Utilities at Risk: Solutions at HandTerry Roberts
The global energy grid is an optimal first strike for any malicious military or economic campaign. And it doesn't take an "army" to make it happen. Even worse, because of the breadth (over 3,200 energy utilities companies in America) and the varying cyber maturity of smaller utilities, sophisticated hackers have already mapped our Energy Grid.
We must explore how one of the most critical of critical infrastructures, the Energy Sector, can move beyond traditional approaches. Employing National Institute of Standards and Technology (NIST) frameworks, Information Systems Security Officers (ISSO) and Cybersecurity Capability Maturity Models (C2M2) provide for good foundations, but best practices should now include risk monitoring, alerting and mitigation.
I come from a Cyber Intelligence and Global Risk background and have always considered the global or national Energy Grids as the logical top cyber targets. It is a "three-for-one" for highly skilled and motivated cyber hackers. By attacking the power grid, a bad actor can potentially take down specific regions upon which 1) governments, 2) societies and 3) economies are now entirely dependent.
A decade ago, focusing on the Energy Sector consumed my professional work. Ironically, I have not had the opportunity to explore it in "Today's Digital Age" until now. Cyber born vulnerabilities and risks across the energy arena are evolving and growing, and our collective focus and interest along with it.
As a Cyber Intelligence professional, I decided to re-investigate and evaluate the state of cyber resilience of the Energy Sector starting early in 2018. Over this past year, I attended or spoke at 5 key forums and had countless straight forward conversations with utility commissioners, regulators, and executives (in associations, companies and government entities) - over 75 conversations in total.
The conversations fell into 3 primary categories:
Enlightened interest: Please tell me what we can and should do that is not disruptive or costly.
I have that covered: Just talk with my cyber person - who is usually Utility and NIST smart, buts lacks broad knowledge of comprehensive cyber risk.
Cyber hurts my head: I don't want to implement anything that will anger my partners, customers or constituents.
Overall, Energy Sector entities are cognizant of current cyber threat actors and methods, and have shown a sincere interest in mitigating cyber risk factors on both the public and private side of the utilities industry. However, as much as we talk about resilience and assurance, even on a case by case basis, very little impactful progress has been made over the last decade.
The most common approach is "working to follow NIST and industry best practices" without any way of establishing a cyber resilience baseline, tracking progress over time or systematically identifying key cyber risks and trends in real time by utility sector or region. Frankly, cyber threat mitigation across critical infrastructure is ungoverned territory at a time of ever evolving and growing risk of cyber disruption.
My premise is: a few foundational and affordable "opt in" initiatives would dramatically raise the Utility Sector's resilience to cyber exploitation and potential "ownership" from state, terrorist or criminal hackers.
Over the past 6 months alone, conversations with U.S. utility providers, regulators, non-profits, and sector cyber experts have been nothing short of concerning. Current risk mitigation approaches appear to be limited to primarily self-reported implementations of selective best practices from NIST, ISSO, Center for Internet Security (CIS), and C2M2 standards. And while these are of course foundational and necessary, they are not sufficient against today's cyber threat vectors and actors. Current best practice standards do not provide real time insight into ongoing indicators of cyber vulnerabilities, risks, capability gaps, or sector-wide mitigation strategies, technologies or policies.
Let's be clear. Mere perceived compliance with industry standards is not even close to being safe in today's evolving threat environment. Modern utility system innovations provide significant exploit opportunities to a broad range of highly sophisticated actors because of the scope of services, the software linkages and dependencies and the growing complexity of utility system architectures.
Where do we stand now?
The global energy sector is under assault on a daily basis. It is a scary but straight forward scene to imagine. A scammer impersonating a service-desk operator in Australia convinces a staff member at a critical infrastructure operations facility to share verification credentials. Suddenly, that staff member's computer is under someone else's control. It's the hottest day of summer, and half of Sydney goes dark and citizens and businesses are left scrambling. The cascading effects go on and on. But is that realistic? Perhaps.
The Australian Energy Market Operator (AEMO) recently announced that it is "ramping up the nation's electricity infrastructure cybersecurity to protect the country's power network," the worlds longest single electricity grid. AEMO is planning to spend around $10 million towards developing a grid-wide cybersecurity program and establishing a Cyber Security Centre in Canberra. AEMO Director, Mr. Daly is trying to incorporate best practices into his organization's operations. "We're not looking to reinvent the wheel here," he said. "We're adapting a number of existing frameworks that work around the world."
In the U.S., the newly established Department of Homeland Security, National Risk Management Center (NRMC) is geared to tackling longer-term, systemic cyber threats that affect the public, private and critical infrastructure sectors. The NRMC lacks operational or regulatory powers, and therefore faces challenges in figuring out ways to nudge critical infrastructure industries towards systemic and impactful cyber security programs. Traditionally, agencies have more carrots or sticks to implement a comprehensive cyber risk management program.
