It’s never a long wait until the next data breach hits the headlines. Recently, companies such as Whole Foods, Macy’s and British Airways have all suffered data breaches.

For the utilities industry, a data breach could have serious consequences — not only for the company under attack, but for the public that relies on the company’s services. A report estimated that a cyber attack on the electric distribution network in south and east U.K. could cause disruptions in transport, digital communications and water services for 13 million people and cost the economy between £49 billion and £442 billion.

Which companies have experienced data breaches?

The big wake-up call for the utilities industry came in 2010 when Stuxnet, a malicious computer worm, attacked SCADA (supervisory control and data acquisition) systems. Stuxnet targeted machines using the Microsoft Windows operating system and was able to exploit zero-day flaws, which enabled it to infiltrate machinery used to control assembly lines. The attack was a major eye opener for the entire industry, proving how serious a cyber attack could be.

PG&E was fined $2.7 million for security oversights that allowed hackers to gain remote access to the power provider’s systems. More than 30,000 company records were left unprotected, including usernames and passwords, which could aid a malicious attacker in using this information to breach the secure infrastructure and access critical cyber assets.

hands with phone

The list of companies falling victim to cyber attacks continues to expand. With the introduction of GDPR in 2018, companies are required by law to disclose a breach to the public in a timely manner if any EU residents are involved.

The utilities industry is fast becoming a target for hackers. While a successful attacker can have a huge potential payoff, the residual damage can be exponential. A 2016 report from Cambridge University’s Centre for Risk Studies found that 15% of all cyber attacks logged in the U.K. were within the energy sector. This was second only to financial services, the most ‘at risk’ industry.

In response to these growing risks, U.K. energy companies have set up a cyber security group that shares new developments and best practice guidelines.

But it’s not only the energy sector that needs to stay on guard. According to EmergIn Risk, three quarters of utility companies have experienced a data breach in the past 12 months, with average clean-up costs around $156k per breach.

Why are utility companies particularly vulnerable?

The industry itself has inherent risks. It is heavily reliant on a supply chain that can often be difficult to manage. If there is one lesson from the TalkTalk breach in 2015, it’s that the biggest and best-known name will end up taking the blame — even if the breach occurs further down the chain.

Utility companies also have large employee networks, with a high number of employees working remotely — away from offices and the protection of on-site infrastructures. These companies also need to watch out for attackers imitating them to gain access to customer data. Utility companies are often used in phishing emails to trick unknowing individuals into providing their data. In fact, this is exactly what happened to TalkTalk customers when their data was leaked. Individual data was sold to criminals who used the information to gather bank details from unsuspecting victims, who thought they were speaking with TalkTalk advisers. With all customer account details readily available, these cyber criminals did not have a hard time convincing people they were legitimate.

cellphone at night
Where does mobile come into this?

The breaches outlined above all came through desktop attacks. However, mobile is rapidly becoming the biggest new threat vector when it comes to corporate attacks. Internet traffic on mobile devices has already surpassed desktop traffic and this trend shows no signs of slowing down.

For utility companies, the high amount of mobile workers has led to an increase in the number of corporate-owned devices distributed to employees. These devices are largely unmanned. They are frequently lacking the corporate protection of secure web gateways and firewalls, left to roam free as they connect to numerous different networks. The unrestricted access mobile devices provide workers has opened up a wide range of security risks.

What are the risks associated with mobile devices?

Malware

From Wannacry to NotPetya, malware is well known to wreak havoc, particularly for devices running Windows. Mobile malware is also on the rise and can target Android or iOS devices.

According to Wandera research, the number of malicious malware installation packages found targeting mobile devices more than tripled in 2016, resulting in almost 40 million attacks globally. Mobile devices are essentially mini spy gadgets, with cameras, microphones and substantial amounts of sensitive data, both personal and corporate. When a device is infected with malware, an attacker can gain full access to all of this data.

Wandera conducted some deeper analysis on utility companies, looking at a sample of over 10,000 devices within its customer base. Based on 2018 data, Wandera found that 2% of devices were likely to have malware downloaded. While this does not seem like a particularly high percentage, malware can range from fairly harmless adware to much more serious threats, such as spyware, banker malware or ransomware.

Earlier this year, Wandera uncovered a zero-day malware variant called RedDrop, which was lurking within a number of corporate-owned employee devices. RedDrop inflicts financial costs and critical data loss on infected devices. The 53 malware-ridden apps were able to exfiltrate sensitive data, including audio recordings, and dump it in the attackers’ Dropbox accounts to prepare for further attacks and extortion tactics. Although instances of malware within utilities firms are small at the moment, one bad app could lead to a data breach.

Phishing

While malware is a major concern for utility companies, the industry’s biggest threat is phishing. Wandera research shows that a new phishing site is created every 20 seconds. In addition to growing in number, fake pages are becoming increasingly difficult to distinguish from the real pages they are posing as, often created as templates of trusted companies such as PayPal or Amazon.

There are also some inherent risks that make mobile users easier targets for phishing attacks. The way we use mobile devices is different from the way we interact with laptops and desktops. There is still a general consensus that mobile devices are more secure, which is an increasingly incorrect assumption.

Additionally, URLs can be easier to hide on smaller screens, which can trick users into clicking links on mobile devices. Whether it be email, SMS or WhatsApp messages, mobile users are three times more likely to click on a phishing link from a mobile device than they are on a laptop or desktop. For companies that have a large number of remote workers accessing corporate resources on mobile devices, this is a major issue.

Wandera data indicates that utility company employees are not only receiving phishing links, but actually clicking on them. For a company with an average of 100 devices, nearly 30 people click on phishing links every month. It would take only one person to give away a password, for example, opening the doors to a corporate network for attackers.

How can utility companies protect themselves from cyber attacks?

As previously mentioned, the utilities industry is currently the second biggest target for cyber attacks. Most companies within this industry have taken steps to protect their infrastructures. But in most cases, mobile devices still fall outside this protective wall. A Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution is a solid first step in protecting devices, giving companies the ability to remotely wipe devices if necessary.

But for full coverage, utility companies need to be investing in a Mobile Threat Defense (MTD) solution, ideally one with a mobile gateway that can protect against network attacks, and not just app-based insecurities.