The companies that underpin critical infrastructure often use tens or hundreds of thousands of Internet of Things (IoT) devices for several use cases. Water utilities use remote sensors to monitor water quality and reservoir levels. Power companies leverage connected equipment to monitor for outages and higher usage levels throughout the system. Oil and gas companies use connected devices to monitor miles of geographically distributed pipelines. 

These industrial sectors use IoT devices for a few reasons: 

• geographically remote locations in need of real-time monitoring
• the prohibitive cost of sending employees on location, and
• IoT devices streamline monitoring from centralized offices. 

Of course, the use of IoT devices brings with it the risk of cyberattack. Connected devices are deployed incredibly quickly in large numbers, adding more possible entry points to the networks of critical infrastructure organizations. There are expected to be 17.08 billion IoT devices brought online worldwide in 2024, representing 13% year-over-year growth from 2023. 

For critical infrastructure companies, the danger is especially acute. These firms, including oil and gas facilities, water treatment plants, electric companies, and sewer facilities face attacks from nation-state groups seeking to disrupt their government’s enemies. Disrupt operations at an electricity company or a water treatment plant, and it’s possible to sow chaos in a society.

The IoT Risk to Utilities and Critical Infrastructure 

In terms of IoT, many critical infrastructure companies have remote monitoring tools implemented through their infrastructure. An oil and gas pipeline typically runs through miles upon miles of wilderness and has sensors all along its length to track the liquid crude as it travels from extractors to refiners. Water treatment plants have sensors spread throughout their operations, and electric companies have internet-enabled transformers tracking power flow through their systems. 

The risk to these systems is acknowledged at the federal government level. The U.S. Government Accountability Office (GAO) released a report at the end of 2022 detailing the risks of IoT usage in critical infrastructure environments. As part of this research, they found that the federal agencies responsible for the 16 critical infrastructure sectors (as defined by the federal government) had not as of that time conducted risk assessments about their use of IoT or operational technology (OT). 

It’s not just cyberattacks either. Utilities and other critical infrastructure reported 60 incidents in the first three months of 2023 that they characterized as physical threats or attacks on major electric grid infrastructure, in addition to two cyberattacks, according to mandatory disclosures with the Department of Energy. This is more than double the same period in 2022 and is indicative of the desire of homegrown extremists to cause mass blackouts in the United States. Electric companies especially are vulnerable to physical attacks with the need to have remote substations to move power through their regions.

Examples of Recent Attacks on Critical Infrastructure 

As part of our analysis of the IoT risks to critical infrastructure, we examined a few recent cyberattacks on individual sectors. There was not enough information to determine whether these attacks originated in connected devices, unfortunately. Whether they started with IoT devices or not is immaterial, however; what’s more important is understanding that cybercriminals regularly target critical infrastructure. Anything that creates more cyberattack risk, including unprotected IoT devices, needs to be defended. 

Different critical infrastructure categories experience distinct threats. For water utilities, an IoT breach won’t necessarily stop operational technology from functioning or create downtime. That might be a good thing, but that doesn’t mean these attacks aren’t damaging. A more salient point is that these attacks on water systems may also occur in rural areas that have more limited budgets. 

Several recent examples include:

• The Municipal Water Authority of Aliquippa in Pittsburgh had to shut down its OT systems after a cyberattack from the Iran-backed group “Cyber Av3ngers” on one of its booster stations. The attack shut down equipment that monitors water pressure at the station, forcing the water company to switch to manual monitoring. 
• At least 10 more water facilities throughout the United States were hacked through the same method the Cyber Av3ngers used to breach the Aliquippa water company, according to federal investigators. The devices that the Iranian group shut down were manufactured in Israel and displayed a message that said all Israeli tech is fair game for the Cyber Av3ngers. 
• The Municipal Water Division of Oldsmar, Florida, had to defend against a poisoning attack. Someone hacked into a utility control network and raised levels of sodium hydroxide to over 100 times their normal concentrations. Sodium hydroxide is dangerous in large quantities but is safely used in everyday water treatment. An operator who noticed the hack in real time – by seeing his mouse cursor move by itself – stopped the chemicals from reaching the water supply. 

