By Dana Pasquali
Cybersecurity has become a critical part of power grid operations as infrastructure ages and industrial control systems become more integrated and connected. Advanced sensors and automation have ushered in the “Industrial Internet” by connecting machines and maximizing data.
Outdated legacy systems, however, were not built to manage the potential pitfalls of connected systems. As a result, industrial control systems (ICSs) are exposed and vulnerable to sophisticated cyber threats. A recent report revealed hackers successfully breached the U.S. Department of Energy (DOE) 159 times between October 2010 and October 2014. Critical infrastructure has become a primary target for cyber attacks, and therefore must have a process in place for detection, response and recovery.
Many utilities operators are challenged with:
- Inexperience in dealing with security issues
- Legacy equipment from various vendors with no unified security measures
- Difficulties managing remote connections.
Not only must power grid organizations keep operations online for customers amidst equipment failures and extreme weather challenges, they also need to manage security risks to reduce vulnerabilities. To do so, utility organizations should follow three industry best practices that help maintain secure operations, including:
- Understand current security posture: develop a policy through a site assessment, uncovering where vulnerabilities exist in your site, as well as your policies and procedures. This can be according to a standard in alignment with best practices.
- Focus on centralized security management: With one place to be able to see and manage the protection of your industrial control system, you have better visibility in order to gain insight and take action at a site level. By monitoring and mitigating vulnerabilities centrally through multiple layers, you create a true defense-in-depth approach.
- Continue maintenance and assessment: Because the cyber landscape continually changes, maintenance and updates are an important function of security. Like any asset, a successful security program needs ongoing attention, and updating critical areas is key to making sure your posture evolves with persistent threats.
Cybersecurity challenges are not unique to any single industry, and as a result our country faces a shortage of qualified professionals to manage the daily threats and keep business operations running smoothly. Utility organizations, in particular, are confounded by both technical workforce shortages and limited security experience. The greatest threats to the network are people, whether that stems from lack of knowledge resulting in negligence, ineffective processes or inefficient solutions. If there aren’t informative training guidelines available and enforced within the organization, employees will not have a strong foundation of security awareness to inform their daily behaviors and job tasks.
Further, security requirements in the power industry are more complex than in many commercial sectors, because equipment and computers operate across different network layers to protect the most critical equipment at the industrial control level. Many SCADA systems and ICSs were also installed 10 or more years before current technologies and cyber security solutions existed. This results in vulnerabilities that cause loss of view, control or operations. Additionally, most organizations have multiple pieces of equipment from various manufacturers and generations, which make a unified security program difficult to implement and operate.
Even the latest technology has been developed with a focus on operational efficiency rather than security. With a wide range of systems operating across legacy hardware from remote locations, it’s very challenging for operators to manage secure connections and keep passwords updated. Both power generation and distribution can be disrupted through a remote connection breach.
Given the various challenges utility operators confront when managing security, it’s important that best practices are widely shared and understood to limit the number of vulnerabilities and risks for power grid operations.
Best Practices to Address Cyber Threats
Knowing the specific industry risks and looking at the three best practice areas on which to focus, the following ideas will help operators develop a much stronger security posture to ward off growing threats and assure business continuity.
- Current posture assessment. As the saying goes, “you don’t know what you don’t know.” The first step of assessment is understanding your gaps and being prepared to institute policies and procedures in the areas of people, process and technologies. If you don’t know where to start, standards are available based on industry and/or region to help provide best practices for companies to create a baseline security reference architecture that meets their needs.
- Centralized management and visibility. All organizations should have centralized management systems set up to ensure network access points are protected and continuously monitored. By running regular tests and documenting updates and configurations, operators are able to better assess vulnerabilities and keep track of threats entering their system. Potential threats can also be logged and notifications sent to the proper contacts through a centralized system. In addition, centralized management enables security experts to collect and store system components, indexing them for quick and easy retrieval. This approach provides clear accountability for any security incidents, unlike when information is fragmented. Centralized management can also help support strong password management, as well as enforce role-based access control, which requires every user to have a unique username and password. Restricting remote access to a small number of security expert operators dramatically reduces the risk of privileged user threats and remote access breaches.
- Maintenance and validated patch management. Due to the high frequency of attacks against the system, organizations must maintain regular maintenance intervals to keep systems up-to-date. First and foremost, updates to the firewall and IDS/IPS devices can help monitor or protect the control system network for known attack signatures and unusual network activity.
In addition to updating the firewall, utility organizations should have a validated patch management program to prevent unnecessary disruptions in both transmission and distribution. Invalidated patches can have operational and financial consequences, validation a crucial part of patching updates. With validated patch management, the patch is run in a virtual environment on-site or in a lab environment that mimics the plant environment to identify any incompatibilities that may exist before the patch is applied. This allows operators to determine what alterations need to be made to ensure uptime and protection against cyber security threats. Testing also demonstrates that the functional operation of the control and related interfaces, as well as the system communication, is not adversely impacted by the updates.
Industrial cybersecurity is no longer solely the security of assets, networks and data. Cybersecurity is integral to maintaining operations, compliance and safety. Many U.S. utilities are mandated to comply with NERC CIP and International Electrotechnical Commission (IEC) standards that dictate industrial security and remediation technology.
It would seem that everybody knows about cybersecurity, but few people know how to apply it successfully. A successful approach involves implementation and maintenance of up-to-date solutions, following the recommended best practices, and ensuring people are educated and trained. Employing multiple defensive services and technologies will also help utilities increase the reliability, availability, integrity and maintainability of their plant’s critical control systems and related networks.
Dana Pasquali has worked in the oil and gas, energy and chemical industries for the past 18 years within leadership product management, marketing and sales positions. She is currently the product line manager at GE responsible for cybersecurity solutions. Prior to that, Pasquali spent the last eight years leading product management teams at software companies serving the oil and gas and power industry. Pasquali has a bachelor of science degree in chemical engineering from Ohio State University.