Today’s Security at Risk One vulnerability is tied to the common use of virtual private networks (VPN), which allow employees to work remotely. Improperly configured VPNs often lack proper network segmentation, protective measures and security controls. When a business network is compromised, hackers can “jump the fence” into the ICS network as part of an activity called “pivoting.” Pivoting typically does not happen immediately. It is an insidious, carefully orchestrated process. Hackers often maintain a network presence for weeks and months carrying out research, monitoring and reconnaissance activities – designing the right opportunity for an attack. Many believe that “air-gapped” networks—networks that rely on autonomy from the business network, without WiFi or other connections to the internet—is inherently secure. But while this autonomy is an important security layer, it does not always fully protect the network. Much of the equipment in nuclear and other power plants is highly durable and redundant, with long life expectancies. Most components were designed before cyber security was a major consideration. Therefore, these devices must be properly updated with software and firmware much like our computers at home and work. In order to complete the updates, USB or other devices are connected to the air-gapped devices, which essentially breaks the “gap.” Controls must in place to protect the network from malware or viruses that may be harbored on devices breaking the gap. Black & Veatch has a long history of utility support for network, IT and OT security, resilience and risk management. We recognize that critical infrastructure development requires critical infrastructure protection. That’s why we offer our clients a Security Risk Framework. Clients that implement the comprehensive Security Risk Framework reduce their vulnerabilities, maximize budget effectiveness, minimize the consequences of a breach, and enhance response and recovery. The framework provides for continuous improvement, enabling clients to meet and maintain compliance with evolving regulatory requirements (e.g., NERC-CIP, NIST, AWWA and TSA). Contact us to learn more about what we can do for you.