Chip Scott, Justin Lowe, and Amanda Levin 2016-01-25 02:36:21
A Holistic Cyber Strategy

Security must be organizational – simply complying will leave you vulnerable.

Cyber incidents used to be sporadic. Now they’re front-page news. Sony Pictures Entertainment, Target, JPMorgan Chase, and Anthem count as just a few of the most recent casualties – now known not just for the products they sell and the services they provide, but also for the data breaches that have damaged their reputations.

For utilities, security has been on the radar for some time now, with baseline standards under development since the early 2000s. The Energy Policy Act of 2005 created an Electric Reliability Organization (ERO) to develop and enforce mandatory cybersecurity standards. The North American Electric Reliability Corporation (NERC) was designated as the ERO in 2006 and has worked with electric power industry experts to develop the NERC Critical Infrastructure Protection (CIP) standards, which were approved by the Federal Energy Regulatory Commission (FERC) in 2008, making them mandatory for owners and operators of the bulk electric system. These standards have been updated since 2008 as threats continue to evolve. The latest set of CIP standards, Version 5, approved by FERC with modifications in November 2013, is set to take effect in April 2016, and the utility industry is considering how it will comply with this latest version and with future ones.

Yet even technical compliance will likely not prove sufficient to address the growing threats, as we’ve seen a noticeable uptick in cyber threats in the energy sector over the past few years. According to the U.S. Department of Homeland Security, 53 percent of the 200 incidents responded to by its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) between October 2012 and May 2013 were directed toward the energy sector.

But beware a false sense of security. Utilities are not immune to attacks. In fact, electric utilities today run the danger of getting lost in the weeds.
They’re busy complying, but utility cyber standards are aimed only at protecting critical assets. They don’t cover the whole business. The energy sector today faces unique threats on both its business and operations sides. On the business side, examples of cyber threats include data theft, denial of service attacks, web site defacement, and customer information disclosure or privacy breaches. On the operations side, cyber threats could target the generation and delivery of power. The greatest threat to electricity delivery is a sophisticated and coordinated cyber-physical attack on the operations side, aimed at causing power outages. These threats demand going above and beyond what the regulators want. After all, a big, newsworthy breach at an energy company could be catastrophic.

The Strategy Defined

For utilities to bolster their cyber defense, they will need to adopt a holistic cyber strategy across their businesses. We recommend that utilities identify an executive in the “C-Suite” to be placed in charge. Here are some thoughts on what that responsibility might entail.

First, put in place a cross-functional cybersecurity team, spanning information technology and the operations side of the business, to scan the horizon for change and understand the threats facing the organization in real time.

Second, pay close attention to the human element. After all, that’s often the weakest link. Check the people being recruited and monitor them continuously once they join the company.

Third, make sure that cyber requirements are built into the supply chain. Cyber attacks increasingly infiltrate organizations through vendors and support services. Make sure these vendors are secure before they enter your domain.

Fourth, exercise and test your company’s overall cybersecurity protection on a regular basis. Techniques such as penetration testing have been used for a while now to check the technology being used.
Firms should also be validating the human aspects of their cyber defense. Conduct social engineering campaigns on samples of the company. That’s a great way of raising awareness – focusing on specific individuals who are likely to be targeted by hackers. Another highly effective way of helping people understand the true risks is to show employees how a hacker can obtain their personal and work information and what they can do with that information once they have it in hand.

Lastly, don’t overload your employees with rules and requirements, even as you educate them and alert them to risks. For example, many companies’ cybersecurity awareness campaigns consist of 20 things not to do, but most people will remember only one or two of those points. The takeaway is to keep it simple and continuous.

Time is truly of the essence, as electric utilities are rapidly undergoing a digital transformation to become what PA Consulting has dubbed The Next Generation Utility. As utilities put more intelligent devices on the network and those communications become smarter and more interconnected, it will prove ever more challenging to secure those devices, which do not necessarily fall under NERC CIP regulations. In a bid to make power networks more reliable, utilities are deploying smart technologies to manage the networks better. The end result could be that reliability is adversely impacted, as the solutions may unknowingly make the networks more susceptible to cyber events.

The mindset right now among many electric utilities is that they are building a smarter network and that network needs to be in compliance. The most prudent course of action is for a system to be secure by design: when it is being created, the utility needs to understand the risks, perform a risk assessment, and make the system secure as it is being designed.
THE HITS KEEP COMING

The story of ‘Ugly Gorilla’

In 2014, a cyber-attack perpetrated by “UglyGorilla” – a hacker alleged to be based in China – infiltrated the computers of a public utility company in the northeastern U.S. He plucked schematics of its pipelines and sought access to systems that regulate the flow of natural gas and channels, which could potentially cut off a city’s heat or make a pipeline explode. Among UglyGorilla’s many energy industry quarries in 2012 were the e-mail accounts of executives and managers at utilities in Pennsylvania, New Jersey, and Georgia.

The list of examples goes on:

• 2015: BlackEnergy malware targeted specific control systems in critical infrastructure
• 2014: Havex attack targeted energy and utilities companies via spam emails and compromised vendor websites
• 2012: Shamoon attack caused massive business disruption after around 50,000 computers were taken out of service at Saudi Aramco
• 2011: Night Dragon malware stole valuable information from oil and gas companies
• 2010: Stuxnet malware attacked the Iranian nuclear fuel processing industry

Yet consumers still expect their utility to be reliable and secure. Lives depend on it.

–CS, JL, AL

Chip Scott (Denver office), Justin Lowe (London), and Amanda Levin (Greater New York City) are energy and cyber security experts at PA Consulting Group. Mr. Scott focuses on system integration, and worked previously with Black & Veatch, Enspiria Solutions, and Schlumberger. Mr. Lowe specializes in energy sector cyber issues, with over a decade’s experience in industrial control systems and SCADA security. Ms. Levin is a journalist who worked previously with the Financial Times Group.
Published by Public Utilities Reports, Inc.
This page can be found at http://mag.fortnightly.com/article/Workforce+Management/2378109/288550/article.html.