Worldwide, the value of the public cloud services market is estimated at almost $260 billion according to research firm Gartner, Inc. And it’s growing: With the onset of the COVID-19 pandemic, work habits—and work locations—have changed for many, heightening the already strong interest in robust security for cloud-based systems.
While many industries—finance, medicine, and more—already are firmly in the cloud, many utilities are still taking initial steps and looking for guidance.
Graham Park, a software engineer at Virtual Peaker who has been heavily involved in cybersecurity issues for years, has taken a leadership role at the company developing security and software solutions for our clients.
In this blog post, Graham responds to some of the top security concerns for utilities.
Q. What is the biggest cybersecurity risk for cloud-based systems at utilities?
A. Misconfiguration—by a long shot—is the biggest danger for those using cloud-based platforms. Cloud providers offer a rich assortment of the latest security tools and best-practice protocols to lean on as users deploy and manage all sorts of utility applications. However, it’s critical for anyone migrating to, or operating in, the cloud to take the time needed to set up these systems correctly and securely.
There are far too many cautionary tales out there.In one case, sensitive medical records (lab test results, patient files) for 150,000 Americans had been stored on an unsecured cloud. In another case, back in 2017, personal information—about 1.1 terabytes worth—for almost 200 million registered U.S. voters was accidentally exposed online for two days due to an improperly configured security setting. In both of these cases, fixing the configuration was fairly simple, but it just wasn't done. So to anyone considering moving to or operating in the cloud, make sure to keep up-to-date with security best practices and keep them in mind as you build your applications. When done correctly, operating within the cloud can remove or streamline a lot of the work required to deploy a secure application.
Q. How do you know utility customer data won’t get hacked? And what can we do to protect critical infrastructure?
A.No security system, whether it's in the cloud or hosted in your own data center, is 100 percent immune from compromise.
Regardless of how mature your cloud security is, it's best to always think of it as a work in progress. That's because new threat actors emerge, testing out new tricks, and we have to be ready. The best protection is to constantly sharpen security systems and continually educate employees.
Here are some concrete steps to take:
Of course, security starts—or ends—at the highest levels of every organization, so it’s critical for leaders to stress the importance of remaining vigilant and focused.
Q. The pandemic has shifted work habits and social distancing/working from home is the new normal for many. How can utility employees work remotely and safely?
A.The cloud doesn't care whether your access point is the office or a spare bedroom at home—the same best practices for security listed above still apply.
Make sure to always lock your devices when you walk away and never leave them unattended in public. Only connect using your company VPN if you have one.
Think before you click, regardless of your location. Phishing scams are on the rise during the pandemic, so if something seems a little off delete it or first confirm with your security department that it's okay to proceed. In the pre-pandemic world, if you received a suspicious email claiming to be from a colleague, you could walk down the hall to make sure. When working from home, reach out through a different communication channel —Slack, text, voice, etc.— to make sure the communication is legit before opening it.
It's also important to take steps so you don't inadvertently disclose company information. Make sure to dispose of all confidential documents securely, and to think about who might be within earshot before discussing confidential business information over the phone or who might be able to look over your shoulder and watch you enter passwords or pull up confidential data. And of course, it's critical to use strong passwords and multi-factor authentication.
Q. What should utilities look for to make sure vendors are legitimate when it comes to cybersecurity?
A. I think a lot of the things we've talked about can be applied when considering vendors. The same focus on security within your organization should be visible in all of your vendors as well. It's necessary to hold them to a high security bar because (depending on the vendor) they may be handling your sensitive data or business-critical functionalities. Some questions to consider as you evaluate vendors:
Good luck, and please don’t hesitate to contact us with any questions or concerns.