Why 'secure' isn't secure enough in the utilities sector
With multiple vulnerabilities, companies should invest in a comprehensive cybersecurity approach that considers both protecting the communications layer and complementary physical security measures.
The following is a Viewpoint by Marco Berger, head of utilities and critical infrastructures vertical solutions, ECI Telecom
Cybersecurity of critical energy infrastructure is a growing concern because the industry is experiencing a significant overhaul as grids, power, water and gas become increasingly smart and automated. For utility companies, the consequences of inadequate cybersecurity include service and grid outages affecting thousands of customers, if not more. The “fourth industrial revolution,” if you will, demands major changes in the utilities sector’s technology deployments.
As awareness of this trend grows, federal governments insist that measures be enacted not just for companies that own and operate public utilities, but also for local, state and federal regulators tasked with ensuring the safety and reliability of critical services. Because of these factors, in early 2016, the Federal Energy Regulatory Commission (FERC) updated cybersecurity standards for U.S. electric utilities, a proactive effort to combat cybercrime.
- Transformative Initiatives - Decentralization (distribution and generation), automation and digitization enable unprecedented system-wide visibility and control for utilities operators, but open a myriad of entry points for hackers to exploit.
- Mobility - Vehicle-to-infrastructure communications require vehicles to communicate with the power grid, widely expanding the attack surface.
- Distribution - The shift towards incorporating more distributed energy resources in the last decade and embracing an energy cloud fed by varied generators such as wind, solar, tidal, nuclear, coal and gas creates many points of entry, expanding vulnerabilities within the grid.
- Smart Metering - Power distributors are moving to this more efficient pay-as-you-use model, which can be installed in nearly any location that uses power - home, business or other. These vulnerable entry points exponentially increase attack surfaces.
The challenges related to systemic transition — disruptive technologies creating multiple new entry points — showcase the difficulty utility companies must face to thoroughly secure themselves. As a result, by the end of 2017, the industry is forecasted to invest $1B-$7B in protecting energy systems against cyber-attacks.
Whatever you do, don’t stop modernization - IT and OT infrastructure
Integrating information technology (IT) and operational technology (OT), two previously segregated systems, may increase cybersecurity risk, but the continued modernization of these technologies facilitates better cybersecurity posture. As technology and market factors make it simply unrealistic to keep IT and OT separated moving forward, the most vulnerable entry points remain the endpoints — router ports, workstations, integrated access devices — because they are often overlooked and unsecured. Threats aimed at utilities are typically characterized by attacks coming from the IT towards the OT, from the OT to the IT and sometimes in the middle communications layer.
Threats coming from the IT towards the OT
An instance that took the path from IT to OT occurred this year in Ukraine, where attackers succeeded in taking control of workers’ workstations via their credentials and access allowances to freeze control panels, disrupt Supervisory Control and Data Acquisition (SCADA) and control stations, block customer calls towards emergency centers and more.
Breaches and operation disruptions can be caused via physical “tapping” on the communications optical, wireless and copper infrastructure. This method was used by attackers to infiltrate consumer credit agency Equifax on several occasions, causing a breach of at least 15 million customers’ credit and personal data, and a data leak of several third-party mobile apps used by the company for its customer services. These types of attacks can be prevented by implementing sophisticated encryption to secure communications traffic from Layer 1 up to Layer 7.
Threats coming from inside the OT
A notable recent attack that fits this attack path affected the San Francisco Municipal Transportation Agency (SFMTA). In this case, the agency’s ticket kiosks along the operational stations were targeted, disrupting billing operations for more than 24 hours and introducing malware intended to eventually disrupt the actual control and traffic of the entire system. Such attacks are also called Zero-Day-Attacks because they are typically performed by malware or worms never before tracked or identified. The best response to this type of attack is to utilize SCADA Deep Packet Inspection or Anomaly Detection tools.
The solution is secure, but not simple
As utilities discover they have already been targeted or attacked, they are racing to implement FERC and NERC requirements strategically developed based on past threats and attacks. Nevertheless, these security precautions, however necessary, involve expensive and sophisticated tools, services and policies, demanding long-term budget planning and allocation.
A healthy cybersecurity approach isn't limited to one or a few parts of a company, such as IT departments. In addition, adherence to self-decided standards, rules and practices must be both a top-down and a bottom-up responsibility flow. A company's security solution must be complementary to all current security approaches and will ultimately fail without company-wide awareness and implementation of practices and procedures.
To protect OT, companies should use their communications layer — the highway all services and applications run along — to more easily secure networks and systems. Since this layer connects the utility company network to the outside world, it’s the most vulnerable to, and most often used for, attacks by cybercriminals. At the same time, it’s a part of the network that cybersecurity solutions providers often overlook.
A reliable solution, therefore, must protect on a constant basis from threat actors attempting to carry out a variety of attacks, such as those originating from IT and aimed at the OT; originating in the OT and targeting networks affecting SCADA; or attacks where the hacker infiltrates the fiber network.
Unique utilities need unique solutions
Utilities have a steep learning curve when it comes to cybersecurity and have learned some crucial lessons in recent years. One of the most important findings is that cyberattacks are increasingly executed not by individuals or small groups, but by governments and large entities or “state actors”, who deploy massive resources and skills in order to be successful, with critical infrastructure as a major target.
They are also learning that cyberattacks are not exclusive to the new IP, TCP/IP-based infrastructure, but have also happened in the “considered-secure” legacy infrastructure as well, including TDM, SDH, SONET and old SCADA and PLC systems. A short search on the “dark-web” will reveal hacker tools available for use against all types of devices — legacy and next generation.
As a result of recent FERC and NERC regulations, most utilities now perform routine threat analysis scenarios and consultations as well as intensive staff training on data and cybersecurity practices, using the regulations as a framework. Based on the outcomes of the threat analyses, new cybersecurity elements are introduced both in the IT and on the OT networks and systems, such as: SCADA aware firewall, access control systems, smart CCTV systems, detection and prevention tools and systems, new policies and encryption for sensitive data and connectivity.
Many in the utilities sector may have never imagined that cybersecurity would be one of the major concerns and important investments of the 21st century. But as the industry evolves key aspects of its technological foundation, and vulnerabilities thereby multiply, a whole new world of cybercrime opens to the world of critical energy infrastructure. It’s essential to the ongoing success of utility companies that they invest in a comprehensive cybersecurity approach that considers both protecting the communications layer and complementary physical security measures.