Cybersecurity Best Practices for Utility Fleets

If you’re a utility fleet manager who isn’t thinking about cybersecurity, the question is, should you be?

Cyberattacks on utilities increased by more than 200% in 2023, according to a report from asset intelligence firm Armis (www.armis.com). In May, the U.S. Environmental Protection Agency warned water utilities of a heightened risk of attack from foreign states.

Over the past few years, utilities have been disabled by breaches that have impaired service to customers and disrupted payments and other activities. Water providers and the electric grid have been favorite targets for bad actors who demand ransom or cause operational problems.

Ransomware is a common type of attack. The attackers don’t care about the utility’s operations. They simply shut off access to information technology systems and will only turn it back on in exchange for payment. Other attacks are bent on destruction for nefarious commercial and geopolitical purposes.

Attackers have found their way in through devices still using default passwords or employees providing their login information through a social engineering hack. Could fleet vehicles be a new route for cyberattacks?

With the addition of electric and connected vehicles to fleets, the number of attack vectors finding their way into utilities is multiplying, according to Sameer Tejani, a director at global strategy consulting firm Stax (www.stax.com).

“Vehicles are collecting a lot of data related to utilities and infrastructure and also customer information, so there are many different points of exposure,” he said. “It represents a huge risk, but it’s an area where we don’t see a lot of focus because it is a smaller portion of the broader cybersecurity world.”

How can utility fleets defend against cyberattacks?

First, understand that fleet cybersecurity is a shared risk. Compare it to the world of cloud computing, where responsibilities are divided between security of the cloud and security in the cloud. A cloud provider like Amazon Web Services is responsible for its infrastructure. Users of the cloud are responsible for their applications and databases.

The same holds true in the fleet management world, with a growing number of telematics and other internet-connected services creating shared risks among providers and fleet operators. Each connected vehicle or asset is actually an endpoint on the internet.

“The distributed nature of fleets and the high number of stakeholders make it difficult to clearly define cybersecurity responsibilities,” said Ryan Cryar, a cybersecurity and resilience researcher at the National Renewable Energy Laboratory (www.nrel.gov). “It is ultimately the responsibility of each organization to ensure that their portion of this distributed technology is secure and requires the purchasers to do due diligence in understanding the cyber maturity of the product.”

Fleet cybersecurity should be part of a utility’s overall IT security policies and procedures.

“Adoption and integration of fleet technology comes with cyber risk, so it is important to assess the technology, its capabilities, and understand where the boundaries need to be drawn such that it only has the required pathways for it to function,” Cryar said. “Given this complexity, it can be difficult to pinpoint where there are cybersecurity gaps or attack vectors if there is insufficient visibility into these systems.”

Some breaches have come through contractors and suppliers, so it’s critical to recognize those risks as part of overall security standards.

“Each organization needs to ensure that they have mature cyber practices, including assessing the cyber practices of their suppliers and partners,” Cryar said.

While managers come to grips with the risks of a connected fleet, cybersecurity best practices are essentially universal. Securing technology appears to be the easy part. The difficulties lie in ensuring people working with the equipment are well trained to recognize and prevent problems.

“The No. 1 threat from a cybersecurity standpoint is still the users who didn’t have to log in to a system to go to work before,” Tejani said. “The No. 1 priority for fleets is training and best practices around all elements of data security.”

About the Author: Gary L. Wollenhaupt is a Colorado Springs-based freelance writer who covers the transportation, energy and technology sectors for a variety of publications and companies.

7 Best Practices to Know About

Basic cybersecurity hygiene is the first line of defense against attacks, more so than exotic technology solutions. Here are seven best practices to know about.

1. User training. The biggest vulnerability is users, both internal and third parties. Require documented training for employees and contractors.

2. Strong passwords. Change default passwords on all devices and use strong passwords.

3. Prevent phishing attacks. Training users will help them avoid providing unauthorized access through emails and phone calls.

4. Understand responsibilities. Be clear on the utility’s security responsibilities versus those of providers.

5. Endpoint security. Identify and mitigate vulnerabilities of vehicles and connected devices.

6. Backup and recovery systems. Have systems for fast recovery in the event of an attack on critical systems, including fleet operations.

7. Operational resilience. Develop a plan for the eventuality that an attack will succeed, including how your fleet and utility will respond.

Cybersecurity Resources

• U.S. Department of Energy (www.energy.gov)
• Joint Office of Energy and Transportation (https://driveelectric.gov)
• National Institute of Standards and Technology (www.nist.gov)

NAFA Fleet Management Association, the vehicle fleet industry’s largest membership association, announced Samsara as the winner of its 2024 Innovations Showcase at its annual Institute & Expo (I&E) in San Antonio, Texas. Through the People’s Choice Award, I&E attendees had the opportunity to vote for their favorite innovation. This award went to Samsara, who presented their AI-Powered Safety Solutions, a single platform for businesses’ operations data, including video-based safety, vehicle telematics, apps and workflows, smart equipment and site visibility. … Autofleet, an optimization platform for fleets and transportation providers, recently launched Autofleet Nova, the industry’s first fleet-specific large language model powered by advanced AI to help fleet operators use plain language to gain comprehensive insights across their operations. Using Nova, fleet professionals can get answers that are both comprehensive and would otherwise require complex queries and coding by a team of analysts and developers. … Wheels has announced the launch of Pool CheckOut, its new end-to-end solution for managing shared vehicles. Pool CheckOut is designed to improve fleet productivity by providing organizations with a seamless, self-service digital tool that allows drivers and administrators to reserve and check out vehicles.