Drive up to an industrial work site, or walk across a factory floor, and you're likely to see a familiar sign: "X days without a safety incident." Soon, corporate offices may sport a similar, cybersecurity-focused sign.
With the rising urgency of threats to the power grid, cybersecurity is becoming prioritized along with safety.
A strategy based on rules, enforcement and awareness needs to be applied to the power, oil and gas sectors, according to PAS CEO and Founder, Eddie Habibi.
"You can never avoid cyber incidents," Habibi told Utility Dive. "It's almost like safety. We aim for zero safety issues. That's the motto of every industrial company. However safety incidents do happen. Cyberattacks are inevitable. They will happen to some companies."
On-the-job safety has become a primary concern in the last 50 years, since about 14,000 workers were killed in workplaces in 1970. The Occupational Safety and Health Administration was established in 1971, issuing rules and standards aimed at making workplace safety a priority, and since then the number of fatalities has fallen significantly — even as the number of workers has boomed. In recent years, workplace fatalities have hovered around 5,000.
Coincidentally, the first computer virus, known as Creeper, was created in the early 1970s. But in the five decades since, the threat has grown. Not only have hackers become more sophisticated, but industrial control systems (ICS), which had been air-gapped from internet-connected corporate systems, are increasingly online and vulnerable.
So while those industrial systems include security measures and training protocols, Habibi says the growing connections mean a focus on cybersecurity must be paramount in corporate offices. And to be successful, the focus on security must be driven from the top-down and made to be a constant part of business culture.
"Inadvertent human error continues to be the number one threat to cybersecurity, along with safety in the industrial sector, including the electrical grid," Habibi said.
Here are five ways companies in the utility sector can improve awareness of cyberthreats, and better protect employees, customers and data.
1. Make cybersecurity second nature
There are essentially two security tracks which companies must prioritize: industrial systems, which have tools and trainings, and corporate systems, which often do not. Making cybersecurity a part of business culture on both sides is vital.
"The most important things is cyber awareness training," said Habibi. "There must be a constant awareness."
Consolidated Edison, which serves about 3.4 million customers in the New York City area, has made cybersecurity a focus, creating a dedicated security team that includes former law enforcement personnel. "It's important to create a culture of awareness and vigilance throughout the entire company, not just with the cyber experts," ConEd representative Allan Drury told Utility Dive.
Cyberthreats and ways to improve security "are frequent topics of conversation and teaching here," said Drury. "We see cybersecurity as a public safety and customer-protection issue."
"Cyber awareness training needs to start in the boardroom."
PAS CEO and Founder
2. Take a top-down approach
New initiatives and training are often rolled out through human resources or within a corporate group, which can lead to the directives being abstract or lacking context. One way to improve the stickiness of cyber training, is to have the focus come from company leadership.
"Cyber awareness training needs to start in the boardroom," said Habibi. For instance, an initiative could be sponsored by a company's chief, encouraging their subordinates to tackle training and amplify the message.
"The CEO needs to sponsor this, mandating that the CIO and CISO embrace the idea," he said. "That's what will drive awareness and cultural change."
3. Beware stranger danger!
By now, many might think internet safety tips are so pervasive that they are unnecessary, particularly at higher levels in executive positions. But it was John Podesta, Hilary Clinton's campaign manager, who fell for a phishing email that played a part in her doomed presidential bid.
Sure, it may be obvious that a Nigerian prince is not going to send millions in exchange for your banking information. But phishing emails have gotten more sophisticated, leading to the term "spear phishing," where malicious emails are targeted towards specific companies or individuals, rather than broad, generic and more obvious attempts.
"Don't click that email," said Habibi. "You would be amazed how many professionals still do that."
That same logic applies to removable media like USB drives, whether found in the parking lot or free at a trade show. "Don't pick it up and plug it into your laptop," said Habibi.
These reminders must be a constant, particularly as hackers become more sophisticated. Four years ago the U.S. Department of Homeland Security sounded the alarm over malware targeting energy control systems, noting "malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment."
At ConEd and many companies, emails from external sources are flagged, said Drury. "It is clear that phishing is a favorite tactic of would-be attackers ... The banner tells the employee to be cautious."
The utility urges employees to forward suspicious emails to ConEd's security experts. The company also blocks e-mails coming from outside the United States.
4. Create ongoing safety campaigns
Habibi also recommends adopting other tactics that helped OSHA reduce workplace injuries. "Safety stories" are known to be an effective way of creating a workplace culture focused on safety, and the same could work for cybersecurity, he said.
"Start every meeting with a cybersecurity story or awareness moment," he said. "That's what I call cyber awareness training and cultural change. At the highest level, it is awareness."
ConEd's approach to cybersecurity is to make continuous improvements, Drury said.
"It's important to create a culture of awareness and vigilance throughout the entire company, not just with the cyber experts," he said. "Cybersecurity — and the importance of it — are frequent topics of conversation and teaching here."
The North American Electric Reliability Corp.provides ongoing training as well. Bill Lawrence, the director of NERC's Electricity Information Sharing and Analysis Center (E-ISAC), said the organization provides the industry education and training opportunities that include monthly webinars featuring industry and government security experts.
"Utility employees already receive rigorous cyber or physical security education and training from a variety of grid security organizations including the E-ISAC," Lawrence told Utility Dive by email.
5. Take part in NERC events
Every two years NERC hosts GridEx, a simulated attack that allows participating utilities to run through cyber response plans, strengthen connections between organizations and individuals, and determine where improvements need to be made. In addition, NERC hosts an annual grid security conference, GridSecCon.
"Utilities are continually advancing and maturing their security efforts and even their non-technical staff are receiving cyber hygiene training to recognize and avoid cyber attack techniques."
Last year, more than 6,000 individuals participated in GridEx IV, along with 400 organizations. Participation has grown from two years ago, when 4,400 individuals and 364 organizations involved; in 2013, GridEx had 234 organizations and more than 2,000 individuals involved. The drill has been adjusted over the years to keep pace with threats; last year's iteration included "fake news" and disinformation campaigns via mockup social media sites.
The 2017 simulation revealed a need to build better communications between utilities and the vendor community.
The event focuses on establishing connections between utilities and any players likely to be involved in a cyberattack response, including the federal government, first responders and vendors.
"Utilities are continually advancing and maturing their security efforts," said Lawrence, "and even their non-technical staff are receiving cyber hygiene training to recognize and avoid cyberattack techniques."