With multiple large-scale ransomware attacks occurring over the last few years, including those in the utility industry, people are wondering more than ever what the future of security for the Internet of Things (IoT) infrastructure space should look like. According to PwC’s 25th Annual Global CEO Survey, 44 percent of energy, utilities, and resources CEOs ranked cyber threats as a “top three” concern, only slightly edged out by health risks (45 percent) and climate change (49 percent). With today’s advancing technology has come a drastic increase in cyber-attacks across all industries. These CEOs are feeling the threat that cyber-attacks pose now and in the future, and they must consider what actions need to be taken to prevent themselves from becoming victims.
“Attacks on organizations in critical infrastructure sectors have increased dramatically, from less than 10 in 2013 to almost 400 in 2020 – a 3,900 percent change,” according to a Gartner report. As their operations become more connected, companies across industries have been working to implement best practice security measures to try and mitigate these attacks. With strong IoT security inherent in network protocols like LoRaWAN, we know our critical infrastructure is more secure than ever before. However, with cybercriminals becoming more sophisticated, some organizations may choose to consider an additional layer of security to protect vital information.
IoT Security Risks in Utility Infrastructure
Current: Alarmingly, in some situations, security isn’t implemented correctly on IoT devices or for communication coming from devices. And, if low-strength security and/or static keys are being used, it can make it easier for bad actors to hack your systems. Security vulnerabilities that exist today include man-in-the-middle attacks, replays, delays, reliance on antiquated operating systems, no true end-to-end data security, and low amounts of processing power.
Future: The future of utilities is moving towards remote management and access to devices (like meters), which will expand connectivity infrastructures. While this promises a more streamlined way to operate, it can introduce new vulnerabilities. Because of this, utility infrastructure providers need to consider the cyber risks that come with making systems more visible to cyber criminals and prepare their security for attacks.
Outcomes and Future Planning
When a cyberattack has been successfully carried out on utility infrastructure the damage done can leave a lasting impact on human safety and can affect equipment, systems, and the services they provide. When hackers can capture sensitive data about these systems and manipulate them, they can cause catastrophic outcomes, including total system shutdowns.
The visibility that comes as a result of increased connectivity means that those in the utility infrastructure space need to implement security that can cover any openings that hackers may try to exploit, providing true end-to-end payload protection through every hop of an IoT network. One consideration is to secure IoT devices by embedding a security technology within the end devices that secures data to the highest strength, at the earliest opportunity. This security library is controlled by the application running on the device and should be resistant to attacks of the future. Government-regulated certifications like FIPS 140-3 are also an important feature in protecting critical infrastructure.
Securing an IoT deployment is not only a matter of choosing the right communication protocol, but it requires following implementation best practices and adhering to industry security standards. The LoRaWAN specification has been designed from the outset with security as an essential aspect, providing state-of-the-art security properties that meet the needs of highly scalable low-power IoT networks.
Additional layers of security such as MTE (MicroToken Exchange) and MKE (Managed Key Encryption) are also supported by forward-thinking network operators and utility infrastructure providers to support critical infrastructure and essential business applications.