The cyber threat to grid reliability
Six action areas for protection of utility operations
The delivery of power and water supply has gone digital, and this has altered the risk landscape for utilities. Threats to bulk electric systems (BES) are no longer limited to physical attacks. In today's business landscape, cyber threats and attacks on the BES could lead to serious business issues and public safety concerns.
Cybersecurity is at the top of our national agenda, and utilities are a fundamental part of our national critical infrastructure. Until recently, the industry has tended to look at cybersecurity as IT's problem. Today, we know that cyber threats can impact the BES and become a serious business and public security problem.
Cyber-attacks can lurk as invisible bits of code planted within substation devices: code that can be activated remotely to unleash system unreliability, outages, or in extreme cases, an impact to safety. Though IT professionals have been combating cyber-attacks for more than two decades, this is a relatively new challenge in the operational technology (OT) domain. Addressing it requires new technology innovation, advanced monitoring operations, executive engagement, and a risk-oriented, multifaceted program to be secure, vigilant and resilient.
Skeptics of the impact of cyber threats on BES reliability may ask, “Isn’t it easier to launch a physical attack?” In short, the answer is a resounding “No!” Physical protections are required at substations, control centers and other facilities, and there will always be the risk of a physical incident, but the digital transformation of power and water delivery has changed the business risk landscape.
Consider the ease with which a single individual, coordinated terrorist group or nation state could launch a cyber-attack from 20,000 miles away, without geographic limits, without the risk of physical harm to themselves, and shrouded by the relative anonymity of the Internet. It remains a critical regulatory and ethical obligation to protect consumer credit card and personal information, and a data breach can have serious regulatory and reputational impact, but disruption to the BES could arguably cause far greater harm to business performance, national security, and public safety.
Six areas of action to get started on a BES cyber risk program
1. Achieve NERC CIP 5 compliance but don't be blinded by it
NIST standards and regulations such as NERC CIP are essential reference points for protection of the BES, based on what is known to date about threats and cyber risks. But to get ahead of emerging threats, nothing takes the place of a risk-based program that addresses each organization's unique conditions and environment. IT security teams and operations engineers remain on the front lines against BES threats, but business leaders must have enough understanding of the threat landscape and their risk environment to make sound decisions about how to shape the cyber risk program. Not all investments are equal in terms of risk management value. That many organizations are working with financial and other resource constraints makes it all the more important to focus first on the areas of greatest business impact.
2. Institute a security lifecycle approach to managing the BES environment
IT security should not be an afterthought in the BES environment, or simply a set of technology-based controls. It should be an integral part of the design, operations, and ongoing maintenance routines. Important questions include:
- Have we limited access to BES-related resources to only the people who need access?
- Will third parties need access, and have we instituted the right policies and controls?
- Have we adequately considered security gaps when rolling out new initiatives?
- Do we have a well-disciplined process to upgrade BES devices?
This cannot be an optional task; vulnerability management must become routine and be executed with careful change management controls and pre-tested configuration standards.
3. Engage in cyber information-sharing
Most major cyber attacks, as discussed, occur not as single events but as strings of events over time. If viewed in isolation, it can be impossible to see the big-picture attack "campaign." One of the leading ways to know what to look for, and to develop preemptive strategies, is to engage in information-sharing. This can include opening relationships with local law enforcement offices, participating in self-defined peer sharing, or joining sharing organizations such as the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) or the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
4. Evaluate your monitoring capabilities
Many organizations have disparate monitoring components that provide visibility into particular types of devices, but few have the capabilities that enable cross-domain visibility and correlation. It is also important to integrate physical and IT monitoring systems. Without a single pane of glass and the ability to correlate seemingly disconnected events and activities, important symptoms or patterns of threat activity may be missed entirely until it is too late to prevent major damage.
5. Undertake internal education and cyber awareness-building
Technology-driven security controls are only part of the picture. People are most commonly the weak link that attackers exploit. The entire organization must be on its toes, watchful for suspicious activity, and mindful of their part in protecting the company and the services they deliver to the public. Cybersecurity must be demystified for business leaders who, ultimately, need to guide risk alignment, investments, and response in times of crisis. Effective collaboration must be established across the corporate and operational sides of the business. A cyber-aware workforce takes time to develop, but the time to get started is now.
6. Rehearse your incident response plans
Nothing will educate leaders and stimulate cyber collaboration better than rehearsing your incident response plans and engaging in cyber war-gaming exercises. Most organizations have crisis response plans, but the scope may not be adequate for BES threats, or may segregate the corporate and OT aspects. While IT and OT teams will be essential in the technical work of analyzing and stopping the bleeding, a business leader needs to be at the helm, able to engage other senior leaders to make business continuity decisions, and to rapidly interact with the public, local government, safety organizations, the media, law enforcement, vendors, industry groups, and others. The rehearsal is not a one-time pass/fail event. It is an opportunity to identify and remediate weak areas, both human and technical.