How are energy and utility companies thinking about edge computing and the security of that edge?
A newly released report from AT&T looks specifically at how this sector is making use of edge computing and related security concerns. According to the September 2021 survey on which the report is based, 77% of responding energy and utility (EU) companies have already, or plan to, fully or partially implement at least one edge use case. And they are also worried about the security of such use cases: 79% of EU respondents said that they think there is a “high” or “very high” likelihood of a compromise, within three years, in at least one of the use cases intended for production.
While retail, the public sector and manufacturing have the most mature deployments of edge use cases, about 40% of the surveyed use cases in the EU sector were considered “mature.” That shouldn’t be read as a lack of interest compared to other verticals, AT&T said—most edge use cases in EU were in “mid-stage” development, and it’s probably more the case that the mission-critical nature of utilities’ work means that they are taking things slowly and carefully.
“Given the critical importance of this sector to well-being and safety, it could be argued that higher levels of maturity may justifiably take more time to safely achieve,” the report said.
The report is based on a subset of data from a larger edge and security-centered survey of market segments that included energy and utility companies as well as companies in manufacturing, healthcare, retail and more. The survey of more than 1,500 security, IT and operations professionals was conducted in September 2021. For EU respondents, the survey dug into edge computing use cases that included intelligent grid management; connected field services; leak detection; geographic infrastructure exploration, discovery and management; mission-critical voice, data and video; remote-control operations; self-healing assets; and video surveillance and site inspection.
The edge use case with the most maturity in adoption by energy and utilities was geographic infrastructure exploration, discover and management (adoption reported by 63% of respondents). Meanwhile, remote-control operations has already been adopted by 47% of the EU respondents, and video-based site surveillance and inspection has been adopted by 41% of respondents. But the highest rate of either “mid-stage” or “mature” adoption of edge computing in infrastructure leak detection (82%).
In terms of cybersecurity concerns, EU respondents had slightly different priorities than other sectors. While ransomware was the top concern among other sectors, it was second for respondents in energy and utilities (perhaps surprisingly, given that a major ransomware attack took down the operations of the Colonial Pipeline supplying fuel to nearly half the Eastern seaboard last year); their top concern was “sniffing” attacks against the Radio Access Network. Ransomware actually tied for second with concerns about attacks on 5G core networks and attacks against user or end-point devices.
“Classic cybersecurity controls, such as patching systems when a vulnerability is discovered, does not work when that patch requires bringing down an entire oil refinery or wastewater treatment facility,” the report said.
While ransomeware was the top concern among other sectors, it was second for respondents in energy and utilities (perhaps surprisingly, given that a major ransomware attack took down the operations of the pipeline supplying half the Eastern seaboard last year); their top concern was “sniffing” attacks against the Radio Access Network. Ransomware actually tied for second with concerns about attacks on 5G core networks and attacks against user or end-point devices.
“These concerns paint a picture of the need to protect (and the challenge of protecting) the most critical components of the network, supporting infrastructure, and OT devices,” the report said. It also noted that per the survey, dedicated denial of service attacks (DDoS) were ranked as the area of least concern—but AT&T warned that even if it seems like an edge, particularly one with AI making local decisions, might be less vulnerable, there are indirect factors in play that could affect services and functions. “Stakeholders need to factor in how long a given edge computing use case can remain functional while under a sustained DDoS attack. How long can the AI systems make the appropriate decisions in a vacuum without having access to the back-end IT systems that maintain their configurations? For edge cases, such as remote-control operations, a DDoS attack could be devastating, and thus different compensating controls may be required to survive this type of attack,” the report said.
Among the recommendations for EU companies:
-Since the EU sector is getting extra attention from regulators on the state of cybersecurity, have a fully vetted response plan with an understanding of trigger points for reporting/communications with various stakeholders and governmental agencies.
-For some legacy or discontinued operating systems that are still in use, “the cybersecurity infrastructure simply doesn’t exist” for them and alternatives such as vulnerability scans, microsegmentation and and threat hunting should be considered, the report said.
-In an evolving industry, cybersecurity should be continuously reviewed for what works and what needs to be put in place for future-proofing, including consulting with outside experts. AT&T suggested that service providers should be consulted for insights on road maps for current and proposed use cases, and that it is “likely that a service provider can be found that has done all or most of what [the] organization is considering. … Better to follow someone else who has been “on the bleeding edge” already than to be the pioneer that gets exposed.”
Read the full report and a related blog post from AT&T here.
