By Mathias Lilja, MasterCard Worldwide
Economies have changed over the past few decades, from bartering to cash to credit and now to electronic payments. Electronic payments, however, require utilities to provide ease of access and protection at the same time. Utilities need to look at electronic payments as a way to improve the service they provide and drive financial benefits, all with an eye on security.
In the good old days, all it took to keep a business safe was a safe, a strong door and a deadbolt. Times have changed since then, and many modern criminals can steal an organization's valuable information and data from half a world away.
Using just a computer with Internet access, savvy cybercriminals can now remotely enter a company's unprotected computer systems, virtually undetected, and find a wide range of employee and customer personally identifiable information (PII): full names, Social Security numbers, driver's license numbers, dates of birth and even credit or debit card numbers.
If sensitive PII data are stolen, the theft can lead to serious financial losses for a utility and erode the hard-earned goodwill and trust that took years to build. It's crucial, therefore, for businesses to understand common online attack methods and to take the necessary steps to protect data and information systems in order to minimize the risk of a major data breach. Data protection and the information security controls required to deter hackers are only as good as their weakest point, however. Therefore, ongoing due diligence and robust system penetration testing are necessary to identify existing and potential data security gaps and prevent criminals from obtaining and selling that data.
Common Cybercriminal Attack Vectors
There are numerous reasons why organizations fall victim to data breaches, including:
- Application vulnerabilities. SQL injection is the most common form of attack preferred by cybercriminals. Often this tactic is one of the very first attempts by a hacker to gain unauthorized access to a company's network. SQL injection attacks are relatively easy to construct and perform because of common application vulnerabilities and the straightforward way a website identifies and executes its scripts. To protect against this type of attack, ensure that Web application code is written securely during development phases, databases are configured properly, and Web application firewalls are being used. Organizations should regularly test all applications for security flaws. Even commercial off-the-shelf applications may contain vulnerabilities that compromise a company's security. Home-grown applications should go through a strict software development life cycle that includes testing for the known vulnerabilities of the chosen platform and input validation for any Web-facing application. (See the sidebar on Page 86 for details on SQL injection.)
- Remote access. Technologies that allow employees or vendors access to organization resources via the Internet or a modem may represent a serious vulnerability for a utility. Organizations can avoid unauthorized access via remote solutions if they properly define approved remote access methods and two-factor authentication requirements. (Two-factor authentication requires two forms of user verification for higher-risk access points, such as those originating from outside the network or when accessing networks of higher security from networks of lower security. In addition, remote access should be employed on an as-needed basis and all sessions should be logged.)
- Ineffective patch management. Evidence shows that the victims of account data compromises could have avoided the events if they had a strong program to identify and patch vulnerabilities on external-facing systems. Regular vulnerability scanning and timely patch management are both critical steps to ensure system vulnerabilities are not exploited by hackers.
- Weak network security/flat networks. Not every cyberattack leads to a data loss. Hackers may break through one perimeter layer but remain unable to reach data because of the layers of network security within the network. It is essential to segment a network's data environment from the rest of the corporate network and from publicly accessible wireless networks. (Without adequate network segmentation, a utility's entire network and database resources can be targeted by hackers via SQL injection or via remote access over third-party connections. Segmentation can be achieved by using internal firewalls, routers with strong access control lists and other technology that restricts access to a particular segment of a network.)
- Lack of real-time security monitoring. Evidence also demonstrates that if security monitoring had been in place, victims of data compromises could have reacted more quickly or minimized the impact by acting on security alerts. Most compromised entities are notified of the breach by a third party, and that initial notification may come weeks or months after the original breach took place. For that reason, all organizations that transmit or store PII data must have ongoing system monitoring in place. Organizations should monitor all firewall logs and trigger alerts on suspicious activity. Organizations also should monitor anti-virus software and its logs. Anti-virus software should be used on any system commonly affected by malware to protect against current and evolving malicious software threats. New forms of malware can spread quickly, sometimes within hours of being introduced by the hacking community. It's important, therefore, that anti-virus software is regularly updated to help mitigate new attack streams.
- Third parties. Utilities always should know who is connecting into the company's networks. A growing trend among cybercriminals is to avoid direct attacks on organizations and, instead, target third-party partners that have network access via an established and trusted business connection. (Organizations should have a program in place to evaluate all third-party connections, monitor all access and ensure that partners maintain a robust level of data security.)
- Lack of a data retention policy. How can an organization protect what it doesn't know it has? In many data breach cases, the stolen data were being stored without the organization's knowledge. There were no policies in place to ensure that data were stored or deleted according to appropriate business rules, and nobody knew when, where and how the data were stored. A good protocol: If a utility doesn't need the data for a business purpose, it should not retain the data. If data must be retained, then organizations need to ensure data retention policies are in place and procedures are followed, updated and enforced.
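The segmentation and firewall-log monitoring points above, as an added example that is not from the article: a small monitor that reads constructed firewall log lines and raises an alert when a permitted flow leaves the hypothetical cardholder-data segment (10.20.0.0/24) for anything other than the assumed payment gateway host, or when one source is denied repeatedly. The log format, addresses and threshold are all assumptions for this example.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical policy: the cardholder-data segment may only reach the payment
# gateway over HTTPS; five denied attempts from one source count as a probe.
CARD_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_EGRESS = {("10.10.0.5", 443)}
DENY_THRESHOLD = 5

# Constructed log format (not a real vendor's): one connection event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines should be counted and reviewed too
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev

def analyze(lines):
    # Returns the list of alert strings for the given firewall log lines.
    alerts, denies = [], Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src = ipaddress.ip_address(ev["src"])
        # Rule 1: a permitted flow leaving the card segment for anything other
        # than the approved gateway means segmentation is not holding.
        if (ev["action"] == "ALLOW" and src in CARD_SEGMENT
                and (ev["dst"], ev["dport"]) not in ALLOWED_EGRESS):
            alerts.append(f"segmentation: {ev['src']} -> {ev['dst']}:{ev['dport']} at {ev['ts']}")
        # Rule 2: repeated blocked attempts from one source, reported once.
        if ev["action"] == "DENY":
            denies[ev["src"]] += 1
            if denies[ev["src"]] == DENY_THRESHOLD:
                alerts.append(f"probe: {ev['src']} denied {DENY_THRESHOLD} times by {ev['ts']}")
    return alerts

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "2011-06-10T02:14:01 ALLOW src=10.20.0.15 dst=10.10.0.5 dport=443 proto=tcp",
    "2011-06-10T02:14:02 ALLOW src=10.20.0.15 dst=203.0.113.9 dport=80 proto=tcp",
] + [f"2011-06-10T02:15:{s:02d} DENY src=198.51.100.77 dst=192.0.2.10 dport=1433 proto=tcp"
     for s in range(5)]
```

Running analyze(SAMPLE_LOG) yields one segmentation alert and one probe alert; a real deployment would feed these into the alerting pipeline rather than a list.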
Payment Card Industry Data Security Standard
To help utilities that handle payment card transaction data keep that information protected from compromise, the major credit card brands formed the Payment Card Industry Security Standards Council. The council's goal is to facilitate the broad adoption of consistent data security measures on a global basis. Under this mandate, the council developed the Payment Card Industry Data Security Standard, otherwise known as PCI DSS, a comprehensive set of requirements for enhancing payment account data security that helps organizations proactively protect cardholder account data.
The PCI DSS requirements provide a framework for industry stakeholders to prevent, detect and minimize the impact of a data compromise. Although there is no silver bullet that completely deters cybercriminals, studies show that companies that achieve and maintain PCI DSS compliance reduce their chances of becoming the victim of a breach, in part because the standard encompasses a robust and layered approach to security.
Cybercriminals are looking for the slightest weakness in a system to steal valuable data and information. Utilities, therefore, should take steps to stay up to date on the latest hacking schemes, the tools these criminals use and the inherent risks associated with storing and transmitting industry-specific data.
By taking the necessary steps to protect sensitive systems and critical data, an organization can help safeguard itself against the potential damage to both its bottom line and reputation posed by a data breach event.
Mathias Lilja is MasterCard Worldwide's senior business leader of U.S. market development.
MORE INSIGHT AT http://power-grid.com
Sidebar: SQL Injection
What does SQL stand for?
Structured Query Language.
What is SQL?
A programming language for databases.
What is SQL injection, exactly?
A SQL injection is a form of website cyberattack in which the criminal alters the SQL statements a website sends to its database in order to extract database information: names, emails, credit card numbers. The altered SQL statements force the site to perform database operations such as dumping database content or sending that content to the attacker. SQL injections exploit software vulnerabilities that arise when user input is incorrectly filtered for characters that have special meaning in SQL statements.
Is there a recent real-world example of an SQL injection attack?
In June of last year, pop musician Lady Gaga's website was hacked using an SQL injection attack, and thousands of her fans' personal details were stolen. Names and emails were accessed. An SQL injection vulnerability for her website was posted on a hacker forum before the attack.
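The input-filtering flaw the sidebar describes, and the input validation and secure coding the "Application vulnerabilities" item calls for, shown side by side as an added example that is not from the article: a lookup that pastes user input into the query text next to one that validates the input against an allowlist and passes it as a bound parameter. The billing table, account-number format and SQLite database are assumptions constructed for this example.

```python
import re
import sqlite3

# Hypothetical account-number format: exactly four digits (an allowlist check).
ACCOUNT_RE = re.compile(r"\d{4}")

def build_db():
    # Constructed in-memory table standing in for a utility's billing database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        ("1001", "Ada Example", "ada@example.com"),
        ("1002", "Bob Sample", "bob@example.com"),
    ])
    return conn

def lookup_vulnerable(conn, account):
    # Untrusted input is pasted into the statement text, so characters with
    # SQL meaning in the input change the query itself instead of being a value.
    sql = "SELECT name, email FROM customers WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()

def is_valid_account(account):
    # Input validation for the Web-facing field: reject anything that is not
    # shaped like an account number before it gets anywhere near the database.
    return ACCOUNT_RE.fullmatch(account) is not None

def lookup_safe(conn, account):
    # Validation plus a parameterized query: the value travels separately from
    # the statement text, so the database never parses it as SQL.
    if not is_valid_account(account):
        raise ValueError("account number must be exactly four digits")
    return conn.execute(
        "SELECT name, email FROM customers WHERE account = ?", (account,)
    ).fetchall()

if __name__ == "__main__":
    db = build_db()
    # A malformed input: the vulnerable lookup returns every row (the "dump
    # database content" case in the sidebar), the safe one refuses it outright.
    malformed = "' OR '1'='1"
    print("rows returned by vulnerable lookup:", len(lookup_vulnerable(db, malformed)))
    print("safe lookup accepts the input:", is_valid_account(malformed))
```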