Critical infrastructures have faced a barrage of cyberthreats in recent years, and operators now recognize that future attacks are a matter of ‘when’ rather than ‘if’. According to a recent survey by Siemens and the Ponemon Institute utility, 56% of the utilities network operators worldwide, reported at least one shutdown or operational data loss per year and 54% expected an attack in the coming year, as well. Although, recent large-scale hacks have targeted water plants like the one in Oldsmar, Florida, and oil infrastructures like the Colonial Pipeline, electric utilities have taken a big hit, too: up to a quarter of North American electric utilities were affected by the massive SolarWinds hack from last year, according to the North American Electric Reliability Corp (NERC), a non-profit industry regulator.

Tens of millions of dollars in losses, which includes monetary impacts and brand impact all because of passwords. Yes, compromised and / or weak passwords were the common denominator in the major cyberthreats above.

Utility and energy sectors need to move away from the 61-year-old knowledge based authentication process (passwords) and adopt modern authentication services to protect their critical infrastructure.

Below are 3 best practices that critical infrastructure sectors need to adopt to keep the malicious actors out.

• Eliminate centrally stored credentials from the authentication process

Passwords themselves cannot ensure secure authentication for accessing critical infrastructure. With more than 15 billion user names and passwords freely available on the dark web and password reuse at 60%, it makes it easy for the malicious actors to launch credential stuffing attacks, brute force attacks, and password spraying attacks to compromise critical infrastructure.

To enhance security, many organizations are in the process of enabling multi-factor authentication (MFA). However, it comes at a substantial cost: beyond the monetary investment required, MFA adds friction, and can still be compromised with tools freely available on the dark web.

With hacking tools rapidly evolving to include options such as phishing-as-aservice, , malicious actors can easily breach and exploit centrally stored password repositories – allowing them to access to critical infrastructure or at least gain a foothold in the network where they can then move laterally and look for additional vulnerabilities to exploit in order to gain additional privileges.

• Adopt immutable authentication processes

The 2021 Verizon Data Breach Investigations Report found that centralized credentials are the target of 94% of cyber attacks for energy and utility companies — higher than in any other industry. If credentials are not centrally stored and are instead completely removed from the authentication flow, malicious actors can no longer launch password-based attacks on critical infrastructure. “By 2023, we will see a big trend in cyber(security) to adopt decentralized authentication. This will be used in combination with a Zero Trust access controls to secure highly valuable systems in large enterprises and critical infrastructure providers”, says Mike Gillan, Chief Technology Officer and co-founder of BlokSec Technologies Inc.

Immutable authentication services based on decentralized user identities leveraging digital signatures (cryptographic keys), tamper-proof immutable ledgers, and user biometry guarantee a true verifiable identity for each user – providing much stronger user verification than passwords and multi-factor authentication combined.

• Adopt Zero Trust mindset

Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. A single energy and utility organization may have thousands of employees, contractors, and field maintenance teams requiring access from various devices to both legacy and modern cloud-based services. With the core guiding principle of Zero Trust “never trust, always verify” – energy and utility organizations need to explicitly authenticate users for every interaction to ensure that they are who they say they are before making any authorization decisions. Deploying a decentralized authentication that is secure and verifiable is a key component to enabling the Zero Trust security model. After all, if your systems rely on weak and unverifiable user authentication, how can you reliably trust your users’ identities to make authorization decisions?

Embrace Immutable Authentication with BlokSec Verifiable Identity™

The mandatory governance and regulations required by many energy and utility regulators as part of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP), including the new secondary directive from TSA, is enforcing stronger user authentication controls at entry points to electronic security perimeters.  With an average cost of $4.64 million per breach in the energy sector as outlined in the IBM 2021 Cost Of Data Breach report, it is becoming critical that energy and utility organizations adopt modern authentication that reduces risk, increases productivity, and reduces operational costs. Connect with us and find out how BlokSec immutable authentication can help you implement all three of these best practices to secure and future-proof your critical infrastructure, and address the most prevalent identity-related weaknesses and risks identified by CISA.