Blog

 

Latest Stories

Featured Stories

Filter By Categories
Andrew Cenci
By
November 17, 2020

Utility Security in the Cloud: A Discussion with Virtual Peaker’s Graham Park

Worldwide, the value of the public cloud services market is estimated at almost $260 billion according to research firm Gartner, Inc. And it’s growing: With the onset of the COVID-19 pandemic, work habits—and work locations—have changed for many, heightening the already strong interest in robust security for cloud-based systems.

 

While many industries—finance, medicine, and more—already are firmly in the cloud, many utilities are still taking initial steps and looking for guidance.

me

Graham Park, a software engineer at Virtual Peaker who has been heavily involved in cybersecurity issues for years, has taken a leadership role at the company developing security and software solutions for our clients.

 

In this blog post, Graham responds to some of the top security concerns for utilities.

 

Q. What is the biggest cybersecurity risk for cloud-based systems at utilities?

A. Misconfiguration—by a long shot—is the biggest danger for those using cloud-based platforms. Cloud providers offer a rich assortment of the latest security tools and best-practice protocols to lean on as users deploy and manage all sorts of utility applications. However, it’s critical for anyone migrating to, or operating in, the cloud to take the time needed to set up these systems correctly and securely.

There are far too many cautionary tales out there.In one case, sensitive medical records (lab test results, patient files) for 150,000 Americans had been stored on an unsecured cloud. In another case, back in 2017, personal information—about 1.1 terabytes worth—for almost 200 million registered U.S. voters was accidentally exposed online for two days due to an improperly configured security setting. In both of these cases, fixing the configuration was fairly simple, but it just wasn't done. So to anyone considering moving to or operating in the cloud, make sure to keep up-to-date with security best practices and keep them in mind as you build your applications. When done correctly, operating within the cloud can remove or streamline a lot of the work required to deploy a secure application.

Canva Design DAENUqMjMn0Q. How do you know utility customer data won’t get hacked? And what can we do to protect critical infrastructure?

A.No security system, whether it's in the cloud or hosted in your own data center, is 100 percent immune from compromise.
Regardless of how mature your cloud security is, it's best to always think of it as a work in progress. That's because new threat actors emerge, testing out new tricks, and we have to be ready. The best protection is to constantly sharpen security systems and continually educate employees.

Here are some concrete steps to take:

  • Follow industry best practices. There’s a lot to be learned from the shared experiences of the security community.
  • Catch mistakes before they’re exploited. Hire penetration testing teams to regularly flag issues with your applications, and set up automated scanning of your code and infrastructure to detect common security mistakes before they become a problem.
  • Invest in detection. Some reports suggest that 200 days is the average time it takes to detect a data breach. A lot of damage can be done in more than half a year, so the faster you detect and respond to an attack, the more likely it is you’ll be able to prevent or limit serious damage.
  • Create a culture focused on security. As the old saying goes, the strongest lock doesn’t matter if someone hands over the keys. At Virtual Peaker, we’ve found that short trainings every month work best. They’re brief enough to engage employees yet happen often enough to ensure that security is always top of mind. Because phishing is consistently ranked as the top reason for security breaches, it’s critical that security training includes phishing simulations so team members don’t get fooled.

Of course, security starts—or ends—at the highest levels of every organization, so it’s critical for leaders to stress the importance of remaining vigilant and focused.

 

Subscribe To Our Newsletter


Q. The pandemic has shifted work habits and social distancing/working from home is the new normal for many. How can utility employees work remotely and safely?

A.The cloud doesn't care whether your access point is the office or a spare bedroom at home—the same best practices for security listed above still apply.
Make sure to always lock your devices when you walk away and never leave them unattended in public. Only connect using your company VPN if you have one.
Think before you click, regardless of your location. Phishing scams are on the rise during the pandemic, so if something seems a little off delete it or first confirm with your security department that it's okay to proceed. In the pre-pandemic world, if you received a suspicious email claiming to be from a colleague, you could walk down the hall to make sure. When working from home, reach out through a different communication channel —Slack, text, voice, etc.— to make sure the communication is legit before opening it.
It's also important to take steps so you don't inadvertently disclose company information. Make sure to dispose of all confidential documents securely, and to think about who might be within earshot before discussing confidential business information over the phone or who might be able to look over your shoulder and watch you enter passwords or pull up confidential data. And of course, it's critical to use strong passwords and multi-factor authentication.


Q. What should utilities look for to make sure vendors are legitimate when it comes to cybersecurity?

A. I think a lot of the things we've talked about can be applied when considering vendors. The same focus on security within your organization should be visible in all of your vendors as well. It's necessary to hold them to a high security bar because (depending on the vendor) they may be handling your sensitive data or business-critical functionalities. Some questions to consider as you evaluate vendors:

  • Are they following industry best practices?
  • Are they investing heavily and frequently in security?
  • Do they use third-party assessments including penetration tests and audits to protect the information in the cloud?

 

Good luck, and please don’t hesitate to contact us with any questions or concerns.

Subscribe Email