With power companies, the same trends apply. Co-ops and rural companies frequently get targeted because they’re the ones with the smallest amount of cybersecurity defenses. In 2022, there were a total of 1,665 security incidents involving the U.S. and Canadian power grids; 60 of those incidents led to outages. IoT attacks may not cause major disruptions given how they’re connected to a network, but they can still impact energy company terminals and other IT rather than OT. For example:

• In 2021, Colorado cooperative Delta-Montrose Electric Association (DMEA) was hit by a “malicious” cyberattack and left without payment processing, billing, and other internal systems. It took more than a month to bring those systems back online. The utility said it suffered a significant data loss, but there was “no breach of sensitive data within our network environment” and its distribution grid was not impacted. 
• Nearly two dozen Danish energy companies were attacked in May 2023 in three successive waves. This was the largest cyberattack in Danish history and resulted in several of the power companies shutting off their connection to the internet to limit the damage.  
• It’s not only power companies directly that are impacted. Chicago-based engineering firm Sargent & Lundy, which designed more than 900 power stations in the US,  experienced a ransomware attack in October 2022. Sargent & Lundy holds sensitive data on its power station and power line projects. Data on electrical systems was exfiltrated, but there is as yet no indication of any downstream impacts. But that doesn’t mean power companies can relax either.   

Oil and gas companies typically have larger organizations with distributed networks and riskier IoT assets because of their geographic distribution. Overall, these companies are less regulated in terms of how and where to invest in cybersecurity as well. Everything relies on IT defenses as opposed to the OT side of things with other utility and critical infrastructure companies. 

That said, successful cyberattacks in the oil and gas industry can have massive societal impacts. There could be widespread gas shortages, triggering hoarding behavior at the pump and leading to broader chaos. In some cases, that may be the goal of the cyberattack in the first place. 

• In May 2021, financially motivated cybercriminals launched a ransomware attack on Colonial Pipeline. They locked up IoT sensors, making it impossible for the company to track how much to bill gas customers. In response, the company shut down all 5,500 miles of pipeline, which caused fuel shortages and panic buying in multiple states. With good reason too: Colonial Pipeline makes up 45% of the East Coast’s supply of diesel, petrol, and jet fuel. 
• Suncor Energy, a Canadian oil and gas company, experienced a cyberattack in June 2023 that one expert said would likely cost the company millions of dollars in recovery. Customers trying to get gas at Suncor Petro-Canada retail locations couldn’t use credit or debit cards while the company recovered. It took until nearly August to almost completely resume regular operations.  
• ExxonMobil was disrupted in December 2019 by a Ryuk ransomware attack. Ryuk specifically impacted the company’s downstream business, which includes refining, chemical production, and distribution of petroleum products. 
• In 2017, cyber attackers using a new Triton malware attacked the safety systems at Saudi Aramco, the world’s largest oil company. This was the first example of malware used to target safety systems directly. Aramco initially denied the attack, so it wasn’t known until Foreign Policy magazine detailed the attack’s progression. 

Critical infrastructure operators in these and other industry sectors would do well to take a few actions to defend their systems:

• understand their true equipment and device inventory along with its network architecture through the use of discovery tools, 
• adapt their security strategy to focus on data and traffic as opposed to perimeter defense, and
• deploy IoT security tools designed with anomalous behavior detection in mind to ensure they can be readily monitored and risks mitigated from a central location. 

How Asimily Helps Defend Critical Infrastructure

Asimily’s platform simplifies IoT security through a few key capabilities. These include anomalous behavior detection, risk simulation, traffic analysis, and vulnerability scoring. Asimily maps all the IoT devices in your environment, ensuring that critical infrastructure firms have a complete picture of their connected device environment and centralized insight into their risks. 

IoT devices used in critical infrastructure may not be easily taken offline for remediation. Asimily’s risk simulation enables these companies to assess options for mitigating the risk from a given vulnerability on a device. Simulating a fix can help determine criticality and whether the weakness is even of interest to attackers before doing the work. That’s critical information when deciding how to improve your security posture. 

Asimily also provides holistic context into IoT environments when calculating likelihood-based risk scoring for devices. For example, highly networked devices have more inherent risk than ones with few connections. Our scoring considers the compensating controls so you can more appropriately prioritize remediation activities.

Asimily customers efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.

Utilities looking to implement smart technology to improve their operations need a solution like Asimily to address IoT security risks. To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.