Angeles County, California and Salt Lake, Utah, suffered a DDoS attack that disrupted their operations; and
- March 2019: Iranian hackers targeted thousands of people at more than 200 oil-and-gas and heavy machinery companies across the world, stealing corporate secrets and deleting data.
Secondary Threats: Post COVID-19
Throughout the COVID-19 pandemic, Western nations readied themselves for an anticipated escalation of security threats toward utility companies, based on a well-established link between times of economic downturn and civil unrest, which can in turn lead to an increased targeting of utilities by organized and opportunistic crime. Primary security concerns in relation to utility companies include:
Metal Theft: Renewable energy sites utilize solar farms and onshore wind, which occupy huge footprints, often in remote locations with undefined or even insecure perimeters. As a result, these installations can be prime targets for metal theft
Protest Activity: Times of civil unrest are typically accompanied by a surge in protest activity, with past history showing that power generation sites (especially coal and gas) can present a highly desirable target for those malicious or radicalized actors hoping to make the most disruptive impact. As demands for action on climate change are only likely to intensify in the coming years, the potential threats posed to energy sites will likewise increase and should be considered a top security concern looking ahead to 2022.
Lone Working: Working alone is already understood as a significant hazard and concern for employees. Utility employers must place high importance on assessing and mitigating the risk to those vulnerable employees, given the remote location of many utilities sites. Lone worker protection systems should be considered essential, such as the installation of sophisticated distress and panic alarms, some of which can even auto-monitor audio signals to detect aggressive behaviour against an employee, without the worker needing to trigger the alarm.
Workplace Management: Employees returning to their workplace upon the easing of some pandemic restrictions require an improved and safe working environment in which employees, visitors, and contractors are comfortable with protocols to enforce physical distancing and wearing of PPE.
Secondary Threats: Pre COVID-19
Regulatory uncertainty, employee turnover, and an organization’s risk culture are among the security threats to utility providers that predate the onset of the COVID-19 pandemic and remain ongoing areas of concern.
Regulatory Ambiguity: A lack of clarity often surrounds the accelerated introduction of new regulatory requirements, hindering their successful implementation of new policy changes, even as utility companies invest in compliance and risk management software solutions to efficiently manage operations and compliance concerns.
Employee Turnover: Institutional knowledge is critical to the operation, management, and governance of utilities. Higher rates of retirement and general employee turnover can therefore present a major risk. tility companies are already not immune to the growing talent gap. Succession planning is paramount for the retention of institutional knowledge, such as through the application of information management systems and software that are designed to centralize information and skillsets, and prevent their transfer to other competitor utility companies.
Training: New employees require the appropriate training through a standardization process designed to introduce new workers into the corporate mentality. Training management software can assist with resource management and training standards to ensure compliance.
Cyber Security: Smart meters, smart thermostats, smart appliances, and other 'smart' home devices have grown in popularity, in a similar capacity as connected devices in power plants, smart equipment, sensors, and smart PPE. Smart infrastructures offer vast potential for utility corporations although they simultaneously present a new set of risks in relation to customer data breaches, unauthorized access to physical assets, and cyberterrorism. Should utility companies wish to avoid cyber threats, they need to drastically increase their investment in cybersecurity.
Climate Risk: Utility companies are among the first to feel the impacts of climate change as they independently take strides to reduce impacts, and announce plans to retire coal-fired generators in favour with lower-cost renewables. Utilities need to establish a framework for identifying and addressing climate-related risks such as physical damage, disruption, and unwanted disclosures of information. Failure to sufficiently and transparently mitigate these risks can have severe consequences on the utility's reputation and physical assets, as well as the environment.
Consumer Mentality: Thanks to the recent proliferation of connected devices such as smart thermostats, meters, and appliances consumers possess ever greater control over their energy consumption. As a result, consumers desiring to reduce their carbon footprint are demanding more from their utility providers, and in some cases exploring emerging renewable energy options. Utilities need to recognize their customers’ needs and expectations if they wish to be successful.
Risk Culture: Risk culture can be defined as an employee’s behaviour, perception, attitude, values, capabilities, and level of organizational commitment within the workplace. Employees need to be mentored with strong risk management standards embraced by the highest level of senior management and embedded in the corporate ethos. Any lack of employee dedication to departmental security compliance standards will invariably remain the most decisive insider threat from within an organization.
We depend upon the consumption of electricity, heat, water, and other commodities for the routine functioning of society and our daily survival. The disruption or deprivation of any one of these elements can cause disaster, panic, civil disobedience, even death.
Utilities are the most basic operational and structural mechanisms that enable us to work, live comfortably, and flourish as a society, making them the most attractive targets by hostile actors and foreign governments. If timed strategically, an actor can control a nation’s access to its utilities or terminate them altogether through the means of cyber penetration rather than terrorism or physical attack. In such an event, that actor will have covertly succeeded in incapacitating an adversary without the use of conventional military weapons or technologies.
Utility companies can defend themselves against some of the threats discussed above by hardening their digital and physical security standards. Investing in a truly converged security program that encompasses physical, electronic, and cyber security activities is without doubt the best method of maximizing an organization’s mitigation efforts in relation to risk and hazards, whether from foreign or domestic means.