What AEMO and the NRMC do not address, however, is how internally driven electrical grid processes, measures and metrics do not maximize available security and risk technology. These processes and information can easily and affordably be accompanied by open data sets, artificial intelligence (AI) driven analytics, real-time cyber risk ratings, continuous monitoring and risk prioritization to develop a more comprehensive and defensive security posture. And all from the outside looking in.
Why aren't these proven cyber risk capabilities being leveraged to provide critical indicators of cyber risk across both the U.S. and Australian Power Sectors? For the risks they help mitigate, the cost is potentially less than $6M annually, as demonstrated by recent pilot implementations in the Financial and Insurance Sectors.
The AEMO Cyber Security Center is getting closer, already having identified a short list of solutions to exchange threat intelligence with its partners. But an information sharing platform is just one piece of the puzzle.
Legislators in the U.S. are acknowledging the risks to the energy sector more explicitly, evidenced by the passage of the Cybersecurity and Infrastructure Security Agency Act of 2018. The law requires the development of a plan to protect the cyber side of power production, generation, and distribution systems, among other critical infrastructures. Three bills introduced in January also specifically address energy sector cyber risks: H.R. 370, S. 300, and H.R. 359.
While we are gaining some ground on protecting critical infrastructure, the risk environment continues to evolve. There must be a better understanding of the environment as a whole, beyond each individual power station.
As an example, consider this simplified risk trail facing Australia's largest power station, Eraring Power Station. The coal used to fire the plant is delivered by freight rail or truck. Perhaps Aurizon is the delivery company, whose operations extend to partnerships in China and India, among other places. Those operations also lead to several major ports, where the company contracts with an untold number of other operators who manage incoming goods and logistics. And this supply chain continues on and on, down to the supply of raw materials for the manufacture of rail cars or trucks.
With the complex and inseparable nature of business and online recordkeeping and communication, it is easy to pick out a few vulnerabilities in that thought experiment.
Taking advantage of today's commercial cyber risk capabilities makes the security challenge less daunting. With access to broad open network & Industrial Control System (ICS) data sets, AI driven analytics, and instrumentation, there are now commercial grade Information Technology (IT), Operational Technology (OT) and ICS risk rating capabilities that can be leveraged externally and internally. Attaining effective transparency, risk monitoring & mitigation is not an insurmountable task.
Here are a few ways to fully leverage current technology and take advantage of federally funded cybersecurity risk reduction programs, along with built-in tax incentives:
Create an automated, online annual cybersecurity survey (tailored to each Sub-Sector: Power, Water, etc.) that maps to Utility Sector Best Practices (from NIST, C2M2, ISSO and others as appropriate):
Updating and aligning current cybersecurity questionnaires, using more current frameworks to ensure best practices are still the best
Automating questionnaires to enable AI driven data analytics of trends and documentation of issues by region and sector
Providing seamless access to affordable and impactful risk mitigation initiatives, policies and services that map to key survey risk issues and capability gaps.
Implement affordable access to best of breed cyber risk ratings, continuous monitoring, risk alerting and mitigation services sector wide, enabling a majority of risks to be affordably identified and addressed in real time.
Implement Operational Technology (OT) and Industrial Control System (ICS) sensors and sandbox technologies that identify threat vectors and include honey pots to attract and trap adversaries.
ICS sensors, which are a subset of OT, provide an opportunity for improvement in unified monitoring and detection strategies to address threats. Radiflow is a leading provider of cybersecurity for ICS and Supervisory Control and Data Acquisition (SCADA) networks in the utility sector
Sandbox Technologies is a software management strategy that isolates applications from critical systems and other programs
Implement technologies in OT and ICS that identify threat vectors and include the use of honey pots to attract and trap adversaries. D3 Security is a single incident management solution that enables situational awareness across cyber threats, risk assessments and the status of compliance with standards such as North American Electric Reliability Corporation - Critical Infrastructure Protection (NERC - CIP)
[Make an appointment with a WhiteHawk Cyber Analyst about optimal cyber resilience solutions for your utility or suppliers and vendors]
Utility regulators and executives can immediately explore, vet and refine the customizable implementation of one or more of the above impactful and affordable initiatives across their region, sector, company or association. All of these solutions are commercially available capabilities that would measurably impact the resilience of the Utility Sector.
Failing to transition to a truly resilient energy grid at all levels and make near term measurable progress to address key risks makes the rest of our critical infrastructure vulnerable to power disruptions and outages from sophisticated cyber hackers.
In a relatively low profit-margin industry ripe for exploitation and disruption, capitalizing on cutting edge technologies and practices will enable the systemic establishment of a new level of cyber resilience Sector wide. Platitudes of implemented "NIST" standards and guidelines are now foundational but not aspirational. In combination, these efforts must be at the very heart of energy sector business operations in order to tackle the ever increasing cyber security risks of today and the future. Fortunately, the solutions are affordable and accessible.
Do you need information on how to get started mitigating your risks? WhiteHawk can help by providing affordable access to best of breed risk rating and mitigation services across all Sectors.