The following is a guest post from Stan Pietrowicz, senior principal, and Tony Bogovic, vice president at analysis firm Vencore Labs. To submit a viewpoint article, please review these guidelines.
Calls for increased cybersecurity are putting pressure on organizations across industries. We’ve seen hackers target entertainment, retail and government organizations. These incidents brought cybersecurity into the spotlight and created a sense of urgency for executives to bolster security efforts.
Concerns are increasingly prevalent in the energy sector. U.S. electric utilities and critical infrastructure are prime targets. Threat actors have even shifted from enterprise attacks seeking information/data to attacks aimed at disrupting operations.
The most notable examples involved hackers targeting Ukraine utilities in December 2015 and again in December 2016. The 2015 attack involved substantial planning to gain credentials and access the distribution system, and it left about 225,000 customers without power. A year later, a similar attack cut power to parts of the Ukrainian capital of Kiev.
Another incident in Finland included a Distributed Denial of Service attack that cut off heat to two buildings. And most recently, the Petya ransomware cyberattack forced Ukraine’s national power grid company, Kievenergo, to shut off all of its computers, in additional to impacting operations of airlines, banks and a large energy company in Russia.
These are all examples of how hackers today are engaging in cyberattacks on connected infrastructure.
No public, Ukraine-like attack has happened in the United States, but utilities and other critical infrastructure organizations should be on high-alert. To operate safely, utilities need to recognize that changes in their operational environments also mean new security practices are needed. As multiple services and networks are added, utilities need the ability to accurately assess risk and make appropriate security decisions.
New threat environment, greater complexity and automation require a new approach
United States utilities have been combating cyber threats for years and continue to face threats on a daily basis. However, the threat landscape is changing and continues to expand. The volume of attacks is going up, threats are more sophisticated and today’s Internet of Things (IoT) environment makes it difficult for utilities to rely on their traditional defenses.
Utilities are becoming increasingly complex, with greater dependence on energy automation, increasingly dynamic transmission and distribution systems with more distributed intelligence and field sensors, all tied together over a growing heterogeneous wide area network infrastructure often relying on wireless networks.
These smart energy systems offer improved reliability and operational benefits, but they also introduce potential vulnerabilities by increasing a utility’s overall attack surface. Utilities need to manage these risks, beginning with a thorough understanding of the real-world weaknesses inherent in their networks and solutions.
The bottom line is U.S. electric utilities and other critical infrastructures need to be more proactive and thorough in their approach to identifying vulnerabilities and making better decisions to protect against attacks.
Four-quadrant security assessment
To better protect themselves, utilities need to gain a clearer understanding of where vulnerabilities exist across their systems. This will help leadership make informed decisions on how to mitigate and manage risk through processes and IT investments.
Ultimately, providers need to go beyond the traditional network assessment and adequately cover the unique nature of embedded Industrial Control Systems (ICS) systems. The four domains that must be covered today are:
- Core network infrastructures;
- Software and management applications;
- Embedded hardware and firmware, and;
- Wireless communications.
Most utilities conduct some network security and software assessment, including using penetration testing techniques. But these tactics alone aren’t enough to fully capture the threat landscape for utilities with increasingly complex networks. Utilities today need to expand evaluations to fully capture the new pieces of their operations.
Traditional security assessments don’t account for the growth of wireless networks and embedded intelligence. Advanced smart grid deployments are harnessing wide spread wireless systems that connect field devices, and utilities must operate under the assumption that some devices could fall into the wrong hands and become an attacker’s tool.
The utility industry’s growing dependence on wireless network solutions, such as Low-power WANs (LPWANs), means the network comes to the attacker. Many of these wireless networks have historically been prone to vulnerabilities, making it imperative to closely examine new wireless deployments and validate that expected controls are indeed working.
How many utilities can say they have validated the encryption of information over-the-air or can demonstrate that the privacy of usage data is indeed protected beyond possibly a configuration setting in their management system?
The answer today is not nearly enough, as most utilities haven’t expanded their security capabilities in step with their operational advancements.
Network and software assessments needs to be supplemented with embedded hardware/firmware analysis and wireless communications analysis to deliver a more complete picture of a utility’s security posture. Individual analysis of these areas is helpful, but a comprehensive, multi-pronged assessment will deliver deeper insights by comparing results and data to evaluate cross-quadrant vulnerabilities. This is extremely helpful because identifying some threats requires recognizing indicators in different areas. Without cross-quadrant analysis capabilities, utilities can’t see this potential danger.
This four-quadrant assessment methodology is designed to help providers evaluate their preparedness, emulating real-world attacks to test if a utility’s environment is vulnerable. More broadly, understanding how weaknesses in each quadrant can be linked together to create a more profound breach provides a clearer understanding of the strengths or weaknesses in these complex systems.
Initiating change today
Regardless of the catalyst, every organization needs to adapt their security philosophy to meet the challenges of an ever increasing and challenging threat landscape. This is especially true for organizations operating critical infrastructure, from electric, gas and water utilities to healthcare systems and intelligent vehicles leveraging telematics.
The good news is the multi-faceted assessment approach was developed and tested with a wide range of technologies, and it has already been used successfully across multiple industry sectors. Premium content providers and video delivery network operators have applied it for many years, ironically making your cable box in your family room more secure than most ICS and metering equipment.
Protecting the grid and critical infrastructure is too important to leave to chance. Organizations need to understand what’s happening across their environment. Having the ability to analyze and test for vulnerabilities before solution deployments, as well as throughout the product lifecycle, is critical for long-term grid security.
There is no silver bullet answer to combating threats. But having a thorough understanding of your strengths and weaknesses and validating your expected security controls with a “trust, but verify attitude” is your first step to avoid a potentially devastating attack.